• Home
• org.sonarsource.javascript
• javascript-checks
• 10.11.0.25043
• source code
• S6281.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S6281.html Maven / Gradle / Ivy

By default S3 buckets are private, it means that only the bucket owner can access it.
This access control can be relaxed with ACLs or policies.
To prevent permissive policies or ACLs to be set on a S3 bucket the following booleans settings can be enabled:

  
 blockPublicAcls: to block or not public ACLs to be set to the S3 bucket. 
  
 ignorePublicAcls: to consider or not existing public ACLs set to the S3 bucket. 
  
 blockPublicPolicy: to block or not public policies to be set to the S3 bucket. 
  
 restrictPublicBuckets: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket
  owner account. 

The other attribute BlockPublicAccess.BLOCK_ACLS only turns on blockPublicAcls and ignorePublicAcls. The
public policies can still affect the S3 bucket.
However, all of those options can be enabled by setting the blockPublicAccess property of the S3 bucket to
BlockPublicAccess.BLOCK_ALL.
Ask Yourself Whether

  
 The S3 bucket stores sensitive data. 
  
 The S3 bucket is not used to store static resources of websites (images, css …​). 
  
 Many users have the permission to set ACL or policy to the S3 bucket. 
  
 These settings are not already enforced to true at the account level. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to configure:

  
 blockPublicAcls to True to block new attempts to set public ACLs. 
  
 ignorePublicAcls to True to block existing public ACLs. 
  
 blockPublicPolicy to True to block new attempts to set public policies. 
  
 restrictPublicBuckets to True to restrict existing public policies. 

Sensitive Code Example
By default, when not set, the blockPublicAccess is fully deactivated (nothing is blocked):
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket'
}); // Sensitive

This block_public_access allows public ACL to be set:
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : false, // Sensitive
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});

The attribute BLOCK_ACLS only blocks and ignores public ACLs:
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS // Sensitive
});

Compliant Solution
This blockPublicAccess blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
});

A similar configuration to the one above can be obtained by setting all parameters of the blockPublicAccess
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : true,
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});

See

  
 OWASP Top 10 2021 Category A1 - Broken Access Control 
  
 OWASP Top 10 2021 Category A5 - Security Misconfiguration 
  
 AWS Documentation - Blocking public
  access to your Amazon S3 storage 
  
 MITRE, CWE-284 - Improper Access Control 
  
 OWASP Top 10 2017 Category A5 - Broken Access Control
  
  
 AWS CDK version 2 - BlockPublicAccess