
org.sonar.l10n.javascript.rules.javascript.S6249.html
By default, S3 buckets can be accessed over both HTTP and HTTPS.
Because HTTP is a cleartext protocol, it neither encrypts the transported data nor lets the client authenticate the server it is talking to. This
means that an attacker who can intercept network traffic can read, modify or corrupt the transported content.
Ask Yourself Whether
- The S3 bucket stores sensitive information.
- The infrastructure has to comply with AWS Foundational Security Best Practices standard.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to enforce HTTPS-only access by setting the enforceSSL property to true. In AWS CDK this attaches a bucket policy that
denies every S3 action when the aws:SecureTransport condition key is false, so cleartext requests are rejected even if another statement would allow them.
Sensitive Code Example
Access to S3 bucket objects over TLS is not enforced by default, so the bucket also answers plain HTTP requests:
const s3 = require('aws-cdk-lib/aws-s3');
const bucket = new s3.Bucket(this, 'example'); // Sensitive
Compliant Solution
const s3 = require('aws-cdk-lib/aws-s3');
const bucket = new s3.Bucket(this, 'example', {
  bucketName: 'example',
  versioned: true,
  publicReadAccess: false,
  enforceSSL: true // adds a bucket policy denying requests where aws:SecureTransport is false
});
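The compliant solution above only helps if the synthesized bucket policy really is present. The following added check (not part of the rule page or of the CDK project) walks a CloudFormation template such as the one `cdk synth` produces and lists every AWS::S3::Bucket that has no attached AWS::S3::BucketPolicy containing a Deny statement on s3:* conditioned on aws:SecureTransport being false. The sample template is constructed for this example; the logical IDs BucketA, BucketAPolicy and BucketB are made up, and the statement shape follows what CDK v2 emits for enforceSSL: true.

```javascript
'use strict';

// Constructed sample of what `cdk synth` emits for two buckets: BucketA was created
// with `enforceSSL: true` (so it has a BucketPolicy), BucketB was not.
// Logical IDs are invented for this example.
const sampleTemplate = {
  Resources: {
    BucketA: { Type: 'AWS::S3::Bucket', Properties: { BucketName: 'example-a' } },
    BucketAPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'BucketA' },
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [
            {
              Effect: 'Deny',
              Principal: { AWS: '*' },
              Action: 's3:*',
              Resource: [
                { 'Fn::GetAtt': ['BucketA', 'Arn'] },
                { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['BucketA', 'Arn'] }, '/*']] },
              ],
              Condition: { Bool: { 'aws:SecureTransport': 'false' } },
            },
          ],
        },
      },
    },
    BucketB: { Type: 'AWS::S3::Bucket', Properties: { BucketName: 'example-b' } },
  },
};

// True when a policy statement denies all S3 actions for requests that did not
// use TLS, i.e. the statement `enforceSSL: true` generates. Accepts the
// condition value as the string 'false' (CloudFormation form) or boolean false.
function deniesCleartext(statement) {
  if (!statement || statement.Effect !== 'Deny') return false;
  const actions = [].concat(statement.Action || []);
  if (!actions.some((a) => a === 's3:*' || a === '*')) return false;
  const bool = (statement.Condition && statement.Condition.Bool) || {};
  const v = bool['aws:SecureTransport'];
  return v === 'false' || v === false;
}

// Returns the logical IDs of AWS::S3::Bucket resources that have no BucketPolicy
// (attached via `Bucket: { Ref: <id> }`) carrying a cleartext-deny statement.
function bucketsWithoutSslEnforcement(template) {
  const resources = (template && template.Resources) || {};
  const enforced = new Set();
  for (const res of Object.values(resources)) {
    if (res.Type !== 'AWS::S3::BucketPolicy') continue;
    const props = res.Properties || {};
    const target = props.Bucket && props.Bucket.Ref;
    const statements = [].concat((props.PolicyDocument && props.PolicyDocument.Statement) || []);
    if (target && statements.some(deniesCleartext)) enforced.add(target);
  }
  return Object.entries(resources)
    .filter(([id, res]) => res.Type === 'AWS::S3::Bucket' && !enforced.has(id))
    .map(([id]) => id);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Prints [ 'BucketB' ]: only the bucket created without enforceSSL is reported.
  console.log(bucketsWithoutSslEnforcement(sampleTemplate));
}
```

Run it against the JSON in cdk.out after `cdk synth` (parse the template with JSON.parse and pass it in) to confirm that every bucket in the stack carries the deny statement; an empty result means every bucket is covered. The matcher deliberately keys on Effect, Action and the aws:SecureTransport condition rather than on the exact Resource or Principal encoding, so hand-written policies that use a different ARN form are still recognized.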
See
- AWS documentation - Enforce encryption of data in transit
- AWS Foundational Security Best Practices controls - S3 buckets should require requests to use Secure Socket Layer
- CWE - CWE-319 - Cleartext Transmission of Sensitive Information
- AWS CDK version 2 - Bucket