org.sonar.l10n.py.rules.python.S6270.html Maven / Gradle / Ivy
Resource-based policies granting access to all users can lead to information leakage.
Ask Yourself Whether
- The AWS resource stores or processes sensitive data.
- The AWS resource is designed to be private.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to implement the least privilege principle, i.e. to grant necessary permissions only to users for their required tasks. In the
context of resource-based policies, list the principals that need the access and grant to them only the required privileges.
Sensitive Code Example
This policy allows all users, including anonymous ones, to access an S3 bucket:
from aws_cdk.aws_iam import PolicyStatement, AnyPrincipal, Effect
from aws_cdk.aws_s3 import Bucket
bucket = Bucket(self, "ExampleBucket")
bucket.add_to_resource_policy(PolicyStatement(
effect=Effect.ALLOW,
actions=["s3:*"],
resources=[bucket.arn_for_objects("*")],
principals=[AnyPrincipal()] # Sensitive
))
Compliant Solution
This policy allows only the authorized users:
from aws_cdk.aws_iam import PolicyStatement, AccountRootPrincipal, Effect
from aws_cdk.aws_s3 import Bucket
bucket = Bucket(self, "ExampleBucket")
bucket.add_to_resource_policy(PolicyStatement(
effect=Effect.ALLOW,
actions=["s3:*"],
resources=[bucket.arn_for_objects("*")],
principals=[AccountRootPrincipal()]
))
See
- AWS Documentation - Grant least
privilege
- CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
- CWE - CWE-284 - Improper Access Control
- STIG Viewer - Application Security and
Development: V-222620 - Application web servers must be on a separate network segment from the application and database servers.
© 2015 - 2024 Weber Informatics LLC | Privacy Policy