[Bug]: False Positive on check s3_bucket_public_access when Conditions in Policy #4257
Comments
|
If you set Block Public Access on the bucket or account this should go away while still working as intended. Ideally you should use IAM to grant S3 access and not allow anonymous access like this. I'm currently working on a PR to standardize resource policy checks for public access and access from untrusted accounts. This condition should probably pass a public access check but fail a trust boundary check, as it's not feasible to verify that access is coming from a trusted account via source network conditions. |
|
@mtronrd you are right but this check is only reviewing the bucket's configuration. We are actively working to fix that in the check. I'm happy to hear that you are working on that, please let us know if you need something. |
jfagoagas
added
provider/aws
|
Hi @jmanduca-psfy I am working on your problem, please can you test now the check in this PR and send some feedback. Thanks for the reporting and for using Prowler 🚀 |
|
Thank you @puchy22 for working on this! Looks good except for an issue I commented in the PR. |
Steps to Reproduce
Expected behavior
S3 Bucket sample-restricted-bucket should have passed the check.
Actual Result with Screenshots or Logs
Failed check: S3 Bucket sample-restricted-bucket has public access due to bucket policy.
How did you install Prowler?
From pip package (pip install prowler)
Environment Resource
OS used
Prowler version
Prowler 4.2.4
Pip version
pip 22.0.2 from /usr/lib/python3/dist-packages/pip (python 3.10)
Context
The check only looks for Principal = "*" and Effect = "Allow" without investigating other contexts to the statement, such as Conditions or Resources.
prowler/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py
Line 51 in 61b9ecc
EX. For this policy, the check should pass as the condition restricts public access:
{ "Sid": "AllowVPCAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::sample-restricted-bucket/*", "arn:aws:s3:::sample-restricted-bucket" ], "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-12345678abcdef" } } }The text was updated successfully, but these errors were encountered: