# ################################### ## Rule Specification ## ##################################### # # Rule Identifier: # s3_bucket_level_public_access_prohibited_check # # Description: # This control checks whether your Amazon Simple Storage Service (Amazon S3) bucket has a bucket-level Block Public Access (BPA) configuration. # # Reports on: # AWS::S3::Bucket # # Evaluates: # AWS CloudFormation, AWS CloudFormation hook # # Rule Parameters: # None # # Scenarios: # Scenario: 1 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document does not contain any Amazon S3 bucket resources # Then: SKIP # Scenario: 2 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Amazon S3 bucket resource # And: 'PublicAccessBlockConfiguration' has not been provided # Then: FAIL # Scenario: 3 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Amazon S3 bucket resource # And: 'PublicAccessBlockConfiguration' has been provided # And: 'BlockPublicAcls' or 'BlockPublicPolicy' or 'IgnorePublicAcls' or 'RestrictPublicBuckets' # have not been provided # Then: FAIL # Scenario: 4 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Amazon S3 bucket Resource # And: 'PublicAccessBlockConfiguration' has been provided # And: Any of 'BlockPublicAcls' or 'BlockPublicPolicy' or 'IgnorePublicAcls' or 'RestrictPublicBuckets' # have been set to a value other than bool(true) (e.g. bool(false), str(false), other) # Then: FAIL # Scenario: 5 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Amazon S3 bucket Resource # And: 'PublicAccessBlockConfiguration' has been provided # And: 'BlockPublicAcls' or 'BlockPublicPolicy' or 'IgnorePublicAcls' or 'RestrictPublicBuckets' # have all been set to bool(true) # Then: PASS # # Constants # let S3_BUCKET_TYPE = "AWS::S3::Bucket" let INPUT_DOCUMENT = this # # Assignments # let s3_buckets = Resources.*[ Type == %S3_BUCKET_TYPE ] # # Primary Rules # rule s3_bucket_level_public_access_prohibited_check when is_cfn_template(%INPUT_DOCUMENT) %s3_buckets not empty { check(%s3_buckets.Properties) << [CT.S3.PR.1]: Require an Amazon S3 bucket to have block public access settings configured [FIX]: The parameters 'BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets' must be set to true under the bucket-level 'PublicAccessBlockConfiguration'. >> } rule s3_bucket_level_public_access_prohibited_check when is_cfn_hook(%INPUT_DOCUMENT, %S3_BUCKET_TYPE) { check(%INPUT_DOCUMENT.%S3_BUCKET_TYPE.resourceProperties) << [CT.S3.PR.1]: Require an Amazon S3 bucket to have block public access settings configured [FIX]: The parameters 'BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets' must be set to true under the bucket-level 'PublicAccessBlockConfiguration'. >> } # # Parameterized Rules # rule check(s3_bucket) { %s3_bucket { # Scenario 2 PublicAccessBlockConfiguration exists PublicAccessBlockConfiguration is_struct PublicAccessBlockConfiguration { # Scenario 3 BlockPublicAcls exists BlockPublicPolicy exists IgnorePublicAcls exists RestrictPublicBuckets exists # Scenarios 4 and 5 BlockPublicAcls == true BlockPublicPolicy == true IgnorePublicAcls == true RestrictPublicBuckets == true } } } # # Utility Rules # rule is_cfn_template(doc) { %doc { AWSTemplateFormatVersion exists or Resources exists } } rule is_cfn_hook(doc, RESOURCE_TYPE) { %doc.%RESOURCE_TYPE.resourceProperties exists }