aws-s3-public-policy
Ensure S3 bucket does not allow an action with any Principal (i.e. anyone on the Internet)
Using a wildcard (*) in the Principal element means public access: the statement applies to anyone on the Internet.
There are valid reasons to do this when the content in the bucket is indeed meant to be viewed by anyone (such as the static resources of a website), but it is rarely valid to allow it for a write action such as PutObject.
The following elements are equivalent:
"Principal": "*"
"Principal" : { "AWS" : "*" }
Examples
Insecure Example
resource "aws_s3_bucket" "hello-world-bucket" {
  bucket = "hello-world-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Both statements use the wildcard principal; the second lets anyone on the
  # Internet upload objects under content/, which is the finding this rule reports.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::hello-world-bucket/content/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::hello-world-bucket/content/*"
      ]
    }
  ]
}
EOF
}
Secure Example
resource "aws_s3_bucket" "hello-world-bucket" {
  bucket = "hello-world-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Public read of content/ is intentional here; PutObject is limited to a
  # specific IAM user rather than the wildcard principal.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::hello-world-bucket/content/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.someadmin.arn}"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::hello-world-bucket/content/*"
      ]
    }
  ]
}
EOF
}
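As an added illustration of what this rule checks (not code from the page or from any scanner), the following Python flags every Allow statement whose Principal is one of the two equivalent wildcard forms above, and marks the public write actions the text calls out as the risky case. The sample policy, account ID and IP range are constructed for the example; it also handles the list form {"AWS": ["*", ...]} and Condition-scoped statements, which the page does not show.

```python
import json

# Constructed sample policy (not from the page): it reuses the page's insecure
# GetObject/PutObject statements, adds the {"AWS": "*"} form, a Condition-scoped
# public statement, and one non-public statement. Account ID and IP range are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::hello-world-bucket/content/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::hello-world-bucket/content/*"},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::hello-world-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/someadmin"},
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::hello-world-bucket/content/*"},
    ],
})

def _as_list(value):
    """IAM allows most elements as either a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_is_anyone(principal) -> bool:
    """True for the page's two equivalent forms, "*" and {"AWS": "*"},
    and for the list form such as {"AWS": ["*", "arn:..."]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def find_public_statements(policy_json: str) -> list:
    """One finding per Allow statement granted to anyone on the Internet.
    A Condition narrows the grant but does not make it non-public, so such
    statements are still reported (conditioned=True) for human review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "actions": actions,
            # Public writes (Put/Delete or wildcard actions) are the high-risk case.
            "write": any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions),
            "conditioned": "Condition" in stmt,
        })
    return findings

if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        print(finding)
```

Run against the page's secure example, the checker still reports the public GetObject statement, which is the intended-public exception the text describes; only the write finding disappears.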