Migrate S3 resources to cfn-guard ruleset

aws-cloudformation · Mar 19, 2024 · 7fcfa6b · 7fcfa6b
1 parent 946508c
commit 7fcfa6b
Show file tree

Hide file tree

Showing 16 changed files with 1,268 additions and 1 deletion.
diff --git a/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard b/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard
@@ -28,6 +28,8 @@
 #
 
 let s3_buckets_bucket_logging_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W35"
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "S3_BUCKET_LOGGING_ENABLED"
 ]

diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard
@@ -0,0 +1,52 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#   S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION
+#
+# Description:
+#   Checks that SIMPLE STORAGE SERVICE (S3) TOPIC Policy do not use Allow+NotAction
+#
+# Reports on:
+#   AWS::S3::BucketPolicy
+#
+# Evaluates:
+#   AWS CloudFormation
+#
+# Rule Parameters:
+#   NA
+#
+# CFN_NAG Rule Id:
+#   W20
+#
+# Documentation:
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+#
+# Scenarios:
+# a) SKIP: when there are no S3 Bucket Policies present
+# b) PASS: when all S3 Bucket Policies do not use Allow+NotAction
+# c) FAIL: when any S3 Bucket Policies allow both Effect: Allow and NotAction
+# d) SKIP: when metadata has rule suppression for S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION or CFN_NAG W20
+
+let s3_bucket_policy_no_allow_plus_not_action = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W20"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION"
+]
+
+rule S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION when %s3_bucket_policy_no_allow_plus_not_action !empty {
+  let violations = %s3_bucket_policy_no_allow_plus_not_action[
+    Type == 'AWS::S3::BucketPolicy'
+    some Properties.PolicyDocument.Statement[*] {
+      Effect == "Allow"
+      NotAction exists
+    }
+  ]
+  %violations empty
+  <<
+    Violation: S3 BucketPolicy should not allow Allow+NotAction
+    Fix: Remove S3 Bucket Policies that match {"Effect": "Allow", "NotAction": ... }
+  >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard
@@ -0,0 +1,51 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_POLICY_NO_WILDCARD_ACTION
+#
+# Description:
+#   S3 Bucket policy should not allow * action
+#
+# Reports on:
+#    AWS::S3::BucketPolicy
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   F15
+#
+# Scenarios:
+# a) SKIP: when there is no S3 BucketPolicy resource present
+# b) PASS: when no S3 BucketPolicy resources have open Action
+# c) FAIL: when any S3 resources has Action "*"
+# d) SKIP: when metada has rule suppression for S3_BUCKET_POLICY_NO_WILDCARD_ACTION
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+#
+let s3_bucket_policy_no_wildcard_action = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "F15"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_WILDCARD_ACTION"
+]
+
+rule S3_BUCKET_POLICY_NO_WILDCARD_ACTION when %s3_bucket_policy_no_wildcard_action !empty {
+  let violations = %s3_bucket_policy_no_wildcard_action[
+    some Properties.PolicyDocument.Statement[*] {
+      some Action[*] in ["*", /^[a-zA-Z0-9]*:\*$/]
+      Effect == "Allow"
+    }
+  ]
+  %violations empty
+  <<
+    Violation: S3 Bucket policy should not allow * action.
+    Fix: Specify explicit actions in the S3 BucketPolicy
+  >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard
@@ -0,0 +1,51 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL
+#
+# Description:
+#   S3 Bucket policy should not allow * principal
+#
+# Reports on:
+#    AWS::S3::BucketPolicy
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   F16
+#
+# Scenarios:
+# a) SKIP: when there is no S3 BucketPolicy resource present
+# b) PASS: when no S3 BucketPolicy resources have open Principal
+# c) FAIL: when any S3 resources has Principal "*"
+# d) SKIP: when metada has rule suppression for S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+#
+let s3_bucket_policy_no_wildcard_principal = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "F16"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL"
+]
+
+rule S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL when %s3_bucket_policy_no_wildcard_principal !empty {
+  let violations = %s3_bucket_policy_no_wildcard_principal[
+    some Properties.PolicyDocument.Statement[*] {
+      Principal == "*"
+      Effect == "Allow"
+    }
+  ]
+  %violations empty
+  <<
+    Violation: S3 Bucket policy should not allow * principal
+    Fix: Specify explicit principals in the S3 BucketPolicy
+  >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_public_read_acl.guard b/rules/aws/amazon_s3/s3_bucket_public_read_acl.guard
@@ -0,0 +1,48 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_PUBLIC_READ_ACL
+#
+# Description:
+#   Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly readable via the public ACL
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W31
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when no S3 resources have PublicRead ACL applied at the bucket level
+# c) FAIL: when any S3 resources has PublicRead ACL
+# d) SKIP: when metadata has rule suppression for S3_BUCKET_PUBLIC_READ_ACL
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_bucket_public_read_acl = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W31"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_PUBLIC_READ_ACL"
+]
+
+rule S3_BUCKET_PUBLIC_READ_ACL when %s3_bucket_public_read_acl !empty {
+  let violations = %s3_bucket_public_read_acl[
+    Properties.AccessControl == 'PublicRead'
+  ]
+  %violations empty
+  <<
+    Violation: S3 Bucket should not have the PublicRead ALC.
+    Fix: Allow Read access only to authorized, authenticated users.
+  >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard b/rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard
@@ -0,0 +1,45 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_NO_PUBLIC_RW_ACL
+#
+# Description:
+#   Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly readable via the public ACL
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   F14
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when no S3 resources have PublicReadWrite ACL applied at the bucket level
+# c) FAIL: when any S3 resources has PublicReadWrite ACL
+# d) SKIP: when metada has rule suppression for S3_BUCKET_NO_PUBLIC_RW_ACL
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_bucket_public_rw_acl = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "F14"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_NO_PUBLIC_RW_ACL"
+]
+
+rule S3_BUCKET_NO_PUBLIC_RW_ACL when %s3_bucket_public_rw_acl !empty {
+  %s3_bucket_public_rw_acl.Properties.AccessControl != 'PublicReadWrite'
+  <<
+    Violation: S3 Bucket should not have the PublicReadWrite ACL.
+    Fix: Allow ReadWrite access only to authorized, authenticated users.
+  >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard b/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard
@@ -29,6 +29,8 @@
 #
 
 let s3_buckets_server_side_encryption = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W41"
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
 ]

diff --git a/rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard b/rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard
@@ -0,0 +1,54 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#   S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL
+#
+# Description:
+#   Checks that Amazon S3 BucketPolicies do not use Effect:Allow with NotPrincipal
+#
+# Reports on:
+#   AWS::S3::BucketPolicy
+#
+# Evaluates:
+#   AWS CloudFormation
+#
+# Rule Parameters:
+#   NA
+# 
+# CFN_NAG Rule Id:
+#   F9
+#
+# Documentation:
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
+#
+# Scenarios:
+# a) SKIP: when there are no S3 BucketPolicies present
+# b) PASS: when all S3 BucketPolicies do not Allow with NotPrincipal
+# c) FAIL: when any S3 BucketPolicies PolicyDocument statement has both Effect: Allow and NotPrincipal
+# d) SKIP: when metada has rule suppression for S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL or CFN_NAG F9
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+# 
+let aws_s3_bucketpolicy_resources = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress.*.id != "F9"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL" 
+]
+
+rule S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL when %aws_s3_bucketpolicy_resources !empty {
+  let violations = %aws_s3_bucketpolicy_resources[
+    some Properties.PolicyDocument.Statement[*] {
+      Effect == "Allow"
+      NotPrincipal exists
+    }
+  ]
+  %violations empty
+  <<
+    Violation: S3 Bucket policy should not allow Allow+NotPrincipal
+    Fix: Remove policy statements that match {"Effect": "Allow", "NotPrincipal": ... }
+  >>
+} 
diff --git a/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml b/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml
@@ -56,3 +56,19 @@
   expectations:
     rules:
       S3_BUCKET_LOGGING_ENABLED: SKIP
+
+- name: S3 Bucket with Logging Configuration missing with suppression, SKIP
+  input:
+    Resources:
+      ExampleS3:
+        Type: AWS::S3::Bucket
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+            - id: W35
+              reason: Suppressed for a very good reason
+        Properties:
+          BucketName: my-bucket
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: SKIP