From 7fcfa6b90902cd3ac05c9293452dbafa8fb19507 Mon Sep 17 00:00:00 2001 
From: ysdholak Date: Tue, 19 Mar 2024 12:12:40 -0700 Subject: [PATCH] Migrate S3 resources to cfn-guard ruleset --- .../amazon_s3/s3_bucket_logging_enabled.guard | 2 + ...cket_policy_no_allow_plus_not_action.guard | 52 ++++ .../s3_bucket_policy_no_wildcard_action.guard | 51 ++++ ..._bucket_policy_no_wildcard_principal.guard | 51 ++++ .../amazon_s3/s3_bucket_public_read_acl.guard | 48 ++++ .../amazon_s3/s3_bucket_public_rw_acl.guard | 45 ++++ ...ucket_server_side_encryption_enabled.guard | 2 + ...ketpolicy_no_allow_plus_notprincipal.guard | 54 +++++ .../tests/s3_bucket_logging_enabled_tests.yml | 16 ++ ..._policy_no_allow_plus_not_action_tests.yml | 129 ++++++++++ ...bucket_policy_no_wildcard_action_tests.yml | 227 ++++++++++++++++++ ...ket_policy_no_wildcard_principal_tests.yml | 199 +++++++++++++++ .../tests/s3_bucket_public_read_acl_tests.yml | 123 ++++++++++ .../tests/s3_bucket_public_rw_acl_tests.yml | 123 ++++++++++ ...t_server_side_encryption_enabled_tests.yml | 18 +- ...olicy_no_allow_plus_notprincipal_tests.yml | 129 ++++++++++ 16 files changed, 1268 insertions(+), 1 deletion(-) create mode 100644 rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard create mode 100644 rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard create mode 100644 rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard create mode 100644 rules/aws/amazon_s3/s3_bucket_public_read_acl.guard create mode 100644 rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard create mode 100644 rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard create mode 100644 rules/aws/amazon_s3/tests/s3_bucket_policy_no_allow_plus_not_action_tests.yml create mode 100644 rules/aws/amazon_s3/tests/s3_bucket_policy_no_wildcard_action_tests.yml create mode 100644 rules/aws/amazon_s3/tests/s3_bucket_policy_no_wildcard_principal_tests.yml create mode 100644 rules/aws/amazon_s3/tests/s3_bucket_public_read_acl_tests.yml create mode 100644 
rules/aws/amazon_s3/tests/s3_bucket_public_rw_acl_tests.yml create mode 100644 rules/aws/amazon_s3/tests/s3_bucketpolicy_no_allow_plus_notprincipal_tests.yml
diff --git a/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard b/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard
index 6067734..6905ea0 100644
--- a/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard
+++ b/rules/aws/amazon_s3/s3_bucket_logging_enabled.guard
@@ -28,6 +28,8 @@
 #
 let s3_buckets_bucket_logging_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "W35"
 Metadata.guard.SuppressedRules not exists or
 Metadata.guard.SuppressedRules.* != "S3_BUCKET_LOGGING_ENABLED"
 ]
diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard
new file mode 100644
index 0000000..c9a78b9
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucket_policy_no_allow_plus_not_action.guard
@@ -0,0 +1,52 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION
+#
+# Description:
+# Checks that SIMPLE STORAGE SERVICE (S3) TOPIC Policy do not use Allow+NotAction
+#
+# Reports on:
+# AWS::S3::BucketPolicy
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W20
+#
+# Documentation:
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+#
+# Scenarios:
+# a) SKIP: when there are no S3 Bucket Policies present
+# b) PASS: when all S3 Bucket Policies do not use Allow+NotAction
+# c) FAIL: when any S3 Bucket Policies allow both Effect: Allow and NotAction
+# d) SKIP: when metadata has rule suppression for S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION or CFN_NAG W20
+
+let s3_bucket_policy_no_allow_plus_not_action = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "W20"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION"
+]
+
+rule S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION when %s3_bucket_policy_no_allow_plus_not_action !empty {
+ let violations = %s3_bucket_policy_no_allow_plus_not_action[
+ Type == 'AWS::S3::BucketPolicy'
+ some Properties.PolicyDocument.Statement[*] {
+ Effect == "Allow"
+ NotAction exists
+ }
+ ]
+ %violations empty
+ <<
+ Violation: S3 BucketPolicy should not allow Allow+NotAction
+ Fix: Remove S3 Bucket Policies that match {"Effect": "Allow", "NotAction": ... }
+ >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard
new file mode 100644
index 0000000..81feed0
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_action.guard
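Review bot: The Description in the header still reads `Checks that SIMPLE STORAGE SERVICE (S3) TOPIC Policy do not use Allow+NotAction`, which looks carried over from an SNS topic rule; suggest `# Checks that Amazon S3 bucket policies do not use Effect: Allow together with NotAction`. The `Type == 'AWS::S3::BucketPolicy'` clause inside the `violations` filter is redundant, since the `let` above already selects only that type, and the sibling wildcard-action and wildcard-principal rules omit it. Because an Allow statement with NotAction grants every action except the ones listed, the Fix text would be more useful as "replace NotAction with an explicit Action list" rather than `Remove S3 Bucket Policies`.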
@@ -0,0 +1,51 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKET_POLICY_NO_WILDCARD_ACTION
+#
+# Description:
+# S3 Bucket policy should not allow * action
+#
+# Reports on:
+# AWS::S3::BucketPolicy
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# F15
+#
+# Scenarios:
+# a) SKIP: when there is no S3 BucketPolicy resource present
+# b) PASS: when no S3 BucketPolicy resources have open Action
+# c) FAIL: when any S3 resources has Action "*"
+# d) SKIP: when metada has rule suppression for S3_BUCKET_POLICY_NO_WILDCARD_ACTION
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+#
+let s3_bucket_policy_no_wildcard_action = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "F15"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_WILDCARD_ACTION"
+]
+
+rule S3_BUCKET_POLICY_NO_WILDCARD_ACTION when %s3_bucket_policy_no_wildcard_action !empty {
+ let violations = %s3_bucket_policy_no_wildcard_action[
+ some Properties.PolicyDocument.Statement[*] {
+ some Action[*] in ["*", /^[a-zA-Z0-9]*:\*$/]
+ Effect == "Allow"
+ }
+ ]
+ %violations empty
+ <<
+ Violation: S3 Bucket policy should not allow * action.
+ Fix: Specify explicit actions in the S3 BucketPolicy
+ >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard
new file mode 100644
index 0000000..ac5e43b
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucket_policy_no_wildcard_principal.guard
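Review bot: The action match `some Action[*] in ["*", /^[a-zA-Z0-9]*:\*$/]` flags `*` and `service:*` but not partial wildcards such as `s3:Get*` or `s3:*Object`, which still grant far more than an explicit action list; if parity with cfn_nag F15 (full wildcard only) is the intent, say so in the header, otherwise a pattern matching any `*` inside the action string would close the gap. `Action` may be a plain string rather than a list, and the fixture with `Action: "*"` in the tests expects FAIL, so that fixture is what pins `Action[*]` resolving on a scalar and should be kept. Scenario d) has `metada` for `metadata`, and unlike the NotAction rule it does not mention the cfn_nag id F15 as a suppression source.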
@@ -0,0 +1,51 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL
+#
+# Description:
+# S3 Bucket policy should not allow * principal
+#
+# Reports on:
+# AWS::S3::BucketPolicy
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# F16
+#
+# Scenarios:
+# a) SKIP: when there is no S3 BucketPolicy resource present
+# b) PASS: when no S3 BucketPolicy resources have open Principal
+# c) FAIL: when any S3 resources has Principal "*"
+# d) SKIP: when metada has rule suppression for S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+#
+let s3_bucket_policy_no_wildcard_principal = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "F16"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL"
+]
+
+rule S3_BUCKET_POLICY_NO_WILDCARD_PRINCIPAL when %s3_bucket_policy_no_wildcard_principal !empty {
+ let violations = %s3_bucket_policy_no_wildcard_principal[
+ some Properties.PolicyDocument.Statement[*] {
+ Principal == "*"
+ Effect == "Allow"
+ }
+ ]
+ %violations empty
+ <<
+ Violation: S3 Bucket policy should not allow * principal
+ Fix: Specify explicit principals in the S3 BucketPolicy
+ >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_public_read_acl.guard b/rules/aws/amazon_s3/s3_bucket_public_read_acl.guard
new file mode 100644
index 0000000..d00e787
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucket_public_read_acl.guard
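Review bot: `Principal == "*"` only matches the string form; the map form `Principal: {AWS: "*"}` (and its single-element list variant) grants the same anonymous access and is not caught, so a bucket policy written that way passes this rule unnoticed. Suggest `Principal == "*" or Principal.AWS == "*" or some Principal.AWS[*] == "*"` in the statement block, plus a FAIL fixture for each form in the test file. As far as I recall cfn_nag F16 treats both spellings as a wildcard principal, so this also matters for migration parity. The rule fires regardless of any `Condition` on the statement, which is the conservative choice; if that is deliberate, noting it under Scenarios would save reviewers a question.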
@@ -0,0 +1,48 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKET_PUBLIC_READ_ACL
+#
+# Description:
+# Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly readable via the public ACL
+#
+# Reports on:
+# AWS::S3::Bucket
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W31
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when no S3 resources have PublicRead ACL applied at the bucket level
+# c) FAIL: when any S3 resources has PublicRead ACL
+# d) SKIP: when metadata has rule suppression for S3_BUCKET_PUBLIC_READ_ACL
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_bucket_public_read_acl = Resources.*[ Type == 'AWS::S3::Bucket'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "W31"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKET_PUBLIC_READ_ACL"
+]
+
+rule S3_BUCKET_PUBLIC_READ_ACL when %s3_bucket_public_read_acl !empty {
+ let violations = %s3_bucket_public_read_acl[
+ Properties.AccessControl == 'PublicRead'
+ ]
+ %violations empty
+ <<
+ Violation: S3 Bucket should not have the PublicRead ALC.
+ Fix: Allow Read access only to authorized, authenticated users.
+ >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard b/rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard
new file mode 100644
index 0000000..de41090
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucket_public_rw_acl.guard
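Review bot: The violation message has a typo, `PublicRead ALC` for `PublicRead ACL`; it should read `Violation: S3 Bucket should not have the PublicRead ACL.`. The check covers only the `PublicRead` canned ACL; `AuthenticatedRead` grants read to any AWS account holder, which is effectively public, so it is worth deciding whether it belongs here or in a sibling rule (cfn_nag W31 covers PublicRead only as far as I know, so keeping strict parity is also defensible, but then the header should say so). Scenario a) reads `when there are no S3 resource present` and should say `resources`.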
@@ -0,0 +1,45 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKET_NO_PUBLIC_RW_ACL
+#
+# Description:
+# Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly readable via the public ACL
+#
+# Reports on:
+# AWS::S3::Bucket
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# F14
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when no S3 resources have PublicReadWrite ACL applied at the bucket level
+# c) FAIL: when any S3 resources has PublicReadWrite ACL
+# d) SKIP: when metada has rule suppression for S3_BUCKET_NO_PUBLIC_RW_ACL
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_bucket_public_rw_acl = Resources.*[ Type == 'AWS::S3::Bucket'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "F14"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKET_NO_PUBLIC_RW_ACL"
+]
+
+rule S3_BUCKET_NO_PUBLIC_RW_ACL when %s3_bucket_public_rw_acl !empty {
+ %s3_bucket_public_rw_acl.Properties.AccessControl != 'PublicReadWrite'
+ <<
+ Violation: S3 Bucket should not have the PublicReadWrite ACL.
+ Fix: Allow ReadWrite access only to authorized, authenticated users.
+ >>
+}
diff --git a/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard b/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard
index 31612e3..65ba684 100644
--- a/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard
+++ b/rules/aws/amazon_s3/s3_bucket_server_side_encryption_enabled.guard
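Review bot: The rule body compares `%s3_bucket_public_rw_acl.Properties.AccessControl != 'PublicReadWrite'` directly, unlike the sibling read-ACL rule which filters into `%violations` and checks `%violations empty`; for a bucket with no `AccessControl` property at all (the common case) that comparison runs against an unresolved path, and whether Guard reports it as PASS or as a retrieval failure should be pinned by a fixture without `AccessControl` — the filter form sidesteps the question: `let violations = %s3_bucket_public_rw_acl[ Properties.AccessControl == 'PublicReadWrite' ]` followed by `%violations empty`. The Description is copied from the read rule (`publicly readable via the public ACL`) and should say readable and writable. The identifier `S3_BUCKET_NO_PUBLIC_RW_ACL` matches neither the file name `s3_bucket_public_rw_acl.guard` nor the sibling `S3_BUCKET_PUBLIC_READ_ACL` pattern, and since it is the string users must put in `Metadata.guard.SuppressedRules`, the mismatch invites silent non-suppression.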
@@ -29,6 +29,8 @@
 #
 let s3_buckets_server_side_encryption = Resources.*[ Type == 'AWS::S3::Bucket'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "W41"
 Metadata.guard.SuppressedRules not exists or
 Metadata.guard.SuppressedRules.* != "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
 ]
diff --git a/rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard b/rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard
new file mode 100644
index 0000000..bd0fec3
--- /dev/null
+++ b/rules/aws/amazon_s3/s3_bucketpolicy_no_allow_plus_notprincipal.guard
@@ -0,0 +1,54 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL
+#
+# Description:
+# Checks that Amazon S3 BucketPolicies do not use Effect:Allow with NotPrincipal
+#
+# Reports on:
+# AWS::S3::BucketPolicy
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# F9
+#
+# Documentation:
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
+#
+# Scenarios:
+# a) SKIP: when there are no S3 BucketPolicies present
+# b) PASS: when all S3 BucketPolicies do not Allow with NotPrincipal
+# c) FAIL: when any S3 BucketPolicies PolicyDocument statement has both Effect: Allow and NotPrincipal
+# d) SKIP: when metada has rule suppression for S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL or CFN_NAG F9
+
+#
+# Select all S3 BucketPolicy resources from incoming template (payload)
+#
+let aws_s3_bucketpolicy_resources = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+ Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress.*.id != "F9"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL"
+]
+
+rule S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL when %aws_s3_bucketpolicy_resources !empty {
+ let violations = %aws_s3_bucketpolicy_resources[
+ some Properties.PolicyDocument.Statement[*] {
+ Effect == "Allow"
+ NotPrincipal exists
+ }
+ ]
+ %violations empty
+ <<
+ Violation: S3 Bucket policy should not allow Allow+NotPrincipal
+ Fix: Remove policy statements that match {"Effect": "Allow", "NotPrincipal": ... }
+ >>
+}
\ No newline at end of file
diff --git a/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml b/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml
index cf698f3..b4efb6c 100644
--- a/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml
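Review bot: Naming diverges from the other new rules: the identifier `S3_BUCKETPOLICY_NO_ALLOW_PLUS_NOTPRINCIPAL` and the variable `aws_s3_bucketpolicy_resources` use `BUCKETPOLICY`/`bucketpolicy` where the three sibling rules use `S3_BUCKET_POLICY_` and `s3_bucket_policy_...`, and the file name follows the odd one out; since the identifier is what users place in `Metadata.guard.SuppressedRules`, one spelling across the set reduces suppression mistakes. The file also lacks a trailing newline (`\ No newline at end of file`). Scenario d) has `metada` for `metadata`.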
+++ b/rules/aws/amazon_s3/tests/s3_bucket_logging_enabled_tests.yml @@ -56,3 +56,19 @@ expectations: rules: S3_BUCKET_LOGGING_ENABLED: SKIP + +- name: S3 Bucket with Logging Configuration missing with suppression, SKIP + input: + Resources: + ExampleS3: + Type: AWS::S3::Bucket + Metadata: + cfn_nag: + rules_to_suppress: + - id: W35 + reason: Suppressed for a very good reason + Properties: + BucketName: my-bucket + expectations: + rules: + S3_BUCKET_LOGGING_ENABLED: SKIP diff --git a/rules/aws/amazon_s3/tests/s3_bucket_policy_no_allow_plus_not_action_tests.yml b/rules/aws/amazon_s3/tests/s3_bucket_policy_no_allow_plus_not_action_tests.yml new file mode 100644 index 0000000..cb3a895 --- /dev/null +++ b/rules/aws/amazon_s3/tests/s3_bucket_policy_no_allow_plus_not_action_tests.yml 
@@ -0,0 +1,129 @@ +### +# S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION tests +### +--- +- name: Empty + input: {} + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: SKIP + +- name: No resources + input: + Resources: {} + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: SKIP + +- name: S3 BucketPolicy PolicyDocument with Effect:Deny and NotAction + input: + Resources: + ExampleResource: + Type: "AWS::S3::BucketPolicy" + Properties: + Bucket: foo-bar-baz + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Deny + NotAction: + AWS: + - "arn:aws:iam::444455556666:user/Bob" + - "arn:aws:iam::444455556666:root" + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: PASS + +- name: S3 BucketPolicy PolicyDocument with Effect:Allow and NotAction + input: + Resources: + ExampleResource: + Type: "AWS::S3::BucketPolicy" + Properties: + Bucket: foo-bar-baz + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + NotAction: + AWS: + - "arn:aws:iam::444455556666:user/Bob" + - "arn:aws:iam::444455556666:root" + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: FAIL + + +- name: S3 BucketPolicy PolicyDocument with Effect:Allow, but rule suppressed + input: + Resources: + ExampleResource: + Type: "AWS::S3::BucketPolicy" + Properties: + Bucket: foo-bar-baz + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + NotAction: + AWS: + - "arn:aws:iam::444455556666:user/Bob" + - "arn:aws:iam::444455556666:root" + Metadata: + guard: + SuppressedRules: + - S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: Suppressed to test suppression works and skips this test + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: SKIP + +- name: S3 BucketPolicy PolicyDocument with Effect:Allow, but rule suppressed - CFN_NAG + input: + Resources: + ExampleResource: + Type: "AWS::S3::BucketPolicy" + Properties: + Bucket: foo-bar-baz + PolicyDocument: + Version: "2012-10-17" + 
Statement: + - Effect: Allow + NotAction: + AWS: + - "arn:aws:iam::444455556666:user/Bob" + - "arn:aws:iam::444455556666:root" + Metadata: + cfn_nag: + rules_to_suppress: + - id: W20 + reason: Suppressed to test suppression works and skips this test + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: SKIP + +- name: S3 BucketPolicy PolicyDocument with Effect:Allow, but rule suppressed - BOTH + input: + Resources: + ExampleResource: + Type: "AWS::S3::BucketPolicy" + Properties: + Buket: foo-bar-baz + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + NotAction: + AWS: + - "arn:aws:iam::444455556666:user/Bob" + - "arn:aws:iam::444455556666:root" + Metadata: + cfn_nag: + rules_to_suppress: + - id: W20 + reason: Suppressed to test suppression works and skips this test + guard: + SuppressedRules: + - S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: Suppressed to test suppression works and skips this test + expectations: + rules: + S3_BUCKET_POLICY_NO_ALLOW_PLUS_NOT_ACTION: SKIP diff --git a/rules/aws/amazon_s3/tests/s3_bucket_policy_no_wildcard_action_tests.yml b/rules/aws/amazon_s3/tests/s3_bucket_policy_no_wildcard_action_tests.yml new file mode 100644 index 0000000..77ce98b --- /dev/null +++ b/rules/aws/amazon_s3/tests/s3_bucket_policy_no_wildcard_action_tests.yml 
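Review bot: The `NotAction` value in every fixture is `AWS: [arn...]`, which is the shape of a `Principal`/`NotPrincipal`, not an action list; the tests pass only because the rule checks `NotAction exists`, so a realistic fixture such as `NotAction: ["s3:GetObject"]` (constructed sample) would also survive a future tightening of the rule to string/list actions. The BOTH suppression case misspells the property as `Buket: foo-bar-baz`. There is no FAIL fixture where `Statement` is a single map rather than a list, nor one where only one of several statements offends — both are worth adding given the `some ... Statement[*]` quantifier in the rule.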
@@ -0,0 +1,227 @@ +### +# S3_BUCKET_POLICY_NO_WILDCARD_ACTION tests +### +--- +- name: Empty, SKIP + input: {} + expectations: + rules: + S3_BUCKET_POLICY_NO_WILDCARD_ACTION: SKIP + +- name: No resources, SKIP + input: + Resources: {} + expectations: + rules: + S3_BUCKET_POLICY_NO_WILDCARD_ACTION: SKIP + +- name: S3 BucketPolicy w/ no global permissions, PASS + input: + Resources: + SampleBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref DOC-EXAMPLE-BUCKET + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + expectations: + rules: + S3_BUCKET_POLICY_NO_WILDCARD_ACTION: PASS + +- name: S3 BucketPolicy w/ Action "*", FAIL + input: + Resources: + SampleBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: "*" + Effect: Allow + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref DOC-EXAMPLE-BUCKET + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + expectations: + rules: + S3_BUCKET_POLICY_NO_WILDCARD_ACTION: FAIL + +- name: S3 BucketPolicy w/ Action "*", Effect Deny, PASS + input: + Resources: + SampleBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: "*" + Effect: Deny + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref DOC-EXAMPLE-BUCKET + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + expectations: + rules: + S3_BUCKET_POLICY_NO_WILDCARD_ACTION: PASS + +- name: S3 BucketPolicy w/ Action "