Control: S3 bucket ACLs should prohibit public read access

Description

This control checks if S3 bucket ACLs allow public read access to objects in the bucket.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.s3_bucket_acl_prohibit_public_read_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.s3_bucket_acl_prohibit_public_read_access --share

Steampipe Tables

aws_s3_bucket

SQL

with data as (
  select
    distinct name
  from
    aws_s3_bucket,
    jsonb_array_elements(acl -> 'Grants') as grants
  where
    grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
    and (
      grants ->> 'Permission' = 'FULL_CONTROL'
      or grants ->> 'Permission' = 'READ_ACP'
    )
)
select
  b.arn as resource,
  case
    when d.name is null then 'ok'
    else 'alarm'
  end status,
  case
    when d.name is null then b.title || ' not publicly readable.'
    else b.title || ' publicly readable.'
  end reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join data as d on b.name = d.name;

Control: S3 bucket ACLs should prohibit public read access

Description

Usage

Steampipe Tables

SQL

Tags