turbot/aws_perimeter

Control: S3 bucket ACLs should prohibit public read access

Description

This control checks if S3 bucket ACLs allow public read access to objects in the bucket.

Usage

Run the control in your terminal:

steampipe check aws_perimeter.control.s3_bucket_acl_prohibit_public_read_access

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_perimeter.control.s3_bucket_acl_prohibit_public_read_access

Plugins & Tables

SQL

-- Buckets that carry an ACL grant to the public AllUsers group
-- with FULL_CONTROL or READ_ACP
with data as (
  select
    distinct name
  from
    aws_s3_bucket,
    jsonb_array_elements(acl -> 'Grants') as grants
  where
    grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
    and (
      grants ->> 'Permission' = 'FULL_CONTROL'
      or grants ->> 'Permission' = 'READ_ACP'
    )
)
-- Every bucket is reported; those matched above are in alarm
select
  b.arn as resource,
  case
    when d.name is null then 'ok'
    else 'alarm'
  end status,
  case
    when d.name is null then b.title || ' not publicly readable.'
    else b.title || ' publicly readable.'
  end reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join data as d on b.name = d.name;
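As an added illustration (not code from the aws_perimeter mod), the query's logic mirrored in Python over constructed bucket rows shaped like the aws_s3_bucket table's arn, title, region, account_id and acl columns; the helper names, sample buckets and account id are assumptions, and the permission set is a parameter so the same test can be re-run with a different set.

```python
# Added example (not the mod's code): the control's ACL test re-implemented in
# Python so it can be run offline against constructed bucket rows.
from typing import Iterable, List, Optional

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# Permissions the control treats as public read: the same set the SQL checks
PUBLIC_READ_PERMISSIONS = frozenset({"FULL_CONTROL", "READ_ACP"})


def is_publicly_readable(acl: Optional[dict],
                         permissions: Iterable[str] = PUBLIC_READ_PERMISSIONS) -> bool:
    # Mirror of the `data` CTE: any grant whose grantee URI is the AllUsers group
    # and whose Permission is in the set. A null/empty ACL yields no rows from
    # jsonb_array_elements in SQL, so it is treated as not public here too.
    wanted = set(permissions)
    for grant in (acl or {}).get("Grants") or []:
        grantee = grant.get("Grantee") or {}
        if grantee.get("URI") == ALL_USERS_URI and grant.get("Permission") in wanted:
            return True
    return False


def evaluate_bucket(bucket: dict) -> dict:
    # Mirror of the outer select: one resource/status/reason row per bucket
    public = is_publicly_readable(bucket.get("acl"))
    verdict = "publicly readable." if public else "not publicly readable."
    return {
        "resource": bucket["arn"],
        "status": "alarm" if public else "ok",
        "reason": f"{bucket['title']} {verdict}",
        "region": bucket["region"],
        "account_id": bucket["account_id"],
    }


def _bucket(name: str, acl: Optional[dict]) -> dict:
    # Constructed row shaped like aws_s3_bucket; the account id is a placeholder
    return {"arn": f"arn:aws:s3:::{name}", "title": name, "region": "us-east-1",
            "account_id": "123456789012", "acl": acl}


# Constructed sample ACLs: owner-only, AllUsers group with READ_ACP, and no ACL
SAMPLE_BUCKETS = [
    _bucket("example-private", {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}),
    _bucket("example-public", {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ_ACP"}]}),
    _bucket("example-no-acl", None),
]


def run_control(buckets: List[dict] = SAMPLE_BUCKETS) -> List[dict]:
    return [evaluate_bucket(b) for b in buckets]
```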

Tags