S3 Bucket Policy Accepts HTTP Requests False Positive
I am unable to pass my KICS scan. I fail with this result (note I have removed some sensitive info from this output):
Scanning with Keeping Infrastructure as Code Secure v1.5.10
Files scanned: 26
Parsed files: 26
Queries loaded: 48
Queries failed to execute: 0
------------------------------------
Description: S3 Bucket policy should not accept HTTP Requests
Platform: Terraform
[2]: terraform/s3.tf:159
158: bucket = aws_s3_bucket.common.id
159: policy = data.aws_iam_policy_document.common_policy.json
160: }
Results Summary:
HIGH: 0
MEDIUM: 1
LOW: 0
INFO: 0
TOTAL: 1
Results saved to file kics-scan-report.json
Scan duration: 9.29071451s
*********************************
🕵️ FINDINGS
*********************************
🚨 MEDIUM (1):
[4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9] S3 Bucket Policy Accepts HTTP Requests
[FAILURE] 🚨 CIS MEDIUM or higher findings found.
Here's the relevant Terraform...
resource "aws_s3_bucket" "common" {
  bucket        = "name" # 63 char limit
  acl           = "private"
  force_destroy = true
}

resource "aws_s3_bucket_policy" "https_common" {
  bucket = aws_s3_bucket.common.id
  policy = data.aws_iam_policy_document.common_policy.json
}

data "aws_iam_policy_document" "common_policy" {
  statement {
    sid    = "https"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:*"
    ]

    resources = [
      aws_s3_bucket.common.arn,
      "${aws_s3_bucket.common.arn}/*"
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values = [
        "false"
      ]
    }
  }
}
Expected Behavior
I expect to not find the MEDIUM vulnerability.
Actual Behavior
I do find the MEDIUM vulnerability.
- Version: 1.5.10
- Platform: Terraform
- Sub-Platform: AWS
I've followed the advice in the AWS docs. But perhaps I am not translating it to Terraform correctly. Or maybe there is still an issue with the query.
Thanks in advance for any help you can provide.
Hi @dalenewman, hope you are doing great! I have checked the behavior of the Security Query in question and it is indeed a false positive. At the moment your code sample is failing in the parsing process due to missing targeted resources in the resource array situated inside the policy statement.
resources = [
  aws_s3_bucket.common.arn,
  "${aws_s3_bucket.common.arn}/*"
]
The current behavior is expected due to the use of the hcldec golang package that decodes HashiCorp Configuration Language.
Could you please test, or provide the code, with the missing targeted resources to ensure that the errors persist or not?
Okay I added the common aws_s3_bucket resource to the example. Thanks.
👍 , this is incorrectly reported as a vulnerability, whereas it should not be.
I have the following S3 bucket policy, but it's still reported as S3 Bucket Policy Accepts HTTP Requests.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireSecureTransport",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::bucket-test-xxxx/*",
        "arn:aws:s3:::bucket-test-xxxx"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
👍 , this is incorrectly reported.
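As an added example (my own code, not the KICS query and not code from anyone in this thread), here is the property the scanner is trying to evaluate, written out as a standalone check and run over the JSON policy posted just above and over the JSON that the original post's aws_iam_policy_document renders to. It accepts both spellings a valid policy can take: Terraform emits `"Principal": "*"` and collapses single-element lists to strings, while hand-written JSON usually says `{"AWS": "*"}` and uses lists. The bucket names are placeholders and the two failing policies at the end are constructed to show what an insufficient policy looks like.

```python
"""Check that an S3 bucket policy denies every request not made over TLS.
Added example; the sample policies and bucket ARNs are constructed placeholders."""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows Action/Resource/condition values as a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    # Terraform renders principals { type = "*" identifiers = ["*"] } as "Principal": "*";
    # hand-written JSON usually says {"AWS": "*"}. Both cover anonymous and all accounts.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_covers_all_s3(action: Any) -> bool:
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _resource_covers_bucket(resource: Any, bucket_arn: str) -> bool:
    # Bucket-level calls (ListBucket) match the bucket ARN, object calls match ARN/*;
    # a Deny that names only one of them leaves the other reachable over HTTP.
    res = set(_as_list(resource))
    return "*" in res or {bucket_arn, f"{bucket_arn}/*"} <= res


def _denies_plaintext(condition: Any) -> bool:
    if not isinstance(condition, dict):
        return False
    values = _as_list(condition.get("Bool", {}).get("aws:SecureTransport"))
    return "false" in [str(v).lower() for v in values]


def check_deny_http(policy: Dict[str, Any], bucket_arn: str) -> List[str]:
    """Return [] when some statement denies all non-TLS access to the bucket and its
    objects, otherwise one line per statement saying why it does not qualify."""
    problems: List[str] = []
    for st in _as_list(policy.get("Statement")):
        reasons = []
        if st.get("Effect") != "Deny":
            reasons.append("Effect is not Deny")
        if not _principal_is_everyone(st.get("Principal")):
            reasons.append("Principal does not cover everyone")
        if not _action_covers_all_s3(st.get("Action")):
            reasons.append("Action does not cover s3:*")
        if not _resource_covers_bucket(st.get("Resource"), bucket_arn):
            reasons.append("Resource must list both the bucket ARN and <ARN>/*")
        if not _denies_plaintext(st.get("Condition")):
            reasons.append('no Bool aws:SecureTransport = "false" condition')
        if not reasons:
            return []
        problems.append(f"{st.get('Sid', '<no sid>')}: " + "; ".join(reasons))
    return problems or ["policy has no statements"]


# The JSON policy posted in this thread (bucket name as posted; a placeholder).
THREAD_BUCKET_ARN = "arn:aws:s3:::bucket-test-xxxx"
THREAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireSecureTransport", "Effect": "Deny",
    "Principal": {"AWS": "*"}, "Action": "*",
    "Resource": ["arn:aws:s3:::bucket-test-xxxx/*", "arn:aws:s3:::bucket-test-xxxx"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# What the original post's aws_iam_policy_document renders to (assumed bucket name "name").
TF_BUCKET_ARN = "arn:aws:s3:::name"
TF_RENDERED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "https", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::name", "arn:aws:s3:::name/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# Constructed counter-examples: objects only (bucket listing still works over HTTP), and
# an Allow that requires TLS but denies nothing, so plaintext requests are not blocked.
OBJECTS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ObjectsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::name/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
ALLOW_TLS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowTls", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::name/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}


if __name__ == "__main__":
    for name, pol, arn in [("thread", THREAD_POLICY, THREAD_BUCKET_ARN),
                           ("terraform", TF_RENDERED_POLICY, TF_BUCKET_ARN),
                           ("objects-only", OBJECTS_ONLY_POLICY, TF_BUCKET_ARN),
                           ("allow-tls", ALLOW_TLS_POLICY, TF_BUCKET_ARN)]:
        print(name, check_deny_http(pol, arn) or "OK: plaintext requests are denied")
```

Both policies from the thread pass this check; the two constructed ones fail for the reasons a reviewer would give (missing bucket-level ARN, and an Allow that never denies). The point of the normalisation helpers is that `"Principal": "*"`, `"Action": "s3:*"` and a single string condition value are all legitimate renderings, so a matcher that only recognises the list-and-`{"AWS": "*"}` form will reject a correct policy.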
Hi @abdusahin! Can you please provide more information regarding your statement?