
S3 Bucket Without Restriction Of Public Bucket Security Query False Positive Result

Open cxMiguelSilva opened this issue 2 years ago • 0 comments

Actual Behavior

The S3 Bucket Without Restriction Of Public Bucket security query flagged a false positive on line 13, as, by default, new buckets, access points and objects do not allow public access.

{
	"query_name": "S3 Bucket Without Restriction Of Public Bucket",
	"query_id": "1ec253ab-c220-4d63-b2de-5b40e0af9293",
	"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block",
	"severity": "HIGH",
	"platform": "Terraform",
	"cloud_provider": "AWS",
	"category": "Insecure Configurations",
	"description": "S3 bucket without restriction of public bucket",
	"description_id": "a6e86c32",
	"files": [
		{
			"file_name": "../../path/test.tf",
			"similarity_id": "3077235da4e24fdaa136c895be69213c27ccc60a3266001bbe440b07ac013f8d",
			"line": 13,
			"resource_type": "aws_s3_bucket_public_access_block",
			"resource_name": "example",
			"issue_type": "MissingAttribute",
			"search_key": "aws_s3_bucket_public_access_block[example].restrict_public_buckets",
			"search_line": 0,
			"search_value": "",
			"expected_value": "'restrict_public_buckets' is equal 'true'",
			"actual_value": "'restrict_public_buckets' is missing",
			"remediation": "restrict_public_buckets = true",
			"remediation_type": "addition"
		}
	]
},

Steps to Reproduce the Problem

(Command line arguments and flags used)

Run the KICS scan command: docker run -v /path/to/folder:/path checkmarx/kics:v1.6.1 scan -p /path/sample.tf

Sample to reproduce the Issue:

resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
  acl    = "public-read" # "public" is not a valid canned ACL; "public-read" keeps the bucket public as the sample intends

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256" # required argument, missing from the original sample
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  # the sample referenced aws_s3_bucket.example, which is not declared; the bucket above is "mybucket"
  bucket = aws_s3_bucket.mybucket.id

  block_public_acls   = true
  block_public_policy = true
  # ignore_public_acls and restrict_public_buckets are intentionally omitted: this is what the query reports
}

resource "aws_s3_bucket_policy" "b" {
  # the sample referenced aws_s3_bucket.b, which is not declared; point at the bucket above
  bucket = aws_s3_bucket.mybucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.mybucket.arn,
          "${aws_s3_bucket.mybucket.arn}/*",
        ]
        Condition = {
          IpAddress = {
            "aws:SourceIp" = "8.8.8.8/32"
          }
        }
      },
    ]
  })
}

cxMiguelSilva Oct 03 '22 14:10
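The check the query encodes, written out as an added example (this is not KICS code and not the Rego query itself). The aws_s3_bucket_public_access_block resource defaults each of its four boolean arguments to false when the argument is omitted, so an omitted restrict_public_buckets is reported the same way as restrict_public_buckets = false. The example goes beyond the query by checking all four Block Public Access settings, and it also computes the effective configuration Terraform would apply, with the defaults filled in. The input is a constructed HCL file modelled on the reproduction sample above (the resource names explicit_false and hardened are assumptions), and the parsing is a small regex pass that assumes the resource bodies have no nested blocks, which is true for this resource type.

```python
import re
from dataclasses import dataclass

# Constructed input modelled on the issue's sample; not the reporter's actual file.
SAMPLE_TF = """
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.mybucket.id

  block_public_acls   = true
  block_public_policy = true
}

resource "aws_s3_bucket_public_access_block" "explicit_false" {
  bucket = aws_s3_bucket.mybucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = false
}

resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket = aws_s3_bucket.mybucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
"""

# The four Block Public Access booleans; the Terraform provider defaults each to false when omitted.
BPA_SETTINGS = (
    "block_public_acls",
    "block_public_policy",
    "ignore_public_acls",
    "restrict_public_buckets",
)

# Matches one aws_s3_bucket_public_access_block resource and captures its name and body.
# Assumes no nested blocks inside the body (this resource type has none).
RESOURCE_RE = re.compile(
    r'resource\s+"aws_s3_bucket_public_access_block"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.S | re.M,
)
# Matches a top-level `key = value` line inside a body, dropping any trailing # comment.
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*([^\n#]+)", re.M)


@dataclass(frozen=True)
class Finding:
    resource_name: str
    setting: str
    issue_type: str  # "MissingAttribute" or "IncorrectValue", mirroring the KICS result fields
    actual_value: str
    remediation: str


def parse_public_access_blocks(hcl: str) -> dict[str, dict[str, str]]:
    """Return {resource_name: {attribute: raw_value}} for every public access block resource."""
    blocks: dict[str, dict[str, str]] = {}
    for name, body in RESOURCE_RE.findall(hcl):
        blocks[name] = {key: value.strip() for key, value in ATTR_RE.findall(body)}
    return blocks


def effective_settings(attrs: dict[str, str]) -> dict[str, bool]:
    """The configuration Terraform actually applies: omitted settings fall back to the provider default of false."""
    return {s: attrs.get(s, "false").strip().lower() == "true" for s in BPA_SETTINGS}


def check_public_access_block(hcl: str, settings=BPA_SETTINGS) -> list[Finding]:
    """Report each setting that is missing or not literally true, one finding per setting per resource."""
    findings: list[Finding] = []
    for name, attrs in parse_public_access_blocks(hcl).items():
        for setting in settings:
            value = attrs.get(setting)
            if value is None:
                findings.append(Finding(name, setting, "MissingAttribute",
                                        f"'{setting}' is missing", f"{setting} = true"))
            elif value.lower() != "true":
                findings.append(Finding(name, setting, "IncorrectValue",
                                        f"'{setting}' is {value}", f"{setting} = true"))
    return findings


if __name__ == "__main__":
    for f in check_public_access_block(SAMPLE_TF):
        print(f"{f.resource_name}: {f.issue_type}: {f.actual_value} -> add {f.remediation}")
    print(effective_settings(parse_public_access_blocks(SAMPLE_TF)["example"]))
```

Restricting `settings` to `("restrict_public_buckets",)` reproduces exactly what this one query reports; the default of all four settings is what a reviewer would normally want, since a block that sets only two of them still sends false for the other two.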