inspec-aws
aws_s3_bucket - be_public matcher providing false positives
Describe the problem
Currently the AWS S3 bucket `public?` method is only checking the bucket policy and returning true or false based on this.
https://github.com/inspec/inspec-aws/blob/master/libraries/aws_s3_bucket.rb#L47
It has been pointed out by @tmonk42 that the S3 bucket policy is overridden by the block public access setting.
Possible Solution
We could potentially make use of the AWS SDK `get_public_access_block` method. If this is set, we can ignore the `bucket_policy`.

Example output of `get_public_access_block`:

```ruby
@aws.storage_client.get_public_access_block(bucket: @bucket_name)
=> #<struct Aws::S3::Types::GetPublicAccessBlockOutput
     public_access_block_configuration=
       #<struct Aws::S3::Types::PublicAccessBlockConfiguration
         block_public_acls=true,
         ignore_public_acls=true,
         block_public_policy=true,
         restrict_public_buckets=true>>
```
There are four possible statuses for a bucket: "public" / "objects can be public" / "bucket and objects not public" / "only authorized users of this account".
It's worth noting that the CIS-AWS v1.2 specifically calls out "no access via acl or bucket policy".
Status "only authorized users" is shown when the bucket SETTING blocks public access, and the bucket POLICY allows public access. Reference reading: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access.html
We probably want to be able to test for both "public" and "bucket policy that allows public regardless of if that's overridden by settings" to allow for more fine grained tests and policies.
Turns out there is also an account level setting that will block public access for all buckets that overrides both "bucket settings" and "bucket acl/policy". Reference: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3Control/Client.html#get_public_access_block-instance_method
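To make the precedence discussed in this thread concrete, here is an added example (not inspec-aws code) that models how the four block-public-access flags, at bucket level and overridden by the account level, combine with a public bucket policy or ACL into the four console statuses quoted above. The struct is a constructed stand-in for the SDK type, and `policy_public`/`acl_public` are assumed inputs supplied by the caller rather than a policy-document evaluation.

```ruby
# Added example: a simplified model of how the S3 "block public access" flags
# (bucket level, overridden by account level) interact with a public bucket
# policy or ACL. It is not inspec-aws code; the status names follow the four
# console statuses quoted in the thread and the precedence rules are a
# simplification of the AWS docs linked above.

BLOCK_KEYS = %i[block_public_acls ignore_public_acls
                block_public_policy restrict_public_buckets].freeze

# Constructed stand-in for Aws::S3::Types::PublicAccessBlockConfiguration,
# so the example runs without the SDK (the real struct also supports to_h).
PublicAccessBlockConfiguration = Struct.new(*BLOCK_KEYS, keyword_init: true)

# A flag enabled at either the bucket or the account level is in effect.
def effective_block(bucket_block, account_block)
  BLOCK_KEYS.each_with_object({}) do |k, h|
    h[k] = !!(bucket_block.to_h[k] || account_block.to_h[k])
  end
end

# policy_public / acl_public: whether the bucket policy / ACL itself grants
# public access (an assumption supplied by the caller; a real check would
# evaluate the policy document as aws_s3_bucket.rb does).
def public_status(bucket_block:, account_block: {}, policy_public: false, acl_public: false)
  blk = effective_block(bucket_block, account_block)
  acl_effective    = acl_public    && !blk[:ignore_public_acls]
  policy_effective = policy_public && !blk[:restrict_public_buckets]
  status =
    if acl_effective || policy_effective
      'public'
    elsif policy_public
      # Public policy present but overridden by restrict_public_buckets
      'only authorized users of this account'
    elsif BLOCK_KEYS.all? { |k| blk[k] }
      'bucket and objects not public'
    else
      'objects can be public'
    end
  # Report both the effective status and the raw policy verdict, so a test can
  # target either "is public" or "policy allows public even if overridden".
  { status: status, policy_allows_public: policy_public, effective_block: blk }
end

if __FILE__ == $PROGRAM_NAME
  cfg = PublicAccessBlockConfiguration.new(block_public_acls: true, ignore_public_acls: true,
                                           block_public_policy: true, restrict_public_buckets: true)
  p public_status(bucket_block: cfg, policy_public: true)
end
```

Returning both `status` and `policy_allows_public` is what lets a control check "not public" and "no public bucket policy at all" (the CIS wording) as separate matchers.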