
Add s3_bucket_level_public_access_block check

Open addefisher opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe.
Prowler already has an s3_account_level_public_access_block check. In the majority of cases, it is preferable to rely on AWS account level BPA settings and use this check to validate them, when attempting to enforce framework compliance or simply prevent over-exposed S3 buckets.

However, in some cases, an AWS account may have a fixed number of buckets which are intentionally public for legitimate reasons (for example, hosting static assets or publishing CloudFormation templates). In these cases, it is not feasible to use either account level BPA settings or the s3_account_level_public_access_block check. Instead, bucket level BPA settings must be used with the buckets in the account which are not meant to be public.

Describe the solution you'd like
Add a check named s3_bucket_level_public_access_block, which can be used to validate bucket level BPA settings in accounts which cannot rely on account level BPA settings.

Describe alternatives you've considered
Suppressing the check entirely for accounts which cannot use account level BPAs. This is a sub-optimal solution as it results in visibility gaps for the non-public buckets in the account.

Additional context
The CIS AWS Foundations 1.5 benchmark 2.1.5 does not mandate account level BPAs, it only requires that some sort of BPA is applied to all buckets in an AWS account.

addefisher, Feb 15 '23 21:02

Hi @addefisher, thank you for reaching out to us! Can you take a look at the check s3_bucket_public_access? I think this check can apply to the CIS AWS Foundations 1.5 benchmark 2.1.5.

sergargar, Feb 16 '23 13:02

@sergargar CIS AWS Foundations 1.5 benchmark 2.1.5 specifies that BPA settings should be configured on an account or bucket level. However, based on my understanding of s3_bucket_public_access, this check will be marked as passing for buckets which have neither such setting configured, as long as the bucket does not have a public ACL or bucket policy.

addefisher, Feb 21 '23 19:02

I think a reduced version of the s3_bucket_public_access check would be sufficient

addefisher, Feb 21 '23 19:02

I agree, I came across this need yesterday actually. Having a new check that only does step 2 in the s3_bucket_public_access check would be great: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py#L22

Then there will be a check for:

  1. Account-level Block Public Access settings (CIS 1.5 benchmark)
  2. Bucket-level Block Public Access settings (CIS 1.5 benchmark)
  3. Public access check which looks at several settings (general check)

acknosyn, Feb 21 '23 20:02
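The bucket-level check the thread asks for, written here as an added illustration rather than Prowler's own code: it evaluates PublicAccessBlockConfiguration dicts shaped like the boto3 get_public_access_block response and runs offline on constructed sample buckets. The Finding shape and the optional account-level fallback (which CIS 2.1.5 allows, per the discussion above) are my assumptions, not part of the requested check.

```python
from dataclasses import dataclass

# The four settings that make up a Block Public Access (BPA) configuration.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    bucket: str
    status: str           # "PASS" or "FAIL"
    status_extended: str  # human-readable reason, as Prowler findings carry


def bpa_fully_enabled(config):
    """True only when all four BPA settings are present and True. `config` is a
    PublicAccessBlockConfiguration dict, or None when none exists (boto3 raises
    NoSuchPublicAccessBlockConfiguration; the caller is assumed to map it to None)."""
    if not config:
        return False
    return all(config.get(key) is True for key in BPA_KEYS)


def check_bucket_level_public_access_block(buckets, account_bpa=None):
    """One Finding per bucket. `buckets` maps name -> configuration (or None);
    `account_bpa` is the optional account-level configuration, and when it
    already blocks everything every bucket passes (CIS 2.1.5 accepts either level)."""
    findings = []
    for name, bucket_bpa in buckets.items():
        if bpa_fully_enabled(account_bpa):
            findings.append(Finding(name, "PASS", "Covered by account-level BPA."))
        elif bpa_fully_enabled(bucket_bpa):
            findings.append(Finding(name, "PASS", "Bucket-level BPA fully enabled."))
        else:
            missing = [k for k in BPA_KEYS if not (bucket_bpa or {}).get(k)]
            findings.append(Finding(name, "FAIL",
                                    "Not covered by BPA; missing: " + ", ".join(missing)))
    return findings


# Constructed sample input: locked-down, intentionally public (to be allow-listed), unconfigured.
SAMPLE_BUCKETS = {
    "private-data": {k: True for k in BPA_KEYS},
    "public-assets": {k: False for k in BPA_KEYS},
    "legacy-no-config": None,
}

if __name__ == "__main__":
    for f in check_bucket_level_public_access_block(SAMPLE_BUCKETS):
        print(f.status, f.bucket, f.status_extended)
```

A bucket with no PublicAccessBlockConfiguration at all fails just like one with every setting disabled, which is exactly the gap the existing s3_bucket_public_access check leaves open.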