logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure service configuration - Bucket - Aws

Need

Enabling secure service configuration for S3 buckets

Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Insecure Code Example

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

The above Terraform code creates an S3 bucket on AWS with the name "bucket-name". The bucket is configured to be private, meaning only the AWS account that created the bucket and users that have been explicitly granted permissions can access it. However, the code is vulnerable due to the lack of versioning configuration. The S3 bucket versioning feature is not enabled. This feature allows you to preserve, retrieve, and restore every version of every object in your bucket. This is useful in protecting against both unintended user actions and application failures. Without versioning, if an object is deleted or overwritten, there's no way to recover the previous state. This could lead to data loss in case of accidental deletion or overwriting, or malicious actions from users. Therefore, this code is considered insecure as it does not enable the VersioningConfiguration resource for the S3 bucket.

Steps

  1. Enable versioning for the S3 bucket
  2. Update the 'aws_s3_bucket' resource configuration to include the 'versioning' block
  3. Set the 'status' attribute in the 'versioning' block to 'Enabled'

Secure Code Example

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket-name"
  acl    = "private"

  versioning {
    status = "Enabled"
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

The updated code includes a `versioning` block within the `aws_s3_bucket` resource. This block is used to enable versioning for the S3 bucket. The `status` attribute within the `versioning` block is set to `Enabled`, which turns on versioning for the bucket. Versioning allows you to preserve, retrieve, and restore every version of every object in your Amazon S3 bucket. This makes it easier to recover from both unintended user actions and application failures. You can use versioning to preserve, retrieve, and restore every version of every object in your bucket. With versioning, you can easily recover from both unintended user actions and application failures.

References

  • 335 - Insecure service configuration - Bucket

    • Last updated

    2023/09/18