turbot/aws_perimeter

Control: S3 bucket ACLs should prohibit public write access

Description

This control checks if S3 bucket ACLs allow public write access to objects in the bucket.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.s3_bucket_acl_prohibit_public_write_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.s3_bucket_acl_prohibit_public_write_access --share

Steampipe Tables

SQL

with data as (
select
distinct name
from
aws_s3_bucket,
jsonb_array_elements(acl -> 'Grants') as grants
where
grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
and (
grants ->> 'Permission' = 'FULL_CONTROL'
or grants ->> 'Permission' = 'WRITE_ACP'
)
)
select
b.arn as resource,
case
when d.name is null then 'ok'
else 'alarm'
end status,
case
when d.name is null then b.title || ' not publicly writable.'
else b.title || ' publicly writable.'
end reason
, b.region, b.account_id
from
aws_s3_bucket as b
left join data as d on b.name = d.name;

Tags