S3 bucket policy allows lockout all but root user
Description
This rule flags bucket policies whose configuration could lock out every non-root user from an S3 bucket. A Deny statement that applies to all principals, covers all S3 actions and reaches the whole bucket denies access to every identity in the account, leaving only the root user able to remove the policy. The check helps keep access control in AWS environments intact by ensuring that bucket policies do not create risk through overly restrictive configurations.
Code Example
```diff
 resource "aws_s3_bucket" "example" {
   bucket = "example"
 }

 resource "aws_s3_bucket_policy" "example" {
   bucket = aws_s3_bucket.example.id
   policy = <<POLICY
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Deny",
-      "Principal": "*",
+      "Principal": { "AWS": "some_arn" },
       "Action": "s3:*",
+      "Resource": ["arn:aws:s3:::example/*", "arn:aws:s3:::example"]
     }
   ]
 }
 POLICY
 }
```
Remediation
Terraform
- Resource: aws_s3_bucket, aws_s3_bucket_policy
- Argument: policy
Do not deny overly broad actions (such as `s3:*`) on a broad set of resources for all principals (`"Principal": "*"`) in an S3 bucket policy. Scope the Deny to specific principals, or narrow the actions and resources it covers.
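The following script is an added illustration of the pattern this rule looks for, written for this page rather than taken from Checkov's own implementation. It parses a bucket policy document, reports Deny statements that apply to every principal, cover all S3 actions and reach the bucket without any Condition, and treats the scoped remediation above and a TLS-enforcing conditional Deny as clean. The exact matching heuristics (which principal, action and resource forms count as "all") and the role ARN in the sample policies are assumptions; the policy documents are constructed inline for the example.

```python
"""Detect S3 bucket-policy statements that lock out all but the root user.

Added example, not Checkov's code: the heuristics below are assumptions
about what the rule intends to catch.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """'*' and {"AWS": "*"} both mean every principal (assumption)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _actions_cover_all_s3(actions: Any) -> bool:
    """'s3:*' or '*' covers every S3 action, including bucket-policy edits."""
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _resources_cover_bucket(resources: Any, bucket: str) -> bool:
    """True when the statement reaches the bucket itself or all objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    broad = ("*", "arn:aws:s3:::*", bucket_arn, f"{bucket_arn}/*")
    return any(r in broad for r in _as_list(resources))


def find_lockout_statements(policy_json: str, bucket: str) -> list:
    """Return the Sid (or index label) of each statement matching the pattern."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "Condition" in stmt:
            # A conditional Deny (e.g. enforcing TLS) does not lock everyone out.
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _actions_cover_all_s3(stmt.get("Action")):
            continue
        if not _resources_cover_bucket(stmt.get("Resource"), bucket):
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


# Constructed sample policies (not from the page); the role ARN is a placeholder.
LOCKOUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEveryone",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOneRole",
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-role"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
    }],
})

TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("lockout", LOCKOUT_POLICY), ("scoped", SCOPED_POLICY),
                      ("tls-only", TLS_ONLY_POLICY)]:
        print(name, find_lockout_statements(doc, "example"))
```

Run it directly to see the lockout policy reported and the other two pass. The Condition check matters in practice: a Deny on `"Principal": "*"` with `aws:SecureTransport` is a common, legitimate hardening pattern, and a naive check on Effect/Principal/Action alone would flag it.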
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0146 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_93 |