Glacier Vault access policy is public and not restricted to specific services or principals

Description

It is generally a best practice to restrict access to Amazon S3 Glacier vaults to only the specific services or principals that require access. This can help to reduce the risk of unauthorized access to the data stored in your vaults and protect against potential data breaches.

Code Example

resource "aws_glacier_vault" "my_archive1" {
  ...
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "*",
       +  "Effect": "Deny",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
    }
}

Remediation

Terraform

Resource: aws_glacier_vault
Arguments: Statement

Rule Details

Field	Value
ID	IAC-0216
Severity	MEDIUM
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV_AWS_167

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Glacier Vault access policy is public and not restricted to specific services or principals

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Glacier Vault access policy is public and not restricted to specific services or principals ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Glacier Vault access policy is public and not restricted to specific services or principals

Description

Code Example

Remediation

Rule Details

References