RhinoSecurityLabs / cloudgoat

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
BSD 3-Clause "New" or "Revised" License

Deployment issue for ec2_ssrf ("AccessControlListNotSupported: The bucket does not allow ACLs" message) #188

Closed Anomia2 closed 1 year ago

Anomia2 commented 1 year ago

The error below is received when creating the scenario for "ec2_ssrf".

```
╷
│ Error: error creating S3 bucket ACL for cg-secret-s3-bucket-ec2-ssrf-cgidf0w3an3ath: AccessControlListNotSupported: The bucket does not allow ACLs
│ 	status code: 400, request id: [requestid], host id: [host id]
│
│   with aws_s3_bucket_acl.secret-s3-bucket-acl,
│   on s3.tf line 30, in resource "aws_s3_bucket_acl" "secret-s3-bucket-acl":
│   30: resource "aws_s3_bucket_acl" "secret-s3-bucket-acl" {
│
╵

[cloudgoat] Error while running terraform apply. exit code: 1 stdout: None stderr: None
```

tzahiman commented 1 year ago

With help from the following Stack Overflow question: https://stackoverflow.com/questions/76049290/error-accesscontrollistnotsupported-when-trying-to-create-a-bucket-acl-in-aws

You need to add the following to the s3.tf file:

```hcl
resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
  bucket = aws_s3_bucket.cg-secret-s3-bucket.id
  rule {
    object_ownership = "ObjectWriter"
  }
}
```

Floodeen commented 1 year ago

@tzahiman , your answer is missing one key item, linking the initial statement to the new statement. In order to do this, one has to add the depends_on statement in the existing resource statement.

```hcl
depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
```

For completeness, here is a similar issue required for Cloud Breach S3 (note spacing is not retained in the posting)

```hcl
resource "aws_s3_bucket_acl" "cardholder-data-bucket-acl" {
  bucket     = aws_s3_bucket.cg-cardholder-data-bucket.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
}

resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
  bucket = aws_s3_bucket.cg-cardholder-data-bucket.id
  rule {
    object_ownership = "ObjectWriter"
  }
}
```

Anomia2 commented 1 year ago

@Floodeen this worked. Thank you!

I have the edited code below in case anyone else needs it.

```hcl
resource "aws_s3_bucket_acl" "secret-s3-bucket-acl" {
  bucket     = aws_s3_bucket.cg-secret-s3-bucket.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
}

resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
  bucket = aws_s3_bucket.cg-secret-s3-bucket.id
  rule {
    object_ownership = "ObjectWriter"
  }
}
```
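The following is an added, self-contained example of the fix described in this thread; it is not CloudGoat's own s3.tf and not code from any commenter. It puts the three resources the fix needs into one file in dependency order and explains why each is there. The root cause is that, since April 2023, AWS creates new S3 buckets with Object Ownership set to BucketOwnerEnforced, which disables bucket and object ACLs entirely, so an `aws_s3_bucket_acl` applied directly to such a bucket fails with `AccessControlListNotSupported`. An `aws_s3_bucket_ownership_controls` resource set to `ObjectWriter` re-enables ACLs, and because neither the ACL nor the ownership-controls resource references the other (both only reference the bucket), Terraform cannot infer the ordering and `depends_on` has to state it. The bucket name, region and provider version constraint below are placeholders.

```hcl
# Added example, not CloudGoat's s3.tf. Bucket name, region and the
# provider version constraint are placeholders; resource names follow
# the ones used in this issue.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # placeholder; the split aws_s3_bucket_acl resource exists from v4
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# 1. The bucket. A newly created bucket defaults to Object Ownership =
#    BucketOwnerEnforced, which rejects any ACL with
#    AccessControlListNotSupported. Note that in provider v4+ the inline
#    `acl` argument on aws_s3_bucket is deprecated; the ACL lives in its
#    own resource (step 3).
resource "aws_s3_bucket" "cg-secret-s3-bucket" {
  bucket = "cg-secret-s3-bucket-ec2-ssrf-PLACEHOLDER" # placeholder name
}

# 2. Re-enable ACLs on the bucket. "ObjectWriter" (or "BucketOwnerPreferred")
#    keeps ACLs enabled; "BucketOwnerEnforced" (the AWS default) would
#    reproduce the error reported in this issue.
resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
  bucket = aws_s3_bucket.cg-secret-s3-bucket.id
  rule {
    object_ownership = "ObjectWriter"
  }
}

# 3. Apply the ACL only after ownership controls exist. Both this resource
#    and the one above reference only the bucket, so Terraform sees no
#    ordering between them; depends_on makes the ordering explicit.
resource "aws_s3_bucket_acl" "secret-s3-bucket-acl" {
  bucket     = aws_s3_bucket.cg-secret-s3-bucket.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
}
```

After `terraform apply`, `aws s3api get-bucket-ownership-controls --bucket <bucket-name>` shows the `ObjectOwnership` rule that was applied; if it still reports `BucketOwnerEnforced`, the ownership-controls resource was not created before the ACL and the `depends_on` is missing or misnamed. Keep in mind that `ObjectWriter` is only appropriate here because this is a deliberately vulnerable lab scenario; for production buckets the AWS default of `BucketOwnerEnforced` with bucket policies instead of ACLs is the safer configuration.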

maddsec commented 1 year ago

Why isn't this added to master?

j0eblow commented 1 year ago

Hi all, thanks for bringing this to our attention. Please see this for an alternative fix and explanation.