AWS S3 Bucket Existence when working on Bucket Policies

[43976989]

Describe the issue Scenario: I want to ensure that all S3 buckets in our code base have bucket policies. It looks like this is directly possible with Checkov thanks to the graph framework, buit it's unclear how. AWS::S3::BucketPolicy is the Cfn resource to work with buckets - if there's no bucket policy this is entirely absent from a Cfn template though - for example:

{
    "Resources": {
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "Properties": {
                "BucketName": "DOC-EXAMPLE-BUCKET"
            }
        }
    }
}

At the same time the resource AWS::S3::Bucket doesn't have any data on if a bucket policy exists or not, or what it might contain, and there's no way I can see to map from Bucket to BucketPolicy (or vice-versa).

From reading it appears as though this is something that can be mapped through the Checkov graph, but documentation is unclear on how to do something like this, and I'm not having any luck in testing.

Any guidance here would be awesome, thanks!

Desktop (please complete the following information):

• OS: AL2
• Checkov Version [e.g. 22]: 2.3.198

Additional context

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html

[gruebel]

hey @43976989 thanks for reaching out.

here is an example

metadata:
  name: "Ensure every bucket has a bucket policy"
  id: "CKV2_CUSTOM_1"
  category: "GENERAL_SECURITY"
definition:
  and:
    - cond_type: filter
      attribute: resource_type
      operator: within
      value:
        - AWS::S3::Bucket
    - cond_type: connection
      resource_types:
        - AWS::S3::Bucket
      connected_resource_types:
        - AWS::S3::BucketPolicy
      operator: exists

[43976989]

Thanks! It's worth noting for anyone else who finds this that this only works if the Bucket Policy template has a reference to bucket, like so:

"BucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": { "Ref": "Bucket" },

Without that it failed in testing no matter what combo we used.

@gruebel am I right that there's currently no way to do this directly in Python? I'm basing that partly on testing, and partly on documentation - the Python Custom Policies page states "Python) support checking the state of a resource’s attributes", while for YAML it's "YAML support checking a resource’s connection state and the use of complex AND/OR logic".

[ferdzcruz]

I have the same difficulties. The checking only runs on bucket policy configuration. That if there are no policies to check, the creation of a bucket will get PASSED.

[gruebel]

hey @43976989 didn't see you message, but you are right on the example code and about Python policies not supporting connections between other resources.

hey @ferdzcruz not sure what you mean, if you don't attach a bucket policy and use the mentioned policy, then it will fail.

[ferdzcruz]

@gruebel thanks for checking. I am trying to create a custom policy that will ensure a bucket has a policy attached. for ex:

resource "aws_s3_bucket", "sample_bucket" { bucket = "sample-bucket" }

This should get FAILED.

[43976989]

@ferdzcruz you can't do it in Python at the moment - that's what my prior comment is referring to. It needs the YAML logic check, like so (pseudo code as I don't have a reference handy at the moment for the actual conditions):

and:
  - type: filter
    attribute: resource
    value: 
      - AWS::S3::Bucket
   - type: connection
     operand: exists
     resource:
      - AWS::S3::Bucket
     connected_resource:
     - AWS::S3::BucketPolicy

See https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html - there's a bit on Connection State Blocks, which is what you want.