Open dbbc96 opened 2 months ago
Thank you for sharing your feedback on this issue; it does appear that Checkov does not have a policy to check for this currently. Please feel free to create a Custom Check and share the information; you can also contribute your custom check for future consideration.
Describe the issue
I don't see any check that verifies that an explicit deny is added to the bucket policy of S3 to prevent HTTP connections.
Examples
This is a sample policy that AWS is looking to see to comply with AWS Config/SecurityHub.
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
Additional context
If there was another rule that covers that, then please let me know. Offhand I didn't see any rule for that.
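As an added example (not code from this issue or from Checkov itself), the core evaluation logic such a custom check needs: given a parsed bucket policy, decide whether some statement explicitly denies all S3 actions on the bucket and its objects for every principal when aws:SecureTransport is false. The function names and the sample policies are constructed here; wiring it into a Checkov BaseResourceCheck is left to the custom check.

```python
import json


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """Deny must apply to everyone: "*" or {"AWS": "*"}."""
    return principal == "*" or (
        isinstance(principal, dict) and _as_list(principal.get("AWS")) == ["*"]
    )


def statement_denies_insecure_transport(stmt, bucket_arn):
    """True if `stmt` denies every S3 action on the bucket AND its objects
    for any principal whenever the request is not made over TLS."""
    if stmt.get("Effect") != "Deny" or not _wildcard_principal(stmt.get("Principal")):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"s3:*", "*"}:
        return False
    resources = set(_as_list(stmt.get("Resource")))
    # Both the bucket ARN and the object ARN (bucket/*) must be covered.
    if "*" not in resources and not {bucket_arn, bucket_arn + "/*"} <= resources:
        return False
    # Condition keys are case-insensitive; the value may be "false" or false.
    bools = {k.lower(): v for k, v in stmt.get("Condition", {}).items()}.get("bool", {})
    secure = {k.lower(): v for k, v in bools.items()}.get("aws:securetransport")
    return secure is not None and str(secure).lower() == "false"


def policy_denies_insecure_transport(policy, bucket_arn):
    """Return True if any statement in the policy (JSON string or dict) qualifies."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(statement_denies_insecure_transport(s, bucket_arn)
               for s in _as_list(policy.get("Statement")))


# Constructed samples: the bucket name is a placeholder, not a real bucket.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Common mistake: only the bucket ARN is listed, so object requests over HTTP are not denied.
NON_COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARN,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```

Running `policy_denies_insecure_transport(COMPLIANT_POLICY, BUCKET_ARN)` returns True and the second sample returns False because it omits the object ARN.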