bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Missing check - S3 requiring SSL only connections #6156

Open dbbc96 opened 2 months ago

dbbc96 commented 2 months ago

Describe the issue: I don't see any check that is verifying that an explicit deny is added to the bucket policy of S3 to prevent HTTP connections.

Examples: This is a sample policy that AWS is looking to see to comply with AWS Config/Security Hub.

```json
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
```

Additional context: If there was another rule that covers that, then please let me know. Offhand I didn't see any rule for that.

itariq20 commented 2 months ago

Thank you for sharing your feedback on this issue. It does appear that Checkov does not have a Policy to check for this currently. Please feel free to create a Custom Check and share the information; you can also contribute your custom check for future consideration.
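A framework-independent version of the check the reply suggests writing, added here as an example (it is not Checkov's own code nor from anyone in this thread): it parses a bucket policy and reports whether some statement denies all S3 actions to every principal when aws:SecureTransport is false. Function names and the two sample policies are my own; the first sample mirrors the policy in the issue.

```python
import json

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def denies_insecure_transport(policy: dict) -> bool:
    """True if some statement denies all S3 actions for every principal
    when aws:SecureTransport is false, i.e. plain-HTTP requests are refused.
    Resource coverage is not checked; a complete check should also confirm
    the Deny covers both the bucket ARN and its objects (ARN/*)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        # The deny must cover every S3 action ...
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        # ... and every principal ("*" or {"AWS": "*"}).
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal_ok = "*" in _as_list(principal.get("AWS"))
        else:
            principal_ok = principal == "*"
        if not principal_ok:
            continue
        # Condition must key on Bool aws:SecureTransport == false (string or bool).
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if any(str(v).lower() == "false" for v in _as_list(flag)):
            return True
    return False

def check_policy_json(policy_json: str) -> bool:
    """Entry point for a policy held as a JSON string (as Terraform's
    aws_s3_bucket_policy.policy is); unparsable input fails the check."""
    try:
        return denies_insecure_transport(json.loads(policy_json))
    except (ValueError, AttributeError):
        return False

# Constructed sample policies (not real buckets).
SSL_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
# Same bucket with only an Allow statement: HTTP requests are never refused.
NO_CONDITION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}]})
```

To run it inside Checkov you would wrap it in a subclass of Checkov's BaseResourceCheck registered for the aws_s3_bucket_policy resource and call check_policy_json on the policy attribute from scan_resource_conf, returning CheckResult.PASSED or CheckResult.FAILED.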