search

prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.8k stars 1.54k forks source link

Add a new s3 check to verify if objects inside the bucket are public #3463

Open Fennerr opened 8 months ago

Fennerr commented 8 months ago

New feature motivation

The s3_bucket_public_access checks for public access at the bucket level, but objects inside of it might be public

Solution Proposed

Its not feasible to check every object in the bucket. My proposal is to use a function that will select a user-defined (via config options) number of random objects in the bucket, and check if they are public. What I am seeing on my current assessment is that there are buckets that arnt public, but every object in the buckets are public, so this check would catch this type of misconfig.

Risk is mitigated (when compared to a full-blown public bucket) as you cant simply list the objects in the bucket, as the bucket is not publicly accessible.

Here is some pseduo-code that could be modified and used

import boto3
import random

def list_and_randomly_select_s3_objects(bucket_name, number_of_objects=3):
    # Initialize a boto3 client
    s3 = boto3.client('s3')

    # Retrieve the list of objects in the bucket
    try:
        response = s3.list_objects_v2(Bucket=bucket_name)
        objects = response.get('Contents', [])

        # Check if the bucket is empty
        if not objects:
            print("The bucket is empty.")
            return []

        # Extract object keys
        object_keys = [obj['Key'] for obj in objects]

        # Randomly select the user-defined number of objects, default is 3
        selected_keys = random.sample(object_keys, min(len(object_keys), number_of_objects))

        print(f"Randomly selected object keys: {selected_keys}")
        return selected_keys
    except Exception as e:
        print(f"An error occurred: {e}")
        return []

# Example usage
bucket_name = 'your-bucket-name'
selected_objects = list_and_randomly_select_s3_objects(bucket_name, 3)  # You can change 3 to any number you prefer

Describe alternatives you've considered

None

Additional context

No response

Fennerr commented 8 months ago

I imagine that the "list_and_randomly_select_s3_objects" method would be implemented on the s3_client, and then used in the check

ChaitanyaYeole02 commented 3 months ago

@jfagoagas I am interested work on this issue. Can you please assign it to me?

jfagoagas commented 3 months ago

Hello @ChaitanyaYeole02, for sure that you can work on this. I think first we'd need to:

What do you think? If we do this analysis first we can get to a better and quicker solution. It'd be great if this analysis is first shared and discussed within this issue since it could help / attract other users and also provide more visibility about the current status.

abant07 commented 3 months ago

Hey @jfagoagas @ChaitanyaYeole02 is this something I can work on, if you haven't already started working on it.

Thanks!

ChaitanyaYeole02 commented 3 months ago

Hello @abant07 , I am working on this issue already.