Hello,
we use Control Tower for Customizations (https://github.com/aws-solutions/aws-control-tower-customizations) and the deployment currently fails in the build step of the cfct-pipeline, because of cfn_nag, due to it recognizing it as a fail and not a warning. It does not let us implement a bucket policy with "*" principal, even when additionally secured by using conditions.
Example:
FAIL F16 - S3 Bucket policy should not allow * principal
Thanks in advance,
Heiko

EDIT: Will test the linter exclusion-workaround for the resource listed in your readme
EDIT2: Workaround works.
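
A per-resource F16 suppression using cfn_nag's `rules_to_suppress` metadata, as an added example that is not part of the original post; it assumes this is the exclusion workaround the edits refer to. The resource names, the `aws:PrincipalOrgID` condition and the organization ID are constructed placeholders.

```yaml
# Constructed template fragment for illustration; not taken from the post.
Resources:
  SharedBucket:
    Type: AWS::S3::Bucket

  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          # Suppress only F16, and only on this one resource.
          - id: F16
            reason: "Wildcard principal is limited to our AWS Organization by the aws:PrincipalOrgID condition"
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowOrgReadOnly
            Effect: Allow
            Principal: "*"            # this is what triggers F16
            Action: s3:GetObject
            Resource: !Sub "${SharedBucket.Arn}/*"
            Condition:
              StringEquals:
                # Placeholder organization ID; the condition is what
                # actually restricts who "*" can be.
                aws:PrincipalOrgID: o-EXAMPLE12345
```

Because the suppression lives in the resource's own `Metadata`, F16 still fails the build for any other bucket policy in the template that uses a `*` principal, and the `reason` string gives reviewers the justification next to the policy it covers.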