Specify the principal for S3 buckets
ID: terraform-aws/aws-s3-no-principal
Language: Terraform
Severity: Warning
Category: Security
Description
This rule pertains to the specification of principals in the policy of S3 buckets in AWS. The principal is a crucial aspect of any AWS policy as it defines who is allowed to access the resource, in this case, the S3 bucket. It is important because specifying a broad principal such as ‘*’ opens the bucket to access from any AWS account, which can be a serious security risk.
Non-compliance with this rule can lead to unauthorized access to your S3 buckets and potential data breaches. You should always specify a principal that is as narrow as possible to limit access to only those entities that absolutely need it.
To adhere to this rule, specify a concrete Amazon Resource Name (ARN) instead of the wildcard ("*"). This way, you grant access only to the specified AWS account or user. For instance, instead of Principal = { AWS = "*" }, use Principal = { AWS = ["arn:aws:iam::something:user"] }. This helps you maintain the security of your AWS resources while ensuring that only authorized entities have access.
Non-Compliant Code Examples
resource "aws_s3_bucket_policy" "mypolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id      = "something"
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = "*"
      }
      Action = [
        "s3:PutObject"
      ]
      Resource = "${aws_s3_bucket.mybucket.arn}/*"
    }]
  })
}
Compliant Code Examples
resource "aws_s3_bucket_policy" "mypolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id      = "something"
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = [
          "arn:aws:iam::something:user"
        ]
      }
      Action = [
        "s3:PutObject"
      ]
      Resource = "${aws_s3_bucket.mybucket.arn}/*"
    }]
  })
}
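As an added example (not part of the rule page or the analyzer), the check below applies the same test to the JSON that `jsonencode(...)` renders for a bucket policy: it flags Allow statements whose principal is "*", whether written as a bare string, as AWS = "*", or as a list containing "*". The two sample policies and the bucket ARN are constructed.

```python
import json

# Constructed samples mirroring the page's examples; the bucket ARN is a placeholder.
NON_COMPLIANT = json.dumps({
    "Id": "something",
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

COMPLIANT = json.dumps({
    "Id": "something",
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::something:user"]},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def principal_is_wildcard(principal) -> bool:
    """True if the Principal element grants access to any AWS account."""
    if principal == "*":                      # "Principal": "*"
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return any(p == "*" for p in aws)     # "AWS": "*" or a list holding "*"
    return False


def find_wildcard_principals(policy_json: str) -> list:
    """Return the indices of Allow statements whose principal is a wildcard."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    return [
        i for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow"
        and principal_is_wildcard(stmt.get("Principal"))
    ]
```

Run it against the rendered policy of an aws_s3_bucket_policy resource (for example from a plan output) to get the same finding this rule reports.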