- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: terraform-aws/aws-s3-no-principal
Language: Terraform
Severity: Warning
Category: Security
This rule pertains to the specification of principals in the policy of S3 buckets in AWS. The principal is a crucial aspect of any AWS policy as it defines who is allowed to access the resource, in this case, the S3 bucket. It is important because specifying a broad principal such as ‘*’ opens the bucket to access from any AWS account, which can be a serious security risk.
Non-compliance with this rule can lead to unauthorized access to your S3 buckets and potential data breaches. You should always specify a principal that is as narrow as possible to limit access to only those entities that absolutely need it.
To adhere to this rule, ensure that you specify a specific AWS Amazon Resource Name (ARN) instead of using a wildcard (’*’). This way, you grant access only to the specified AWS account or user. For instance, instead of Principal = { AWS = "*" }
, use Principal = { AWS = ["arn:aws:iam::something:user"] }
. This helps you maintain the security of your AWS resources while ensuring that only authorized entities have access.
resource "aws_s3_bucket_policy" "mypolicy" {
bucket = aws_s3_bucket.mybucket.id
policy = jsonencode({
Id = "something"
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = {
AWS = "*"
}
Action = [
"s3:PutObject"
]
Resource: "${aws_s3_bucket.mybucket.arn}/*"
}
]
})
}
resource "aws_s3_bucket_policy" "mypolicy" {
bucket = aws_s3_bucket.mybucket.id
policy = jsonencode({
Id = "something"
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::something:user"
]
}
Action = [
"s3:PutObject"
]
Resource: "${aws_s3_bucket.mybucket.arn}/*"
}
]
})
}