Cost & Compliance S3 Rule Fixes

Published 28 May 2021


Stax has updated a series of rules detecting publicly open S3 buckets to improve the logic around checking for permissions.

Previously, the given rules would require explicit matches of a policy with either the action of s3:GetObject or s3:PutObject, meaning policies which allowed s3:*, or an array of actions, wouldn't be considered correctly for the purposes of compliance.

This potentially resulted in false negatives for the affected rules, whereby a bucket wouldn't be considered to be publicly open when it had a directly attached policy, and a previously-invalid policy. This does not affect reporting for buckets where public access block was enabled, or where global grants were given.

The list of affected rules is as follows:

  • S3 allows action to any principal in Organization Rules
  • S3 Buckets should not be Publicly Open for Writes in Organization Rules
  • S3 Buckets should not be Publicly Open for Reads in Organization Rules
  • S3 Buckets should not be Publicly Open for Writes in S3 Best Practices, versions 1.0 and 1.1
  • S3 Buckets should not be Publicly Open for Reads in S3 Best Practices, versions 1.0 and 1.1

Below is an example policy that would previously incorrectly pass these rules, but now will fail appropriately:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToMyBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::hello-world-this-is-a-bucket/*",
        }
    ]
}

If you see previously existing buckets now showing as noncompliant, it is possible that they were previously ignored by this edge case. For any questions around this change, or if you need assistance understand how the change applies to your buckets, please raise a support case.


Back to changelog