
Authorizing HTTP communications with S3 buckets is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Message: Make sure authorizing HTTP requests is safe here.
    • Default Severity: Critical
    • Impact: High
    • Likelihood: Low
    • Default Quality Profiles: Sonar way
    • Remediation Function: Constant/Issue
    • Constant Cost: 10min
    • Analysis Level: Syntactic Analysis
    • Analysis Scope: Main Sources
    • CIS: 2.1.12
    • CWE: CWE-319
    • OWASP: A3, A6
    • PCI DSS: 4.1

      Description

      By default, S3 buckets can be accessed over both HTTP and HTTPS.
      Only HTTPS encrypts the network traffic, so only HTTPS protects the data from being read or altered in transit.

      Ask Yourself Whether

      • The S3 bucket stores sensitive information.
      • The infrastructure needs to comply with regulations such as HIPAA or PCI DSS, or with other standards.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      It's recommended to deny all HTTP requests:

      • for all objects (*) of the bucket
      • for all principals (*)
      • for all actions (*)
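      The following script is an added example, not code from the rule page or from SonarSource. It builds the bucket policy the recommendation describes (one Deny statement for all principals, all actions and all objects of the bucket) and then evaluates sample requests against it, so the effect of the policy on HTTP versus HTTPS traffic can be checked before it is deployed. It relies on the AWS IAM condition key aws:SecureTransport, which is "true" only for requests made over TLS; the bucket name and the probe requests are constructed placeholders. It goes slightly beyond the bullet list above by also listing the bucket ARN itself, so that bucket-level actions such as listing are refused over HTTP as well, not only object access.

```python
"""Bucket policy that denies every HTTP (non-TLS) request to an S3 bucket.

Added example, not code from the rule page. It relies on the AWS IAM
condition key aws:SecureTransport, which is "true" only for requests made
over TLS; the bucket name is a constructed placeholder.
"""
import fnmatch
import json

BUCKET = "example-bucket"  # constructed placeholder


def deny_insecure_transport_policy(bucket: str) -> dict:
    """Policy with one Deny statement that applies to all principals (*),
    all actions (*) and all objects (*) of the bucket when the request did
    not use TLS. The bucket ARN itself is listed too so that bucket-level
    actions such as listing are also refused over HTTP."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                # Condition values are strings, not JSON booleans.
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str, tls: bool) -> bool:
    """Does this statement apply to the given request? Only the pieces
    needed here are modelled: an anonymous '*' principal, wildcard Action
    and Resource matching, and a Bool aws:SecureTransport condition."""
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    if "aws:SecureTransport" in bool_cond:
        wanted_tls = str(bool_cond["aws:SecureTransport"]).lower() == "true"
        if wanted_tls != tls:
            return False
    return True


def request_denied(policy: dict, action: str, resource: str, tls: bool) -> bool:
    """True when an explicit Deny statement in the policy matches the request."""
    return any(
        stmt.get("Effect") == "Deny" and _statement_matches(stmt, action, resource, tls)
        for stmt in policy.get("Statement", [])
    )


def http_is_fully_denied(policy: dict, bucket: str) -> bool:
    """Check the rule's recommendation with a few constructed probe requests:
    object reads, object writes and bucket listing must all be denied when
    aws:SecureTransport is false."""
    probes = [
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/reports/q1.csv"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/uploads/new.bin"),
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
    ]
    return all(request_denied(policy, act, res, tls=False) for act, res in probes)


if __name__ == "__main__":
    policy = deny_insecure_transport_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    print("HTTP  GetObject denied:", request_denied(policy, "s3:GetObject", obj, tls=False))
    print("HTTPS GetObject denied:", request_denied(policy, "s3:GetObject", obj, tls=True))
    print("HTTP fully denied:", http_is_fully_denied(policy, BUCKET))
```

A common mistake is to list only the object ARN (`bucket/*`): listing the bucket over plain HTTP is then still possible, and http_is_fully_denied reports it because the ListBucket probe is not denied. The evaluator is deliberately minimal (it does not model Allow statements, NotAction, or other condition operators); the real check of a deployed policy is the account's own IAM policy simulator or an actual request over http://.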

      See

        Attachments

        1. CloudFormation RSPEC-6250 Language-Specification Active Unassigned
        2. Terraform RSPEC-6251 Language-Specification Active Unassigned


            People

            Assignee: Unassigned
            Reporter: eric.therond (Eric Therond)
            Votes: 0
            Watchers: 1
