giovanaa
(Giovana Sant Anna de Assis)
March 3, 2022, 5:06pm
I’m facing a problem with "Authorizing HTTP communications with S3 buckets is security-sensitive" (CloudFormation static code analysis: Authorizing HTTP communications with S3 buckets is security-sensitive) using version 9.3.0 of SonarQube.
Even though I’m using Sonar's suggestion to fix the code, it still reports the S3 Bucket error (Authorizing HTTP communications with S3 buckets).
Hello @giovanaa , welcome to the community and thanks for reporting the problem.
The policy in your code example looks correct. Could you attach a text version of the code example to this thread so that I can have a closer look?
Thank you.
giovanaa
(Giovana Sant Anna de Assis)
March 4, 2022, 4:41pm
Hey @Pierre-Loup_Tristant, thank you for your help and answer. I’m sending you the whole CloudFormation template so you can take a closer look.
I couldn’t upload the file, so I’m writing it here:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: "bucket-test"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Principal:
            AWS: "*" # all principals should use https
          Action: "*" # for any actions
          Resource: arn:aws:s3:::bucket-test/* # for any resources
          Condition:
            Bool:
              "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket
```
ganncamp
(G Ann Campbell)
March 4, 2022, 4:45pm
Hi @giovanaa,
Can you copy/paste the file contents?
Ann
giovanaa
(Giovana Sant Anna de Assis)
March 4, 2022, 4:47pm
Sure, here it is. Thank you!
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: "bucket-test"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Principal:
            AWS: "*" # all principals should use https
          Action: "*" # for any actions
          Resource: arn:aws:s3:::bucket-test/* # for any resources
          Condition:
            Bool:
              "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket
```
Hi @giovanaa,
Apparently, the CloudFormation file is not correctly formatted here: `Type` and `Properties` should be defined inside the `S3BucketPolicy` resource. Here they are defined at the `Resources` level.
No issue is raised when I fix the format.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"   # Type and Properties now nested inside the S3BucketPolicy resource
    Properties:
      Bucket: "bucket-test"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*" # all principals should use https
            Action: "*" # for any actions
            Resource: arn:aws:s3:::bucket-test/* # for any resources
            Condition:
              Bool:
                "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket
```
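As an added example that is not part of this thread or of SonarQube's own code: a minimal Python check in the spirit of the rule, run over two inline templates, one nested correctly and one with `Type` and `Properties` at the `Resources` level as in the original post. The template dicts are constructed here (the JSON form of the thread's YAML, reduced to the bucket and its policy).

```python
# Added example, not SonarQube's own code: a minimal version of the check behind
# "Authorizing HTTP communications with S3 buckets is security-sensitive", run over
# CloudFormation templates built inline as dicts (the JSON form of the thread's YAML).
def denies_insecure_transport(policy_doc):
    """True if a statement denies all principals any action when aws:SecureTransport is false."""
    for st in policy_doc.get("Statement", []):
        principal = st.get("Principal")
        actions = st.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        transport = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny"
                and (principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"))
                and any(a in ("*", "s3:*") for a in actions)
                and transport in (False, "false")):  # YAML may yield a bool or a string
            return True
    return False

def buckets_allowing_http(template):
    """Logical IDs of AWS::S3::Bucket resources with no attached HTTPS-only policy. A policy
    counts only as a real AWS::S3::BucketPolicy resource naming the bucket (BucketName or Ref)."""
    res = template.get("Resources", {})
    is_type = lambda r, t: isinstance(r, dict) and r.get("Type") == t
    protected = set()
    for r in res.values():
        if not is_type(r, "AWS::S3::BucketPolicy"):
            continue
        props = r.get("Properties", {})
        if not denies_insecure_transport(props.get("PolicyDocument", {})):
            continue
        target = props.get("Bucket")
        if isinstance(target, dict) and "Ref" in target:
            protected.add(target["Ref"])
        else:
            protected.update(lid for lid, b in res.items() if is_type(b, "AWS::S3::Bucket")
                             and b.get("Properties", {}).get("BucketName") == target)
    return sorted(lid for lid, b in res.items()
                  if is_type(b, "AWS::S3::Bucket") and lid not in protected)

# Constructed sample data mirroring the thread's policy and bucket.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*", "Resource": "arn:aws:s3:::bucket-test/*",
    "Condition": {"Bool": {"aws:SecureTransport": False}}}]}
BUCKET = {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "bucket-test"}}
POLICY_PROPS = {"Bucket": "bucket-test", "PolicyDocument": POLICY}
# Correctly nested: Type and Properties live inside the S3BucketPolicy resource.
GOOD = {"Resources": {"S3Bucket": BUCKET, "S3BucketPolicy": {"Type": "AWS::S3::BucketPolicy",
                                                            "Properties": POLICY_PROPS}}}
# Mis-indented as in the original post: S3BucketPolicy is empty, Type/Properties sit at Resources level.
BAD = {"Resources": {"S3Bucket": BUCKET, "S3BucketPolicy": None,
                     "Type": "AWS::S3::BucketPolicy", "Properties": POLICY_PROPS}}
```

`buckets_allowing_http(GOOD)` returns an empty list, while `buckets_allowing_http(BAD)` returns `["S3Bucket"]`, which is the bucket the rule flags when the policy is not actually attached.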
giovanaa
(Giovana Sant Anna de Assis)
March 7, 2022, 1:37pm
@Pierre-Loup_Tristant I don’t have words to say thank you. It worked perfectly here.
Thank you again.
Regards,
Giovana.
system
(system)
Closed
March 14, 2022, 1:37pm
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.