[Cloudformation] Sonar still complains about 'Authorizing HTTP communications with S3 Bucket' after fix

I’m facing a problem with the rule “Authorizing HTTP communications with S3 buckets is security-sensitive” (CloudFormation static code analysis: Authorizing HTTP communications with S3 buckets is security-sensitive) using version 9.3.0 of SonarQube.

Even though I’m using Sonar’s suggestion to fix the code, the S3 Bucket error (Authorizing HTTP communications with S3 buckets) persists.

Hello @giovanaa, welcome to the community and thanks for reporting the problem.

The policy in your code example looks correct. Could you attach a text version of the code example to this thread so that I can have a closer look?

Thank you.

Hey @Pierre-Loup_Tristant, thank you for your help and answer. I’m sending you the whole CloudFormation template so you can take a closer look.
I couldn’t upload the file, so I’ve written it here:

AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: "bucket-test"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Principal:
            AWS: "*" # all principals should use https
          Action: "*" # for any actions
          Resource: arn:aws:s3:::bucket-test/* # for any resources
          Condition:
            Bool:
              "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket

Hi @giovanaa,

Can you copy/paste the file contents?

:slight_smile:
Ann

Sure, here it is :slight_smile: Thank you!

AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: "bucket-test"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Deny
          Principal:
            AWS: "*" # all principals should use https
          Action: "*" # for any actions
          Resource: arn:aws:s3:::bucket-test/* # for any resources
          Condition:
            Bool:
              "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket

Hi @giovanaa,

Apparently, the CloudFormation file is not correctly formatted here:

Type and Properties should be defined inside the S3BucketPolicy resource. Here they are defined at the Resources level.

No issue is raised when I fix the format.

AWSTemplateFormatVersion: 2010-09-09
Description: AWS Cloudformation that creates a bucket to store Terraform tfstate files
Mappings:
  General:
    AppName:
      Value: bucket-test
Resources:
  TerraformBucket:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: "bucket-test"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private
      Tags:
        - Key: AppName
          Value: !FindInMap [General, AppName, Value]
  S3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: "bucket-test"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*" # all principals should use https
            Action: "*" # for any actions
            Resource: arn:aws:s3:::bucket-test/* # for any resources
            Condition:
              Bool:
                "aws:SecureTransport": false
Outputs:
  BuckerArn:
    Description: ARN of Terraform backend bucket.
    Value: !Ref TerraformBucket
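To see why the mis-indented template was flagged, here is an added example (my own code, not SonarQube's implementation) of a minimal check that mirrors the rule: a bucket counts as protected only when a typed AWS::S3::BucketPolicy resource denies requests whose aws:SecureTransport condition is false. The two template dicts are constructed to match what a YAML parser produces from the thread's mis-indented and corrected versions of S3BucketPolicy.

```python
# Added example, not SonarQube's own code: a bucket is protected only when an
# AWS::S3::BucketPolicy resource denies requests with aws:SecureTransport false.

def _bucket_ref(value):
    """Return the logical ID or literal name the policy's Bucket field points at."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value

def _denies_insecure_transport(policy_doc):
    """True if some Deny statement carries Condition Bool aws:SecureTransport false."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):       # a single statement need not be a list
        statements = [statements]
    for st in statements:
        value = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and str(value).lower() == "false":
            return True
    return False

def buckets_allowing_http(template):
    """Logical IDs of AWS::S3::Bucket resources lacking an insecure-transport Deny."""
    resources = template.get("Resources", {})
    protected = set()
    for res in resources.values():
        # A resource with no Type (e.g. the mis-indented S3BucketPolicy) is ignored,
        # exactly as a static analyser would ignore it.
        if not isinstance(res, dict) or res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        if _denies_insecure_transport(props.get("PolicyDocument", {})):
            protected.add(_bucket_ref(props.get("Bucket")))
    return [lid for lid, res in resources.items()
            if isinstance(res, dict) and res.get("Type") == "AWS::S3::Bucket"
            and lid not in protected
            and res.get("Properties", {}).get("BucketName") not in protected]

# Constructed inputs: the dicts a YAML parser yields for the thread's two templates.
POLICY_PROPS = {"Bucket": "bucket-test", "PolicyDocument": {"Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
     "Resource": "arn:aws:s3:::bucket-test/*",
     "Condition": {"Bool": {"aws:SecureTransport": False}}}]}}
BUCKET = {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "bucket-test"}}
# Type/Properties indented at the Resources level: S3BucketPolicy parses to null.
MISINDENTED = {"Resources": {"S3Bucket": BUCKET, "S3BucketPolicy": None,
               "Type": "AWS::S3::BucketPolicy", "Properties": POLICY_PROPS}}
# Type/Properties nested under S3BucketPolicy, as in the corrected template.
CORRECTED = {"Resources": {"S3Bucket": BUCKET, "S3BucketPolicy": {
    "Type": "AWS::S3::BucketPolicy", "Properties": POLICY_PROPS}}}
```

Running `buckets_allowing_http` on both dicts flags S3Bucket in the mis-indented template and nothing in the corrected one, which is the behaviour the thread observed.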

@Pierre-Loup_Tristant I don’t have words to say thank you. It worked perfectly here.

Thank you again.

Regards,
Giovana.
