aws_s3_bucket
Use the aws_s3_bucket
InSpec audit resource to test properties of a single AWS bucket.
Syntax
An aws_s3_bucket
resource block declares a bucket by name, and then lists tests to be performed.
describe aws_s3_bucket(bucket_name: 'test_bucket') do
it { should exist }
it { should_not be_public }
end
describe aws_s3_bucket('test_bucket') do
it { should exist }
end
Parameters
bucket_name (required)
This resource accepts a single parameter, the S3 Bucket Name which uniquely identifies the bucket.
This can be passed either as a string or as a bucket_name: 'value'
key-value entry in a hash.
See also the AWS documentation on S3 Buckets.
Properties
Property | Description |
---|---|
region | The region of the bucket. Region is overridden based on the location returned from S3 |
bucket_acl | An array of AWS Grants detailing permission grants on the bucket. |
bucket_policy | The IAM policy document controlling access to the bucket. |
tags | An hash with each key-value pair corresponding to a tag associated with the entity |
Examples
Test the bucket-level ACL
describe aws_s3_bucket('test_bucket') do
its('bucket_acl.count') { should eq 1 }
end
Check if a bucket has a bucket policy
describe aws_s3_bucket('test_bucket') do
its('bucket_policy') { should be_empty }
end
Check if a bucket appears to be exposed to the public
describe aws_s3_bucket('test_bucket') do
it { should_not be_public }
end
Check if the correct region is set
describe aws_s3_bucket('test_bucket') do
its('region') { should eq 'us-east-1' }
end
Check bucket’s ACL for correct grants
bucket_acl = aws_s3_bucket('my-bucket').bucket_acl
# Look for grants to "AllUsers" (that is, the public)
all_users_grants = bucket_acl.select do |g|
g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
end
# Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
auth_grants = bucket_acl.select do |g|
g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
end
Test all buckets
aws_s3_buckets.bucket_names.each do |bucket_name|
describe aws_s3_bucket(bucket_name) do
it { should have_default_encryption_enabled }
end
end
Test buckets in a specific region
aws_s3_buckets.bucket_names.each do |bucket_name|
if aws_s3_bucket(bucket_name: bucket_name).region == region
describe aws_s3_bucket(bucket_name) do
it { should have_default_encryption_enabled }
end
end
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.
be_public
The be_public
matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
- A bucket ACL grant exists for the ‘AllUsers’ group
- A bucket ACL grant exists for the ‘AuthenticatedUsers’ group
- A bucket policy has an effect ‘Allow’ and principal ‘*’
Note: This resource does not detect insecure object ACLs.
it { should_not be_public }
have_access_logging_enabled
The have_access_logging_enabled
matcher tests if access logging is enabled for the s3 bucket.
it { should have_access_logging_enabled }
have_default_encryption_enabled
The have_default_encryption_enabled
matcher tests if default encryption is enabled for the s3 bucket.
it { should have_default_encryption_enabled }
have_versioning_enabled
The have_versioning_enabled
matcher tests if versioning is enabled for the s3 bucket.
it { should haveversioningenabled }
AWS Permissions
Your Principal will need the s3:GetBucketAcl
, s3:GetBucketLocation
, s3:GetBucketLogging
, s3:GetBucketPolicy
, and s3:GetEncryptionConfiguration
actions set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon S3.