Add a new s3 check to verify if objects inside the bucket are public #3463
Comments
I imagine that the "list_and_randomly_select_s3_objects" method would be implemented on the s3_client, and then used in the check.
@jfagoagas I am interested in working on this issue. Can you please assign it to me?
Hello @ChaitanyaYeole02, for sure you can work on this. I think first we'd need to:
What do you think? If we do this analysis first we can get to a better and quicker solution. It'd be great if this analysis is first shared and discussed within this issue since it could help / attract other users and also provide more visibility about the current status.
Hey @jfagoagas @ChaitanyaYeole02, is this something I can work on, if you haven't already started working on it? Thanks!
Hello @abant07,
New feature motivation
The s3_bucket_public_access check looks for public access at the bucket level, but objects inside of it might be public.
Solution Proposed
It's not feasible to check every object in the bucket. My proposal is to use a function that will select a user-defined (via config options) number of random objects in the bucket, and check if they are public. What I am seeing on my current assessment is that there are buckets that aren't public, but every object in the buckets is public, so this check would catch this type of misconfig.
Risk is mitigated (when compared to a full-blown public bucket) as you can't simply list the objects in the bucket, as the bucket is not publicly accessible.
Here is some pseudo-code that could be modified and used
Describe alternatives you've considered
None
Additional context
No response
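The sampling idea proposed in this issue, as an added example that is not taken from the issue or from Prowler's code base: it draws a fixed-size random sample from an object listing with reservoir sampling (a technique chosen here so the full listing never has to be held in memory) and flags sampled objects whose ACL grants access to the `AllUsers` or `AuthenticatedUsers` group. The function names, the injected `get_acl` callable and the sample ACLs are assumptions constructed for illustration.

```python
import random

# Predefined S3 ACL groups; a grant to either one makes the object public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def reservoir_sample(keys, k, rng):
    """Pick up to k keys uniformly at random from a stream of unknown length."""
    sample = []
    for i, key in enumerate(keys):
        if i < k:
            sample.append(key)
        else:
            j = rng.randint(0, i)  # inclusive bounds
            if j < k:
                sample[j] = key
    return sample

def public_grants(acl):
    """Return the permissions an object ACL grants to a public group."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]

def find_public_objects(keys, get_acl, sample_size, seed=None):
    """Sample keys and map each publicly granted key to its permissions."""
    rng = random.Random(seed)
    findings = {}
    for key in reservoir_sample(keys, sample_size, rng):
        perms = public_grants(get_acl(key))
        if perms:
            findings[key] = perms
    return findings

# Constructed sample ACLs in the shape boto3's get_object_acl returns.
# Assumed live wiring: get_acl = lambda k: s3.get_object_acl(Bucket=bucket, Key=k)
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
PUBLIC_ACL = {"Grants": [OWNER, {"Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
SAMPLE_ACLS = {f"reports/{n}.pdf": PRIVATE_ACL for n in range(8)}
SAMPLE_ACLS.update({"img/logo.png": PUBLIC_ACL, "img/banner.png": PUBLIC_ACL})
print(find_public_objects(SAMPLE_ACLS, SAMPLE_ACLS.__getitem__, 5, seed=1))
```

A sample can only show that public objects exist; an empty result does not show that every object in the bucket is private.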