Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

Open
HeikoMR opened this issue Mar 7, 2024 · 0 comments
Open

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

HeikoMR opened this issue Mar 7, 2024 · 0 comments

Comments

@HeikoMR
Copy link

HeikoMR commented Mar 7, 2024

Hello,

we use Control Tower for Customizations (https://github.com/aws-solutions/aws-control-tower-customizations) and the deployment currently fails in the buildstep of the cfct-pipeline, because of cfn_nag duo to it recognizing it as a fail and not a warning.
It does not let us implement a bucket policy with "*" principal, even when additionally secured by using conditions.

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        }
    ]
}

FAIL F16 - S3 Bucket policy should not allow * principal

Thanks in advance
Heiko

EDIT: Will test the linter exclusion-workaround for the resource listed in your readme
EDIT2: Workaround works.

@HeikoMR HeikoMR changed the title FAIL F16 - S3 Bucket policy should not allow * principal Issue: FAIL F16 - S3 Bucket policy should not allow * principal Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant