fix check extra 764

(cherry picked from commit 0db690ad5fa26c0157f6f40ea651495bdd9e9715)
2026-02-10 14:55:00 +00:00 · 2020-01-29 12:51:36 +02:00
parent 24780b4caa
commit 029c330ed1
1 changed files with 20 additions and 16 deletions
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -24,25 +24,29 @@ extra764(){

      # get bucket policy
      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_STP_POLICY_FILE 2>&1
-      if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
-        textFail "Access Denied Trying to Get Bucket Policy for $bucket"
-        rm -f $TEMP_STP_POLICY_FILE
-        continue
-      fi
-      if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
-        textFail "No bucket policy for $bucket"
-        rm -f $TEMP_STP_POLICY_FILE
-        continue
-      fi
+      cat $TEMP_STP_POLICY_FILE
+      cat $bucket
+#      if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
+#        textFail "Access Denied Trying to Get Bucket Policy for $bucket"
+#        rm -f $TEMP_STP_POLICY_FILE
+#        continue
+#      fi
+#      if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
+#        textFail "No bucket policy for $bucket"
+#        rm -f $TEMP_STP_POLICY_FILE
+#        continue
+#      fi

      # https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
-      CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}" '.Statement[]|select(((.Principal|type == "string") and .Principal == "*") and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
-      if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
-        textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport"
-      else
-        textFail "Bucket $bucket allows requests over insecure transport"
+      # checking if $TEMP_STP_POLICY_FILE is a valid json before converting it to json with jq
+      if jq -e . >/dev/null 2>&1 <<< "$TEMP_STP_POLICY_FILE"; then
+        CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}" '.Statement[]|select(((.Principal|type == "string") and .Principal == "*") and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
+        if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
+          textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport"
+        else
+          textFail "Bucket $bucket allows requests over insecure transport"
+        fi
      fi
-
      rm -fr $TEMP_STP_POLICY_FILE
    done