Merge pull request #484 from bridgecrewio/bugfix/public_bucket_policy_check_for_conditions

Add conditions check for extra771
This commit is contained in:
Toni de la Fuente
2020-02-19 18:08:02 +01:00
committed by GitHub


@@ -24,7 +24,7 @@ extra771(){
if [[ $BUCKET_POLICY_STATEMENTS == *GetBucketPolicy* ]]; then
textInfo "Bucket policy does not exist for bucket $bucket"
else
BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")))')
BUCKET_POLICY_BAD_STATEMENTS=$(echo $BUCKET_POLICY_STATEMENTS | jq --arg arn "arn:aws:s3:::$bucket" 'fromjson | .Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and (.Action|startswith("s3:Put") or startswith("s3:*")) and .Condition == null)')
if [[ $BUCKET_POLICY_BAD_STATEMENTS != "" ]]; then
textFail "Bucket $bucket allows public write: $BUCKET_POLICY_BAD_STATEMENTS"
else
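Review bot: `.Condition == null` on the new jq line treats every statement that carries a Condition block as not public, but a condition does not necessarily narrow the principal (one keyed only on `aws:SecureTransport`, for instance, still lets any anonymous caller write), so those statements now drop silently into the pass branch. Rather than discarding them, I would select them separately with `… and .Condition != null` into a second variable and surface them with `textInfo "Bucket $bucket allows public write subject to conditions: $BUCKET_POLICY_COND_STATEMENTS"` so the reviewer sees what was excluded. The same filter also applies `startswith` directly to `.Action`, which is a list in many bucket policies and makes jq error out, leaving the variable empty and the bucket reported clean; `any(.Action | if type == "array" then .[] else . end; startswith("s3:Put") or startswith("s3:*"))` handles both forms. Minor: `--arg arn` is never referenced in the filter, and `echo $BUCKET_POLICY_STATEMENTS` should be quoted to avoid word-splitting and globbing of the JSON. extra771 starts before and continues past this hunk.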