From 9055dbafe3eafcb3c49f625ba59805f42f4b6290 Mon Sep 17 00:00:00 2001
From: Chris Farris
Date: Fri, 11 Aug 2023 19:46:24 -0400
Subject: [PATCH] fix(s3_bucket_policy_public_write_access): look at account and bucket-level public access block settings (#2715)

---
 .../s3_bucket_policy_public_write_access.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
index 550ac141..fab73e76 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
@@ -1,5 +1,6 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.s3.s3_client import s3_client
+from prowler.providers.aws.services.s3.s3control_client import s3control_client
 
 
 class s3_bucket_policy_public_write_access(Check):
@@ -17,6 +18,22 @@ class s3_bucket_policy_public_write_access(Check):
                 report.status_extended = (
                     f"S3 Bucket {bucket.name} does not have a bucket policy."
                 )
+            elif (
+                s3control_client.account_public_access_block
+                and s3control_client.account_public_access_block.restrict_public_buckets
+            ):
+                report.status = "PASS"
+                report.status_extended = (
+                    "All S3 public access blocked at account level."
+                )
+            elif (
+                bucket.public_access_block
+                and bucket.public_access_block.restrict_public_buckets
+            ):
+                report.status = "PASS"
+                report.status_extended = (
+                    f"S3 public access blocked at bucket level for {bucket.name}."
+                )
             else:
                 report.status = "PASS"
                 report.status_extended = f"S3 Bucket {bucket.name} does not allow public write access in the bucket policy."
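Review bot: The account-level PASS message `"All S3 public access blocked at account level."` is the only status_extended in this branch chain that does not name the bucket, even though the report is emitted once per bucket and findings are usually read outside the loop; `f"S3 Bucket {bucket.name} is covered by the account-level public access block (RestrictPublicBuckets)."` would keep it consistent with the no-policy and bucket-level messages. Both new `elif` branches also run before the bucket policy itself is inspected, so a bucket whose policy does grant public write but is shielded by a public access block is reported PASS without the policy ever being evaluated, and a reader may take that PASS to mean the policy is clean. It may be worth stating in status_extended that the policy was not evaluated because the block applies, or evaluating the policy anyway and only downgrading the result when `restrict_public_buckets` is set, so the mitigated misconfiguration stays visible. The enclosing `execute` method starts and ends outside the hunk, so the policy-statement evaluation this change short-circuits is not visible here.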