Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a new s3 check to verify if objects inside the bucket are public #3463

Open
Fennerr opened this issue Feb 29, 2024 · 1 comment
Open

Add a new s3 check to verify if objects inside the bucket are public #3463

Fennerr opened this issue Feb 29, 2024 · 1 comment
Labels
feature-request New feature request for Prowler. provider/aws Issues/PRs related with the AWS provider status/needs-triage Issue pending triage

Comments

@Fennerr
Copy link
Contributor

Fennerr commented Feb 29, 2024

New feature motivation

The s3_bucket_public_access checks for public access at the bucket level, but objects inside of it might be public

Solution Proposed

Its not feasible to check every object in the bucket. My proposal is to use a function that will select a user-defined (via config options) number of random objects in the bucket, and check if they are public. What I am seeing on my current assessment is that there are buckets that arnt public, but every object in the buckets are public, so this check would catch this type of misconfig.

Risk is mitigated (when compared to a full-blown public bucket) as you cant simply list the objects in the bucket, as the bucket is not publicly accessible.

Here is some pseduo-code that could be modified and used

import boto3
import random

def list_and_randomly_select_s3_objects(bucket_name, number_of_objects=3):
    # Initialize a boto3 client
    s3 = boto3.client('s3')
    
    # Retrieve the list of objects in the bucket
    try:
        response = s3.list_objects_v2(Bucket=bucket_name)
        objects = response.get('Contents', [])
        
        # Check if the bucket is empty
        if not objects:
            print("The bucket is empty.")
            return []
        
        # Extract object keys
        object_keys = [obj['Key'] for obj in objects]
        
        # Randomly select the user-defined number of objects, default is 3
        selected_keys = random.sample(object_keys, min(len(object_keys), number_of_objects))
        
        print(f"Randomly selected object keys: {selected_keys}")
        return selected_keys
    except Exception as e:
        print(f"An error occurred: {e}")
        return []

# Example usage
bucket_name = 'your-bucket-name'
selected_objects = list_and_randomly_select_s3_objects(bucket_name, 3)  # You can change 3 to any number you prefer

Describe alternatives you've considered

None

Additional context

No response
@Fennerr Fennerr added feature-request New feature request for Prowler. status/needs-triage Issue pending triage labels Feb 29, 2024
@Fennerr
Copy link
Contributor Author

Fennerr commented Feb 29, 2024

I imagine that the "list_and_randomly_select_s3_objects" method would be implemented on the s3_client, and then used in the check

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Feb 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request New feature request for Prowler. provider/aws Issues/PRs related with the AWS provider status/needs-triage Issue pending triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jfagoagas @Fennerr