New feature motivation
The s3_bucket_public_access check looks for public access at the bucket level, but objects inside of it might be public
Solution Proposed
It's not feasible to check every object in the bucket. My proposal is to use a function that will select a user-defined (via config options) number of random objects in the bucket, and check if they are public. What I am seeing on my current assessment is that there are buckets that aren't public, but every object in the buckets is public, so this check would catch this type of misconfig.
Risk is mitigated (when compared to a full-blown public bucket) as you can't simply list the objects in the bucket, as the bucket is not publicly accessible.
Here is some pseudo-code that could be modified and used
import boto3
import random

def list_and_randomly_select_s3_objects(bucket_name, number_of_objects=3):
    # Initialize a boto3 client
    s3 = boto3.client('s3')
    # Retrieve the list of objects in the bucket (first page only, at most 1000 keys)
    try:
        response = s3.list_objects_v2(Bucket=bucket_name)
        objects = response.get('Contents', [])
        # Check if the bucket is empty
        if not objects:
            print("The bucket is empty.")
            return []
        # Extract object keys
        object_keys = [obj['Key'] for obj in objects]
        # Randomly select the user-defined number of objects, default is 3
        selected_keys = random.sample(object_keys, min(len(object_keys), number_of_objects))
        print(f"Randomly selected object keys: {selected_keys}")
        return selected_keys
    except Exception as e:
        print(f"An error occurred: {e}")
        return []

# Example usage
bucket_name = 'your-bucket-name'
selected_objects = list_and_randomly_select_s3_objects(bucket_name, 3)  # You can change 3 to any number you prefer
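An added example, not part of the original issue and not the project's existing check code, that carries the proposal through end to end: it samples keys uniformly across all listing pages with reservoir sampling (the snippet above only sees the first page) and flags every sampled object whose ACL carries any grant to the AllUsers or AuthenticatedUsers group. FakeS3 is a constructed in-memory client so the example runs offline; against a real bucket, pass boto3.client('s3') in its place.

```python
import random

# Any grant to one of these groups makes the object accessible to the whole internet
# (AllUsers) or to every AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_is_public(acl):
    """True if a GetObjectAcl response carries any grant to a public group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))

def reservoir_sample_keys(s3, bucket, sample_size, rng=random, max_listed=10000):
    """Uniformly sample up to sample_size keys while paging through the listing
    (reservoir sampling); stop paging once max_listed keys have been seen."""
    reservoir, seen, token = [], 0, None
    while seen < max_listed:
        kwargs = {"Bucket": bucket, **({"ContinuationToken": token} if token else {})}
        resp = s3.list_objects_v2(**kwargs)
        for obj in resp.get("Contents", []):
            seen += 1
            if len(reservoir) < sample_size:
                reservoir.append(obj["Key"])
            elif (j := rng.randrange(seen)) < sample_size:  # kept with prob. size/seen
                reservoir[j] = obj["Key"]
        if not resp.get("IsTruncated"):
            break
        token = resp["NextContinuationToken"]
    return reservoir

def find_public_objects(s3, bucket, sample_size=3, rng=random):
    """Return the sampled keys whose ACL is public. s3 is any client exposing
    list_objects_v2 and get_object_acl, i.e. boto3.client('s3') or FakeS3 below."""
    keys = reservoir_sample_keys(s3, bucket, sample_size, rng)
    return [k for k in keys if acl_is_public(s3.get_object_acl(Bucket=bucket, Key=k))]

class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client, paging two keys at a time."""
    def __init__(self, acls):
        self.keys, self.acls = sorted(acls), acls
    def list_objects_v2(self, Bucket, ContinuationToken=None):
        start = int(ContinuationToken or 0)
        more = start + 2 < len(self.keys)
        return {"Contents": [{"Key": k} for k in self.keys[start:start + 2]],
                "IsTruncated": more,
                **({"NextContinuationToken": str(start + 2)} if more else {})}
    def get_object_acl(self, Bucket, Key):
        return self.acls[Key]
```

Bucket- or account-level Block Public Access with IgnorePublicAcls enabled makes such grants ineffective, so a flagged ACL is an actual exposure only where that setting is off; reporting the two together gives the reviewer the full picture.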
Describe alternatives you've considered
None
Additional context
No response