Skip to content

Commit

Permalink
feat(checks): improve S3 server logging access detection for AVD-AWS-…
Browse files Browse the repository at this point in the history
…0089

Signed-off-by: Nikita Pivkin <[email protected]>
  • Loading branch information
nikpivkin committed Sep 23, 2024
1 parent f375512 commit bff8451
Show file tree
Hide file tree
Showing 3 changed files with 110 additions and 13 deletions.
2 changes: 2 additions & 0 deletions avd_docs/aws/s3/AVD-AWS-0089/docs.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,6 @@ Ensures S3 bucket logging is enabled for S3 buckets
### Links
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

- https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html


69 changes: 60 additions & 9 deletions checks/cloud/aws/s3/enable_logging.rego
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
# METADATA
# title: "S3 Bucket Logging"
# description: "Ensures S3 bucket logging is enabled for S3 buckets"
# title: S3 Bucket Logging
# description: Ensures S3 bucket logging is enabled for S3 buckets
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
# - https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
# custom:
# id: AVD-AWS-0089
# avd_id: AVD-AWS-0089
Expand All @@ -15,23 +16,73 @@
# short_code: enable-logging
# aliases:
# - s3-bucket-logging
# recommended_action: "Add a logging block to the resource to enable access logging"
# recommended_action: Add a logging block to the resource to enable access logging
# input:
# selector:
# - type: cloud
# subtypes:
# - service: s3
# provider: aws
# terraform:
# good_examples: "checks/cloud/aws/s3/enable_bucket_logging.tf.go"
# links: "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket"
# good_examples: checks/cloud/aws/s3/enable_bucket_logging.tf.go
# links:
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
# cloud_formation:
# good_examples: "checks/cloud/aws/s3/enable_bucket_logging.cf.go"
# good_examples: checks/cloud/aws/s3/enable_bucket_logging.cf.go
package builtin.aws.s3.aws0089

import future.keywords.if
import future.keywords.in

deny[res] {
bucket := input.aws.s3.buckets[_]
not bucket.acl.value == "log-delivery-write"
not bucket.logging.enabled.value
res := result.new("Bucket has logging disabled", bucket.logging.enabled)
not bucket_has_server_logging_access(bucket)
not is_logging_enabled(bucket)
res := result.new(
"Bucket has logging disabled",
object.get(bucket, ["logging", "enabled"], bucket)
)
}

is_logging_enabled(bucket) if bucket.logging.enabled.value

# Canned ACL
# The LogDelivery group gets WRITE and READ_ACP permissions on the bucket.
bucket_has_server_logging_access(bucket) if {
bucket.acl.value == "log-delivery-write"
}

bucket_has_server_logging_access(bucket) if {
some grant in bucket.grants
grantee_is_log_delivery_group(grant)
has_write_and_read_acp_permissions(grant.permissions)
}

# Grant permissions to the log delivery group by using a bucket AC
has_write_and_read_acp_permissions(permissions) if {
has_permission(permissions, "FULL_CONTROL")
}

has_write_and_read_acp_permissions(permissions) if {
has_permission(permissions, "WRITE")
has_permission(permissions, "READ_ACP")
}

has_permission(permissions, v) if {
some permission in permissions
permission.value == v
}

log_group := "http://acs.amazonaws.com/groups/s3/LogDelivery"

grantee_is_log_delivery_group(grant) if grant.grantee.uri.value == log_group

# Grant permissions to the logging service principal by using a bucket policy
bucket_has_server_logging_access(bucket) if {
policy := bucket.bucketpolicies[_]
doc := json.unmarshal(policy.document.value)
statement := doc.Statement[_]
statement.Effect == "Allow"
"s3:PutObject" in statement.Action
"logging.s3.amazonaws.com" in statement.Principal.Service
}
52 changes: 48 additions & 4 deletions checks/cloud/aws/s3/enable_logging_test.rego
Original file line number Diff line number Diff line change
@@ -1,27 +1,71 @@
package builtin.aws.s3.aws0089

test_detects_when_disabled {
test_deny_logging_disabled {
r := deny with input as {"aws": {"s3": {"buckets": [{"logging": {"enabled": {"value": false}}}]}}}
count(r) == 1
}

test_when_enabled {
test_allow_logging_enabled {
r := deny with input as {"aws": {"s3": {"buckets": [{"logging": {"enabled": {"value": true}}}]}}}
count(r) == 0
}

test_detects_when_disabled_but_acl_is_log_write {
test_allow_logging_disabled_but_bucket_has_server_logging_access_acl {
r := deny with input as {"aws": {"s3": {"buckets": [{
"logging": {"enabled": {"value": false}},
"acl": {"value": "log-delivery-write"},
}]}}}
count(r) == 0
}

test_detects_when_enabled_and_acl_is_not_log_write {
test_deny_logging_disabled_and_bucket_does_not_have_server_access_logging {
r := deny with input as {"aws": {"s3": {"buckets": [{
"logging": {"enabled": {"value": false}},
"acl": {"value": "private"},
}]}}}
count(r) == 1
}

test_allow_logging_disabled_but_bucket_has_server_logging_access_grant {
r := deny with input as {"aws": {"s3": {"buckets": [{
"logging": {"enabled": {"value": false}},
"acl": {"value": "log-delivery-write"},
"grants": [
{
"grantee": {
"id": {"value": "111122223333"},
"type": {"value": "CanonicalUser"},
},
"permissions": [{"value": "FULL_CONTROL"}],
},
{
"grantee": {
"uri": {"value": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
"type": {"value": "GROUP"},
},
"permissions": [
{"value": "READ_ACP"},
{"value": "WRITE"},
],
},
],
}]}}}
count(r) == 0
}

test_allow_logging_disabled_but_bucket_has_server_logging_access_policy {
r := deny with input as {"aws": {"s3": {"buckets": [{
"logging": {"enabled": {"value": false}},
"bucketpolicies": [{"document": {"value": json.marshal({
"Version": "2012-10-17",
"Statement": [{
"Sid": "S3ServerAccessLogsPolicy",
"Effect": "Allow",
"Principal": {"Service": ["logging.s3.amazonaws.com"]},
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::DOC-EXAMPLE-DESTINATION-BUCKET-logs/*",
}],
})}}],
}]}}}
count(r) == 0
}

0 comments on commit bff8451

Please sign in to comment.