def test_rule_supports_filter_config(s3_bucket_cross_account_and_normal,
                                     default_allow_all_config):
    """An allow-all config yields a valid result with an empty failure list.

    Both the template and the config come from fixtures defined elsewhere;
    this test only checks that the rule honours the supplied config.
    """
    checker = S3CrossAccountTrustRule(default_allow_all_config)
    outcome = checker.invoke(s3_bucket_cross_account_and_normal)

    expected_failures = []
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_s3_bucket_cross_account_from_aws_service(s3_bucket_cross_account_from_aws_service):
    """A bucket policy granting access to an AWS service principal is not a cross-account failure.

    NOTE(review): a second definition with this exact name appears later in the
    file; under pytest the later one shadows this one, so confirm which version
    is meant to survive.
    NOTE(review): "123456789" is a 9-digit placeholder, shorter than the
    12-digit AWS account-id format; whether the rule validates length is not
    visible here.
    """
    config = Config(aws_account_id="123456789")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account_from_aws_service)

    failed = outcome.failed_rules
    monitored_failed = outcome.failed_monitored_rules
    assert outcome.valid
    assert len(failed) == 0
    assert len(monitored_failed) == 0
def test_s3_bucket_cross_account_from_aws_service(
        s3_bucket_cross_account_from_aws_service):
    """A bucket policy granting access to an AWS service principal produces no failures.

    Same scenario as the earlier definition of this name, expressed through
    ``compare_lists_of_failures`` instead of counting ``failed_rules``.
    """
    config = Config(aws_account_id="123456789")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account_from_aws_service)

    expected_failures = []
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_s3_bucket_cross_account_and_normal_with_org_aws_account(s3_bucket_cross_account_and_normal):
    """A foreign principal listed in ``aws_principals`` is still reported as a blocking failure.

    The expected reason pins the exact principal ARN so that a regression in
    how the rule renders the offending principal is caught.

    NOTE(review): a second definition with this exact name appears later in the
    file; under pytest the later one shadows this one, so confirm which version
    is meant to survive.
    """
    config = Config(aws_account_id="123456789", aws_principals=["666555444"])
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account_and_normal)

    expected_reason = (
        "S3BucketPolicyAccountAccess has forbidden cross-account policy allow with "
        "arn:aws:iam::666555444:root for an S3 bucket."
    )
    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert len(outcome.failed_monitored_rules) == 0
    only_failure = outcome.failed_rules[0]
    assert only_failure.rule == "S3CrossAccountTrustRule"
    assert only_failure.reason == expected_reason
def test_s3_bucket_cross_account(s3_bucket_cross_account):
    """A bucket policy trusting a different account fails the rule once, as a blocking failure.

    NOTE(review): a second definition with this exact name appears later in the
    file; under pytest the later one shadows this one, so confirm which version
    is meant to survive.
    """
    config = Config(aws_account_id="123456789")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account)

    expected_reason = (
        "S3BucketPolicyAccountAccess has forbidden cross-account policy allow with "
        "arn:aws:iam::987654321:root for an S3 bucket."
    )
    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert len(outcome.failed_monitored_rules) == 0
    only_failure = outcome.failed_rules[0]
    assert only_failure.rule == "S3CrossAccountTrustRule"
    assert only_failure.reason == expected_reason
def test_s3_bucket_cross_account_and_normal_with_org_aws_account(s3_bucket_cross_account_and_normal):
    """A foreign principal listed in ``aws_principals`` is reported as one MEDIUM, BLOCKING failure.

    Uses 12-digit account ids (the real AWS format) and compares the full
    ``Failure`` record, including the affected resource ids and types.
    """
    config = Config(aws_account_id="123456789012", aws_principals=["666555444333"])
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account_and_normal)

    expected_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="S3BucketPolicyAccountAccess has forbidden cross-account policy allow with arn:aws:iam::666555444333:root for an S3 bucket.",
        granularity=RuleGranularity.RESOURCE,
        risk_value=RuleRisk.MEDIUM,
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"S3BucketPolicyAccountAccess"},
        resource_types={"AWS::S3::BucketPolicy"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected_failure])
def test_s3_bucket_cross_account(s3_bucket_cross_account):
    """A bucket policy trusting a different account yields one MEDIUM, BLOCKING failure.

    NOTE(review): the expected ``Failure`` here sets no ``resource_types``;
    whether ``compare_lists_of_failures`` ignores that field is not visible in
    this file — confirm.
    """
    config = Config(aws_account_id="123456789")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account)

    expected_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="S3BucketPolicyAccountAccess has forbidden cross-account policy allow with arn:aws:iam::987654321:root for an S3 bucket.",
        granularity=RuleGranularity.RESOURCE,
        risk_value=RuleRisk.MEDIUM,
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"S3BucketPolicyAccountAccess"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected_failure])
def test_s3_bucket_cross_account_for_current_account(s3_bucket_cross_account):
    """When the trusted account is the configured account itself, the rule passes.

    NOTE(review): a second definition with this exact name appears later in the
    file; under pytest the later one shadows this one, so confirm which version
    is meant to survive.
    """
    config = Config(aws_account_id="987654321")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account)

    assert outcome.valid
def test_s3_bucket_cross_account_for_current_account(s3_bucket_cross_account):
    """When the trusted account is the configured account itself, no failures are reported."""
    config = Config(aws_account_id="987654321")
    checker = S3CrossAccountTrustRule(config)
    outcome = checker.invoke(s3_bucket_cross_account)

    expected_failures = []
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, expected_failures)