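import pytest
from aws.s3.helpers import get_s3_resource_id
from aws.s3.resources import s3_buckets, s3_buckets_website


@pytest.mark.s3
@pytest.mark.parametrize(
    ["s3_bucket", "s3_bucket_website"],
    zip(s3_buckets(), s3_buckets_website()),
    ids=get_s3_resource_id,
)
def test_s3_bucket_web_hosting_disabled(s3_bucket, s3_bucket_website):
    """
    Disable hosting static site in the S3 bucket.

    Fails when the bucket's website configuration carries an index
    document, an error document, or a redirect-all rule. Each field is
    checked separately so the failure message names the offending setting
    and the bucket.
    """
    bucket_name = s3_bucket["Name"]
    # .get() instead of [] : a configuration that omits a field has not
    # enabled that feature, so the check should pass or fail on the value
    # rather than error out with KeyError (which would hide the result).
    assert not s3_bucket_website.get("IndexDocument"), (
        "Index document configured for {}".format(bucket_name))
    assert not s3_bucket_website.get("ErrorDocument"), (
        "Error document configured for {}".format(bucket_name))
    assert not s3_bucket_website.get("RedirectAllRequestsTo"), (
        "Redirect-all rule configured for {}".format(bucket_name))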
import pytest
from aws.s3.helpers import get_s3_resource_id
from aws.s3.resources import s3_buckets, s3_buckets_logging


@pytest.mark.s3
@pytest.mark.parametrize(
    ["s3_bucket", "s3_bucket_logging_enabled"],
    zip(s3_buckets(), s3_buckets_logging()),
    ids=get_s3_resource_id,
)
def test_s3_bucket_logging_enabled(s3_bucket, s3_bucket_logging_enabled):
    """
    Enable access logs for S3 buckets.

    Fails when the logging indicator reported for the bucket is falsy;
    the failure message names the bucket.
    """
    logging_on = bool(s3_bucket_logging_enabled)
    # Message is only built on the failure path.
    assert logging_on, "Logging not enabled for {0[Name]}".format(s3_bucket)
import pytest
from aws.s3.helpers import get_s3_bucket_name_only
from aws.s3.resources import s3_buckets, s3_buckets_cors_rules


@pytest.mark.s3
@pytest.mark.parametrize(
    ["s3_bucket", "s3_bucket_cors_rules"],
    zip(s3_buckets(), s3_buckets_cors_rules()),
    ids=get_s3_bucket_name_only,
)
def test_s3_bucket_cors_disabled(s3_bucket, s3_bucket_cors_rules):
    """
    Disable sharing S3 bucket contents cross origin with CORS headers.

    http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

    Passes only when no CORS rules are reported for the bucket (the
    resource helper yields ``None`` in that case); any rule set fails.
    """
    cors_configured = s3_bucket_cors_rules is not None
    assert not cors_configured, "CORS enabled for {0[Name]}".format(s3_bucket)
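import pytest
from aws.s3.resources import (
    s3_buckets,
    s3_buckets_versioning,
)


@pytest.mark.s3
@pytest.mark.parametrize(
    ['s3_bucket', 's3_bucket_versioning'],
    zip(s3_buckets(), s3_buckets_versioning()),
    # NOTE(review): pytest applies this id function to both parametrized
    # values; the versioning dict presumably has no 'Name' key, in which case
    # pytest warns and falls back to an auto-generated id — confirm, or use
    # the get_s3_resource_id helper the sibling S3 tests rely on.
    ids=lambda bucket: bucket['Name'],
)
def test_s3_bucket_versioning_enabled(s3_bucket, s3_bucket_versioning):
    """
    Enable restoring every version of every object in the S3 bucket to
    easily recover data.

    http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

    Fails unless the versioning configuration reports ``Status`` equal to
    ``'Enabled'``; a missing ``Status`` (never configured) and any other
    value both fail, and the message names the bucket and the status seen.
    """
    status = s3_bucket_versioning.get('Status', None)
    assert status == 'Enabled', (
        "Versioning not enabled for {} (Status: {})".format(
            s3_bucket['Name'], status))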
import pytest
from aws.s3.helpers import get_s3_resource_id
from aws.s3.resources import s3_buckets, s3_bucket_lifecycle_configuration


@pytest.mark.s3
@pytest.mark.parametrize(
    ["s3_bucket", "lifecycle_configuration"],
    zip(s3_buckets(), s3_bucket_lifecycle_configuration()),
    ids=get_s3_resource_id,
)
def test_s3_bucket_has_life_cycle_policy(s3_bucket, lifecycle_configuration):
    """
    Check a bucket has a life cycle policy.

    The resource helper marks a bucket without a policy by placing ``None``
    in the yielded configuration; the test fails when that marker is present.
    """
    missing_policy = None in lifecycle_configuration
    assert not missing_policy, f"{s3_bucket['Name']} has no life cycle policy."
import json import pytest from aws.s3.resources import s3_buckets, s3_buckets_policy STAR_ACTIONS = ["*", "s3:*", "s3:delete*", "s3:put*", "s3:get*", "s3:list*"] @pytest.mark.s3 @pytest.mark.parametrize( ["s3_bucket", "s3_bucket_policy"], zip(s3_buckets(), s3_buckets_policy()), ids=lambda bucket: bucket["Name"], ) def test_s3_bucket_does_not_grant_all_principals_all_actions( s3_bucket, s3_bucket_policy): """ Check policy does not allow all principals all actions on the S3 Bucket. Mitigations: * limit actions instead of using * or S3:* http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html * limit principals to specific IAMs http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html * add conditions http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html """ if not s3_bucket_policy: pytest.skip( "Bucket has no policy, which means it defaults to private.") # https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
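from aws.s3.resources import s3_buckets, s3_buckets_acls

AWS_PREDEFINED_GROUPS = [
    # allow any AWS account to access the resource with a signed/authed request
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
    # allows anyone in the world access to the resource
    "http://acs.amazonaws.com/groups/global/AllUsers",
]


@pytest.mark.s3
@pytest.mark.parametrize(
    ["s3_bucket", "s3_bucket_acl"],
    zip(s3_buckets(), s3_buckets_acls()),
    ids=lambda bucket: bucket["Name"],
)
def test_s3_bucket_no_world_acl(s3_bucket, s3_bucket_acl):
    """
    Check S3 bucket does not allow global predefined AWS groups access.

    http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

    Every grant in the ACL is inspected. A grant whose grantee has no
    ``URI`` (a canonical-user or e-mail grantee) cannot name a predefined
    group, so it is passed over rather than skipping the whole test: calling
    ``pytest.skip`` on the first such grant ended the test before any later
    group grant was examined, so a world-readable grant listed after the
    owner's grant was never checked. Fails, naming the bucket, permission and
    group URI, when a grant targets one of ``AWS_PREDEFINED_GROUPS``.
    """
    bucket_name = s3_bucket["Name"]
    for grant in s3_bucket_acl["Grants"]:
        grantee_uri = grant["Grantee"].get("URI")
        if grantee_uri is None:
            # Not a group grant; keep checking the remaining grants.
            continue
        is_predefined_group = any(
            grantee_uri.startswith(group) for group in AWS_PREDEFINED_GROUPS)
        assert not is_predefined_group, (
            "{} grants {} to {}".format(
                bucket_name, grant.get("Permission"), grantee_uri))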