[Bug Fix] state/s3 - Ownership controls & public access block config (#…

…700)
widdix · Aug 22, 2023 · 4e85dd5 · 4e85dd5
1 parent ff8369f
commit 4e85dd5
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 6 deletions.
diff --git a/state/s3.yaml b/state/s3.yaml
@@ -156,8 +156,9 @@ Conditions:
   HasPartitionUsGov: !Equals [!Ref 'AWS::Partition', 'aws-us-gov']
   HasLambdaFunctionArn: !Not [!Equals [!Ref LambdaFunctionArn, '']]
   HasLambdaFunctionFilterPrefix: !Not [!Equals [!Ref LambdaFunctionFilterPrefix, '']]
-  HasPublicAccessBlock: !Not [!Or [!Condition HasPublicReadAccess, !Condition HasPublicWriteAccess]]
+  HasBlockPublicAccess: !Not [!Or [!Condition HasPublicReadAccess, !Condition HasPublicWriteAccess]]
   HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']]
+  HasBucketOwnerPreferred: !Or [!Condition HasCloudFrontAccessLogWrite, !Condition HasS3AccessLogWrite, !Not [!Condition HasBlockPublicAccess]]
 Resources:
   Bucket: # cannot be deleted with data
     Type: 'AWS::S3::Bucket'
@@ -182,8 +183,8 @@ Resources:
         - !If [HasLambdaFunctionArn, {Event: !Ref LambdaFunctionEvent, Function: !Ref LambdaFunctionArn, Filter: !If [HasLambdaFunctionFilterPrefix, {S3Key: {Rules: [{Name: prefix, Value: !Ref LambdaFunctionFilterPrefix}]}}, !Ref 'AWS::NoValue']}, !Ref 'AWS::NoValue']
         QueueConfigurations:
         - !If [HasS3VirusScan, {Event: 's3:ObjectCreated:*', Queue: {'Fn::ImportValue': !Sub '${ParentS3VirusScanStack}-ScanQueueArn'}}, !Ref 'AWS::NoValue']
-      OwnershipControls: !If [HasCloudFrontAccessLogWrite, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}, !Ref 'AWS::NoValue']
-      PublicAccessBlockConfiguration: !If [HasPublicAccessBlock, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, !Ref 'AWS::NoValue'] # AWS Foundational Security Best Practices v1.0.0 S3.8
+      OwnershipControls: !If [HasBucketOwnerPreferred, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}]
+      PublicAccessBlockConfiguration: !If [HasBlockPublicAccess, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, {BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: false}] # AWS Foundational Security Best Practices v1.0.0 S3.8
       VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
       BucketEncryption:
         ServerSideEncryptionConfiguration:

diff --git a/test/src/test/java/de/widdix/awscftemplates/state/TestS3.java b/test/src/test/java/de/widdix/awscftemplates/state/TestS3.java
@@ -1,21 +1,104 @@
 package de.widdix.awscftemplates.state;
 
+import com.amazonaws.services.cloudformation.model.Parameter;
 import de.widdix.awscftemplates.ACloudFormationTest;
 import de.widdix.awscftemplates.Context;
 import org.junit.Test;
 
 public class TestS3 extends ACloudFormationTest {
 
-    @Test
-    public void test() {
+    private void test(final String access) {
         final Context context = new Context();
         final String stackName = "s3-" + this.random8String();
         try {
-            this.createStack(context, stackName, "state/s3.yaml");
+            this.createStack(context, stackName, "state/s3.yaml",
+                    new Parameter().withParameterKey("Access").withParameterValue(access));
             // TODO how can we check if this stack works?
         } finally {
             this.deleteStack(context, stackName);
         }
     }
 
+    @Test
+    public void testPrivate() {
+        this.test("Private");
+    }
+
+    @Test
+    public void testPublicRead() {
+        this.test("PublicRead");
+    }
+
+    @Test
+    public void testPublicWrite() {
+        this.test("PublicWrite");
+    }
+
+    @Test
+    public void testPublicReadAndWrite() {
+        this.test("PublicReadAndWrite");
+    }
+
+    @Test
+    public void testCloudFrontRead() {
+        this.test("CloudFrontRead");
+    }
+
+    @Test
+    public void testCloudFrontAccessLogWrite() {
+        this.test("CloudFrontAccessLogWrite");
+    }
+
+    @Test
+    public void testElbAccessLogWrite() {
+        this.test("ElbAccessLogWrite");
+    }
+
+    @Test
+    public void testS3AccessLogWrite() {
+        this.test("S3AccessLogWrite");
+    }
+
+    @Test
+    public void testConfigWrite() {
+        this.test("ConfigWrite");
+    }
+
+    @Test
+    public void testCloudTrailWrite() {
+        this.test("CloudTrailWrite");
+    }
+
+    @Test
+    public void testVpcEndpointRead() {
+        final Context context = new Context();
+        final String vpcStackName = "vpc-" + this.random8String();
+        final String vpcEndpointStackName = "vpc-endpoint-" + this.random8String();
+        final String stackName = "s3-" + this.random8String();
+        try {
+            this.createStack(context, vpcStackName, "vpc/vpc-2azs.yaml");
+            try {
+                this.createStack(context, vpcEndpointStackName, "vpc/vpc-endpoint-s3.yaml",
+                        new Parameter().withParameterKey("ParentVPCStack").withParameterValue(vpcStackName));
+                try {
+                    this.createStack(context, stackName, "state/s3.yaml",
+                            new Parameter().withParameterKey("ParentVpcEndpointStack").withParameterValue(vpcEndpointStackName),
+                            new Parameter().withParameterKey("Access").withParameterValue("VpcEndpointRead"));
+                    // TODO how can we check if this stack works?
+                } finally {
+                    this.deleteStack(context, stackName);
+                }
+            } finally {
+                this.deleteStack(context, vpcEndpointStackName);
+            }
+        } finally {
+            this.deleteStack(context, vpcStackName);
+        }
+    }
+
+    @Test
+    public void testFlowLogWrite() {
+        this.test("FlowLogWrite");
+    }
+
 }