Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(s3_bucket_level_public_access_block): new check #1953

Merged
merged 2 commits into from
Mar 2, 2023
Merged

feat(s3_bucket_level_public_access_block): new check #1953

merged 2 commits into from
Mar 2, 2023

Conversation

MrCloudSec
Copy link
Member

Description

Regarding #1916, add new check that complies with CIS control 2.1.5.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@MrCloudSec MrCloudSec requested review from a team, drewkerrigan and thejaywhy February 23, 2023 09:52
@MrCloudSec MrCloudSec linked an issue Feb 23, 2023 that may be closed by this pull request
Add s3_bucket_level_public_access_block check #1916
Closed
@MrCloudSec MrCloudSec requested a review from toniblyx February 23, 2023 09:52
@MrCloudSec MrCloudSec added the no-merge Please, DO NOT MERGE this PR. label Feb 23, 2023
@MrCloudSec MrCloudSec removed the no-merge Please, DO NOT MERGE this PR. label Mar 1, 2023
@n4ch04 n4ch04 merged commit d6c3c0c into master Mar 2, 2023
@n4ch04 n4ch04 deleted the 1916-add-s3_bucket_level_public_access_block-check branch March 2, 2023 09:18
addefisher
addefisher reviewed Mar 8, 2023
View reviewed changes
prowler/compliance/aws/cis_1.5_aws.json
@@ -533,7 +533,7 @@
"Id": "2.1.5",
"Description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'",
"Checks": [
"s3_account_level_public_access_blocks"
"s3_bucket_level_public_access_block"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I requested this check, I do not think it should be added to the CIS compliance file. Generally account level BPA settings are a better way to achieve CIS compliance. The s3_bucket_level_public_access_block check is extremely useful for edge cases (where an account has a legitimate need for a public bucket and a risk exception has been made), but the account level checks are a preferable approach for most environments / AWS accounts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addefisher addefisher addefisher left review comments

@n4ch04 n4ch04 n4ch04 approved these changes

@drewkerrigan drewkerrigan Awaiting requested review from drewkerrigan

@thejaywhy thejaywhy Awaiting requested review from thejaywhy

@toniblyx toniblyx Awaiting requested review from toniblyx

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add s3_bucket_level_public_access_block check
3 participants
@MrCloudSec @n4ch04 @addefisher