bug: duplication in AWS foundational security controls for S3

[obormot]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Currently in cloudquery/plugins/source/aws/policies/foundational_security/s3.sql checks S3.1 and S3.8 refer to the same include file:

\set check_id 'S3.1'
\echo "Executing check S3.1"
\ir ../queries/s3/account_level_public_access_blocks.sql       <-- correct

\set check_id 'S3.2'
\echo "Executing check S3.2"
\ir ../queries/s3/publicly_readable_buckets.sql

[..skip..]

\set check_id 'S3.8'
\echo "Executing check S3.8"
\ir ../queries/s3/account_level_public_access_blocks.sql     <-- duplicate

Expected Behavior

According to https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html :

[S3.8] S3 Block Public Access setting should be enabled at the bucket-level

..so I believe the correct file to include should be s3/bucket_level_public_access_blocks.sql
ie. bucket instead of the (duplicated) account

CloudQuery (redacted) config

N/A

Steps To Reproduce

No response

CloudQuery (redacted) logs

N/A

CloudQuery version

(I actually don't know)

Additional Context

No response

Pull request (optional)

• I can submit a pull request

[github-actions]

Thanks for reporting this issue 👍
You can reach us via Discord too.
If you enjoy using this project, please consider starring it for support

[candiduslynx]

Hi @obormot!

I looked at the S3.8 spec as well as the query in question & you're totally right.
Seems like a typo did find its way into the policies, thanks for catching this!

#13065 should take care of this.

[obormot]

Thanks for the quick response.
Here is a thing to note: in my understanding, when the account level public access in S3 is blocked (ie. check S3.1 is a pass), then the bucket level public access policies (check S3.8) get overridden.
In my case cloudquery would populate the relevant columns in aws_s3_buckets table (block_public_acls, ignore_public_acls etc.) as nulls, and the bucket_level_public_access_blocks.sql would trigger.
This would be a false positive, since the check doesn't process for the account level override.

I guess this should be filed as a separate issue for bucket_level_public_access_blocks.sql. I'm just posting it here for the reviewers since merging the fix could result in many unexpected FP alerts for ppl running the foundational_security policy.

[candiduslynx]

@ronsh12 @jsonpr could please you take a look at this, too?

[jsonpr]

Hey @obormot - thanks for reporting this issue. We had a chat internally regarding your feedback.

I agree with your understanding - there's a hierarchy of evaluation of controls that beings with Block Public Access at the account level, then the bucket level, then access point levels. Thus to your point, if BPA is turned on at the account level, the bucket level BPA settings could be overridden by the account level blocks.

We wrote a blog post on Block Public Access earlier this year: https://www.cloudquery.io/blog/finding-enabled-s3-acls-and-disabled-s3-block-public-access.

Here's what we'll do:

• We will update the control for S3.8 (S3 Block Public Access setting should be enabled at the bucket-level) to point to the correct logic. Agreed that these updates could trigger more positives for customers running the query. We'd like these to be accurate and thanks for catching the duplicate controls.
• We try to keep our policies as close to the policy frameworks as possible. In this case, we believe that the Foundational Security Best Practices evaluates the controls separately as there's no overlapping mention in both of them. https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-8. Thus, to keep our checks in line with AWS, we'll evaluate them separately as multiple layers of security.

If you'd like to evaluate if the bucket contents are public or not - that could be a custom query that evaluates all settings for a bucket - including access point settings, bucket settings, account settings, ACLs, bucket policies, and more.

From AWS Documentation: S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. If you apply a setting to an account, it applies to all buckets and access points that are owned by that account. Similarly, if you apply a setting to a bucket, it applies to all access points associated with that bucket.