From f5d0266cde070b5c5196e9500a95258a945ddaa5 Mon Sep 17 00:00:00 2001
From: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>
Date: Mon, 5 Dec 2022 20:59:53 +0530
Subject: [PATCH] PLA-45823 - Updated remediation job to restrict unsecured HTTP requests for S3 Bucket (#131)
---
 .../aws_s3_bucket_policy_allow_https.py | 2 +-
 test/unit/test_aws_s3_bucket_policy_allow_https.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
index 4fe914a..e2d7663 100644
--- a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
+++ b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
@@ -103,7 +103,7 @@ def remediate(self, client, cloud_account_id, bucket_name):
 "Sid": "Restrict Non-https Requests",
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": f"arn:aws:s3:::{bucket_name}/*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
 }
diff --git a/test/unit/test_aws_s3_bucket_policy_allow_https.py b/test/unit/test_aws_s3_bucket_policy_allow_https.py
index b1604b9..53c467f 100644
--- a/test/unit/test_aws_s3_bucket_policy_allow_https.py
+++ b/test/unit/test_aws_s3_bucket_policy_allow_https.py
@@ -98,7 +98,7 @@ def test_remediate_success(self):
 "Sid": "Restrict Non-https Requests",
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": "arn:aws:s3:::bucket_name/*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
 },
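Review bot: The Deny statement in remediate() now covers `s3:*`, but its `Resource` is still only `arn:aws:s3:::{bucket_name}/*`, which matches objects and not the bucket itself, so bucket-level requests (listing, or reading and changing bucket configuration) sent over plain HTTP are not denied by this statement. Listing both ARNs closes that gap: `"Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],`. The expected policy in test_remediate_success (second hunk) carries the same single object ARN and would need the matching change. The ARN also hard-codes the `aws` partition, which presumably would not match buckets in other partitions; remediate's body continues outside the hunk, so how this statement is merged with an existing bucket policy is not visible here.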