From 770dd07669288dffd516cb8e14c072675ba961f6 Mon Sep 17 00:00:00 2001
From: Shrutika Kulkarni
Date: Tue, 22 Nov 2022 16:31:25 +0530
Subject: [PATCH] PLA-45823 - Updated remediation job to restrict unsecured HTTP requests for S3 Bucket
---
 .../aws_s3_bucket_policy_allow_https.py | 2 +-
 test/unit/test_aws_s3_bucket_policy_allow_https.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
index 4fe914a..e2d7663 100644
--- a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
+++ b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
@@ -103,7 +103,7 @@ def remediate(self, client, cloud_account_id, bucket_name):
 "Sid": "Restrict Non-https Requests",
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": f"arn:aws:s3:::{bucket_name}/*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
 }
diff --git a/test/unit/test_aws_s3_bucket_policy_allow_https.py b/test/unit/test_aws_s3_bucket_policy_allow_https.py
index b1604b9..53c467f 100644
--- a/test/unit/test_aws_s3_bucket_policy_allow_https.py
+++ b/test/unit/test_aws_s3_bucket_policy_allow_https.py
@@ -98,7 +98,7 @@ def test_remediate_success(self):
 "Sid": "Restrict Non-https Requests",
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": "arn:aws:s3:::bucket_name/*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
 },
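Review bot: In the `remediate` hunk the Deny statement now names `s3:*`, but its `Resource` is still only `arn:aws:s3:::{bucket_name}/*`, so it matches object-level requests and leaves bucket-level actions (listing, reading or changing bucket configuration) reachable over plain HTTP. To cover those as well, list the bucket ARN alongside the object ARN: `"Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],`. The expected policy in `test_remediate_success` would need the same two-element list. The body of `remediate` starts and ends outside the hunk, so how this statement is merged with an existing bucket policy is not visible here.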