diff --git a/README.md b/README.md
index 398ff2f..bd63ebb 100644
--- a/README.md
+++ b/README.md
@@ -157,6 +157,7 @@ The table below lists all the supported jobs with their links.
 | 44. | 5c8c26487a550e1fb6560c4a | RDS snapshot should restrict public access | [aws-rds-snapshot-remove-publicaccess](remediation_worker/jobs/aws_rds_snapshot_remove_publicaccess) |
 | 45. | 5c8c26567a550e1fb6560c5d | S3 bucket should not give full access to all authenticated users | [aws_s3_remove_fullaccess_authenticatedusers](remediation_worker/jobs/aws_s3_remove_fullaccess_authenticatedusers) |
+
 ## Contributing
 
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq). All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
diff --git a/remediation_worker/jobs/aws_ec2_default_security_group_traffic/aws_ec2_default_security_group_traffic.py b/remediation_worker/jobs/aws_ec2_default_security_group_traffic/aws_ec2_default_security_group_traffic.py
index a7f6ebf..73cf384 100644
--- a/remediation_worker/jobs/aws_ec2_default_security_group_traffic/aws_ec2_default_security_group_traffic.py
+++ b/remediation_worker/jobs/aws_ec2_default_security_group_traffic/aws_ec2_default_security_group_traffic.py
@@ -101,6 +101,7 @@ def remediate(self, client, security_group_id, region, cloud_account_id):
         except Exception as e:
             logging.error(f"{str(e)}")
             raise
+        return 0
 
     def run(self, args):
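Review bot: The added `return 0` at the end of `remediate` fixes the success value at 0 regardless of what the method did, and nothing in the hunk documents what callers should read into it; the docstring of `remediate` (its body starts above the hunk) should state the contract, e.g. `:returns: int -- 0 once the remediation has been applied; any failure is re-raised rather than reported as a non-zero code`. If `remediate` has earlier return paths above the hunk (for instance when there is nothing to change), they would now return `None` while this path returns 0, so the return type should be checked for consistency. The same addition is made to `remediate` in `ec2_close_port_9200_9300.py` in this commit and the same note applies there.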
diff --git a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
index 4fe914a..e2d7663 100644
--- a/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
+++ b/remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py
@@ -103,7 +103,7 @@ def remediate(self, client, cloud_account_id, bucket_name):
                     "Sid": "Restrict Non-https Requests",
                     "Effect": "Deny",
                     "Principal": "*",
-                    "Action": "s3:GetObject",
+                    "Action": "s3:*",
                     "Resource": f"arn:aws:s3:::{bucket_name}/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                 }
diff --git a/remediation_worker/jobs/ec2_close_port_9200_9300/ec2_close_port_9200_9300.py b/remediation_worker/jobs/ec2_close_port_9200_9300/ec2_close_port_9200_9300.py
index a88fbe7..5160ae7 100644
--- a/remediation_worker/jobs/ec2_close_port_9200_9300/ec2_close_port_9200_9300.py
+++ b/remediation_worker/jobs/ec2_close_port_9200_9300/ec2_close_port_9200_9300.py
@@ -111,6 +111,7 @@ def remediate(self, client, instance_id):
         except Exception as e:
             logging.error(f"{str(e)}")
             raise
+        return 0
 
     def run(self, args):
diff --git a/test/unit/test_aws_s3_bucket_policy_allow_https.py b/test/unit/test_aws_s3_bucket_policy_allow_https.py
index b1604b9..53c467f 100644
--- a/test/unit/test_aws_s3_bucket_policy_allow_https.py
+++ b/test/unit/test_aws_s3_bucket_policy_allow_https.py
@@ -98,7 +98,7 @@ def test_remediate_success(self):
                     "Sid": "Restrict Non-https Requests",
                     "Effect": "Deny",
                     "Principal": "*",
-                    "Action": "s3:GetObject",
+                    "Action": "s3:*",
                     "Resource": "arn:aws:s3:::bucket_name/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                 },
diff --git a/tox.ini b/tox.ini
index 952a981..0f19e61 100644
--- a/tox.ini
+++ b/tox.ini
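Review bot: Widening `Action` to `s3:*` still leaves the deny scoped by `Resource` to object ARNs only (`arn:aws:s3:::{bucket_name}/*`), so bucket-level operations such as listing the bucket, which are evaluated against the bucket ARN itself, are not denied over plain HTTP. To enforce TLS for the whole bucket the statement needs both ARNs: `"Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],`. The expected policy in `test/unit/test_aws_s3_bucket_policy_allow_https.py`, changed in the same commit, would then need the matching two-element list. The statement is built inside `remediate`, whose body begins and ends outside the hunk, so it is not visible here whether an existing bucket policy is merged with this statement or replaced by it.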
@@ -65,6 +65,7 @@ envlist =
     unit-aws_s3_remove_fullaccess_authenticatedusers
+
 [testenv]
 passenv =
     # Prevent Python bytecode files from being created