(amazon-s3): S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED False positive when the BlockPublicAcls has True #281

@zechariahkasina

Description

What is the problem?

The rule S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED looks for the lower-case value true. If the template has the configuration below with upper-case True, cfn-guard reports a finding for this rule. It should ideally treat True as compliant as well.

Resource:

  AccessLoggingBucket:
    Type: AWS::S3::Bucket
    Condition: CreateS3LoggingBucket
    DependsOn: CheckRequirements
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True

Finding:

s3_bucket_level_public_access_prohibited.guard/S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED    FAIL
---
Evaluating data <redacted>.template against rules s3_bucket_level_public_access_prohibited.guard
Number of non-compliant resources 1
Resource = AccessLoggingBucket {
  Type      = AWS::S3::Bucket
  Rule = S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED {
    ALL {
      Check =  %s3_buckets_level_public_access_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicAcls EQUALS  true {
        ComparisonError {
          Error            = Check was not compliant as property value [Path=/Resources/AccessLoggingBucket/Properties/PublicAccessBlockConfiguration/BlockPublicAcls[L:1696,C:25] Value="True"] not equal to value [Path=[L:0,C:0] Value=true]. Error = [PathAwareValues are not comparable String, bool]
          PropertyPath    = /Resources/AccessLoggingBucket/Properties/PublicAccessBlockConfiguration/BlockPublicAcls[L:1696,C:25]
          Operator        = EQUAL
          Value           = "True"
          ComparedWith    = true
          Code:
             1694.          - ServerSideEncryptionByDefault:
             1695.              SSEAlgorithm: AES256
             1696.      PublicAccessBlockConfiguration:
             1697.        BlockPublicAcls: True
             1698.        BlockPublicPolicy: True
             1699.        IgnorePublicAcls: True

        }
      }
      Check =  %s3_buckets_level_public_access_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicPolicy EQUALS  true {
        ComparisonError {
          Error            = Check was not compliant as property value [Path=/Resources/AccessLoggingBucket/Properties/PublicAccessBlockConfiguration/BlockPublicPolicy[L:1697,C:27] Value="True"] not equal to value [Path=[L:0,C:0] Value=true]. Error = [PathAwareValues are not comparable String, bool]
          PropertyPath    = /Resources/AccessLoggingBucket/Properties/PublicAccessBlockConfiguration/BlockPublicPolicy[L:1697,C:27]
          Operator        = EQUAL
          Value           = "True"
          ComparedWith    = true
          Code:
             1695.              SSEAlgorithm: AES256
             1696.      PublicAccessBlockConfiguration:
             1697.        BlockPublicAcls: True
             1698.        BlockPublicPolicy: True
             1699.        IgnorePublicAcls: True
             1700.        RestrictPublicBuckets: True

        }
      }

Reproduction Steps

  • Create a sample template file with the snippet below
  AccessLoggingBucket:
    Type: AWS::S3::Bucket
    Condition: CreateS3LoggingBucket
    DependsOn: CheckRequirements
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
  • cfn-guard validate -r "/home/zechak/aws-guard-rules-registry/rules/aws" -d /home/zechak/workplace/test.yaml

Output will have FAIL violations for all items under PublicAccessBlockConfiguration.

What did you expect to happen?

The rule should mark the finding compliant when the value of BlockPublicAcls is set to true or True.

What actually happened?

The S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED rule produces a false positive.

CloudFormation Guard Version

cfn-guard 3.1.2

OS

MacOS

OS Version

No response

Other information

No response
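The ComparisonError in the report shows the root cause: the template scalar True was kept as the string "True" while the rule compares against the boolean true, so the two are "not comparable String, bool". As an added example that is not part of this issue or of the aws-guard-rules-registry, the Python below shows a public-access-block check that normalises the boolean spellings CloudFormation accepts (assumed here to be true, True and TRUE, plus the bool itself) so the reporter's template passes while a genuinely weak configuration still fails; all sample data is constructed.

```python
# Added example (not the issue reporter's or the aws-guard-rules-registry's code):
# a PublicAccessBlockConfiguration check that accepts the boolean spellings
# CloudFormation itself accepts, so `True` kept as a string is not a false positive.

PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                             "IgnorePublicAcls", "RestrictPublicBuckets")

# Assumed set of spellings CloudFormation treats as boolean true for a Boolean property.
TRUE_SPELLINGS = {"true", "True", "TRUE"}


def is_cfn_true(value):
    """True for the bool True or for a true spelling left as a string
    ("True" from an unquoted scalar, "true" from a quoted one); anything else
    (False, "false", None, "yes", 1) is not treated as true."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value in TRUE_SPELLINGS


def check_public_access_block(bucket_properties):
    """Return the flags NOT set to true; an empty list means compliant."""
    config = bucket_properties.get("PublicAccessBlockConfiguration") or {}
    return [f for f in PUBLIC_ACCESS_BLOCK_FLAGS if not is_cfn_true(config.get(f))]


# Constructed sample: the reporter's bucket as loaded by a parser that only
# recognises lower-case `true` as a boolean, so `True` stays the string "True".
SAMPLE_TRUE_AS_STRING = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": "True",
        "BlockPublicPolicy": "True",
        "IgnorePublicAcls": "True",
        "RestrictPublicBuckets": "True",
    }
}

# Constructed sample that is genuinely non-compliant: one flag false, one missing.
SAMPLE_NON_COMPLIANT = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "BlockPublicPolicy": False,
        "IgnorePublicAcls": "true",
    }
}

if __name__ == "__main__":
    print(check_public_access_block(SAMPLE_TRUE_AS_STRING))  # []
    print(check_public_access_block(SAMPLE_NON_COMPLIANT))  # ['BlockPublicPolicy', 'RestrictPublicBuckets']
```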

Labels: bug