Add a new s3 check to verify if objects inside the bucket are public

[Fennerr]

New feature motivation

The s3_bucket_public_access checks for public access at the bucket level, but objects inside of it might be public

Solution Proposed

Its not feasible to check every object in the bucket. My proposal is to use a function that will select a user-defined (via config options) number of random objects in the bucket, and check if they are public. What I am seeing on my current assessment is that there are buckets that arnt public, but every object in the buckets are public, so this check would catch this type of misconfig.

Risk is mitigated (when compared to a full-blown public bucket) as you cant simply list the objects in the bucket, as the bucket is not publicly accessible.

Here is some pseduo-code that could be modified and used

import boto3
import random

def list_and_randomly_select_s3_objects(bucket_name, number_of_objects=3):
    # Initialize a boto3 client
    s3 = boto3.client('s3')
    
    # Retrieve the list of objects in the bucket
    try:
        response = s3.list_objects_v2(Bucket=bucket_name)
        objects = response.get('Contents', [])
        
        # Check if the bucket is empty
        if not objects:
            print("The bucket is empty.")
            return []
        
        # Extract object keys
        object_keys = [obj['Key'] for obj in objects]
        
        # Randomly select the user-defined number of objects, default is 3
        selected_keys = random.sample(object_keys, min(len(object_keys), number_of_objects))
        
        print(f"Randomly selected object keys: {selected_keys}")
        return selected_keys
    except Exception as e:
        print(f"An error occurred: {e}")
        return []

# Example usage
bucket_name = 'your-bucket-name'
selected_objects = list_and_randomly_select_s3_objects(bucket_name, 3)  # You can change 3 to any number you prefer

Describe alternatives you've considered

None

Additional context

No response

[Fennerr]

I imagine that the "list_and_randomly_select_s3_objects" method would be implemented on the s3_client, and then used in the check

[ChaitanyaYeole02]

@jfagoagas I am interested work on this issue. Can you please assign it to me?

[jfagoagas]

Hello @ChaitanyaYeole02, for sure that you can work on this. I think first we'd need to:

• Analyze what is happening.
• Get a list of affected checks if any
• Get a list of possible new checks if any
• See how can make a general solution, i.e.: having a common function to check that.

What do you think? If we do this analysis first we can get to a better and quicker solution. It'd be great if this analysis is first shared and discussed within this issue since it could help / attract other users and also provide more visibility about the current status.

[abant07]

Hey @jfagoagas @ChaitanyaYeole02 is this something I can work on, if you haven't already started working on it.

Thanks!

[ChaitanyaYeole02]

Hello @abant07 ,
I am working on this issue already.