Don't set S3 bucket ACLs (#355)

* aws.persistence.lambda-overwrite-code: Don't set a bucket ACL (closes #354) * Avoid setting built-in bucket ACLs
DataDog · May 10, 2023 · c70d758 · c70d758
1 parent 949778b
commit c70d758
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 7 deletions.
diff --git a/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf b/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
@@ -30,7 +30,6 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = "${local.resource_prefix}-${random_string.suffix.result}"
-  acl    = "private"
 }
 
 output "bucket_name" {

diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf b/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
@@ -50,7 +50,6 @@ resource "random_string" "suffix" {
 
 resource "aws_s3_bucket" "bucket" {
   bucket        = "${local.resource_prefix}-bucket-${random_string.suffix.result}"
-  acl           = "private"
   force_destroy = true
 }
 resource "aws_s3_bucket_object" "code" {

diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.tf
@@ -52,11 +52,6 @@ resource "aws_s3_bucket" "bucket" {
   force_destroy = true
 }
 
-resource "aws_s3_bucket_acl" "bucket_acl" {
-  bucket = aws_s3_bucket.bucket.id
-  acl    = "private"
-}
-
 resource "aws_s3_object" "lambda_zip" {
   bucket         = aws_s3_bucket.bucket.id
   key            = "lambda.zip"