Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

HeikoMR · 2024-03-07T09:56:29Z

Hello,

we use Control Tower for Customizations (https://github.com/aws-solutions/aws-control-tower-customizations) and the deployment currently fails in the buildstep of the cfct-pipeline, because of cfn_nag duo to it recognizing it as a fail and not a warning.
It does not let us implement a bucket policy with "*" principal, even when additionally secured by using conditions.

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": ""
                }
            }
        }
    ]
}

FAIL F16 - S3 Bucket policy should not allow * principal

Thanks in advance
Heiko

EDIT: Will test the linter exclusion-workaround for the resource listed in your readme
EDIT2: Workaround works.

The text was updated successfully, but these errors were encountered:

HeikoMR changed the title ~~FAIL F16 - S3 Bucket policy should not allow * principal~~ Issue: FAIL F16 - S3 Bucket policy should not allow * principal Mar 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

HeikoMR commented Mar 7, 2024 •

edited

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

Issue: FAIL F16 - S3 Bucket policy should not allow * principal #622

Comments

HeikoMR commented Mar 7, 2024 • edited

HeikoMR commented Mar 7, 2024 •

edited