Fix false negatives in the S3 invalid ACL rule #341
Conversation
| "authenticated-read": true, | ||
| "bucket-owner-read": true, | ||
| "bucket-owner-full-control": true, | ||
| "log-delivery-write": true, |
There was a problem hiding this comment.
why was this one removed though? It seems perfectly valid to me?
There was a problem hiding this comment.
In fact, all of the above are valid according to the same link you've referenced in the PR description (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl), so I don't quite understand the change?
There was a problem hiding this comment.
Umm, what you are saying seems right. It's weird...
The list is generated from aws-sdk API definition, so It may be something wrong with how to use. I will investigate it.
There was a problem hiding this comment.
Looks like that block is way out of date - hasn't been updated in 5 years...
There was a problem hiding this comment.
There were commits to add new Canned ACLs since then (aws/aws-sdk-go@0922c23 for example), but that particular block was never updated :(
This PR replaces
aws_s3_bucket_invalid_aclrule with the auto-generated rule introduced in #274.As a result, it also fixes false negatives in the rule. The previous list included object ACLs such as
bucket-owner-read. These are invalid values for bucket ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl