policyuniverse & Bucket Sniping

[tweedge]

Howdy! I noticed that policyuniverse doesn't detect possible bucket sniping - i.e. when a bucket it not owned by the account you expect it to be, as S3 ARNs don't contain account information. statement21 in test_statement.py is a great example:

statement21 = dict(
    Effect="Allow",
    Principal="*",
    Action=["rds:*"],
    Resource="*",
    Condition={"StringEquals": {"AWS:SourceArn": "arn:aws:s3:::mybucket"}},
)

This would potentially allow an external party to access data if the mybucket bucket was deleted and then claimed by an external party, or if the account owner was using predictable bucket names (chris-bucket-us-west-1) and an external party claimed that bucket before they did, etc.

This would differ from policyuniverse's current understanding of what it means for something to be publicly exposed - extending from "this is definitely publicly exposed" to "this could be publicly exposed." I certainly understand if this isn't a change you'd be interested in adding because of that!

However if it is something you'd consider adding, I've tinkered around and found two solutions which could be implemented - one hides booleans here and there throughout statement.py, and adds a little evaluation logic to is_internet_accessible(). This is less readable (basically: flagging any use of unique conditions, principals, etc. since we're iterating through them anyway), but works well, and doesn't waste cycles. Another option would be to put this in its own function, duplicating some of the is_internet_accessible implementation at the cost of some waste (as this would cause a second loop through all conditions statements, principals, etc.), but is much more readable.

Let me know, happy to put a CR up for this, or happy without it 😁

[tweedge]

Ruminating, could also split this out into a possibly_internet_accessible() function? Food for thought :P

[scriptsrc]

Hey, When written, that logic was put into security monkey, which uses policy universe. PolicyUniverse doesn’t have a list of buckets the way SM does.

…

On Sun, Aug 8, 2021 at 12:04 AM Chris Partridge ***@***.***> wrote: Ruminating, could also split this out into a possibly_internet_accessible() function? Food for thought :P — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#142 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB5DLJTGMGRY565O5RPW2XDT3YM6JANCNFSM5BYES6TQ> .

[scriptsrc]

Having said that, it would be cool to see what you came up with. On Sun, Aug 8, 2021 at 8:34 AM Patrick Kelley < ***@***.***> wrote:

…

Hey, When written, that logic was put into security monkey, which uses policy universe. PolicyUniverse doesn’t have a list of buckets the way SM does. On Sun, Aug 8, 2021 at 12:04 AM Chris Partridge ***@***.***> wrote: > Ruminating, could also split this out into a > possibly_internet_accessible() function? Food for thought :P > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#142 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AB5DLJTGMGRY565O5RPW2XDT3YM6JANCNFSM5BYES6TQ> > . >

[tweedge]

A WIP CR is up but I'm not super satisfied with it - if you can give it a review and provide thoughts that'd be great!