fluidasserts.cloud.aws.s3 module

AWS cloud checks (S3).

fluidasserts.cloud.aws.s3.bucket_objects_can_be_listed(bucket_names)

Check if the objects in an S3 bucket can be listed by everyone.

This check works without aws access keys.

Parameters

bucket_names – name of the S3 bucket.
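The check above needs no AWS credentials: an anonymous GET on the bucket root either returns a ListBucketResult document (the bucket is enumerable by anyone) or an S3 error document. The following is an added example, not fluidasserts' own code; the function names and the two response bodies are constructed here so the classification logic runs offline, and only the live helper (which is not exercised below) actually talks to S3.

```python
import xml.etree.ElementTree as ET
from urllib import error, request

# S3 wraps listing responses in this namespace; error documents carry none.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_listing_response(status, body):
    """Classify the response to an unauthenticated GET on a bucket root.

    Returns (verdict, keys): 'OPEN' with the listed keys when S3 returned a
    ListBucketResult (anyone on the internet can enumerate objects), 'CLOSED'
    when S3 explicitly refused, 'UNKNOWN' for anything else (missing bucket,
    redirect to another region, non-XML body).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "UNKNOWN", []
    if status == 200 and root.tag == f"{S3_NS}ListBucketResult":
        keys = [el.text for el in root.findall(f"{S3_NS}Contents/{S3_NS}Key")]
        return "OPEN", keys
    if root.tag.endswith("Error"):
        code = root.findtext("Code")
        if code in ("AccessDenied", "AllAccessDisabled"):
            return "CLOSED", []
    return "UNKNOWN", []


def fetch_bucket_root(bucket_name, timeout=10):
    """Anonymous GET of the bucket root; returns (HTTP status, body bytes).

    No credentials are attached, which is exactly the situation the check models.
    """
    url = f"https://{bucket_name}.s3.amazonaws.com/"
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def bucket_objects_can_be_listed(bucket_name):
    """Live version of the check (hypothetical name): 'OPEN' if the bucket lists anonymously."""
    return classify_listing_response(*fetch_bucket_root(bucket_name))


# Constructed responses (not captured from a real bucket) so the logic runs offline.
LISTABLE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><IsTruncated>false</IsTruncated>
  <Contents><Key>backup.sql</Key><Size>1024</Size></Contents>
  <Contents><Key>index.html</Key><Size>512</Size></Contents>
</ListBucketResult>"""

DENIED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

if __name__ == "__main__":
    print(classify_listing_response(200, LISTABLE_BODY))  # ('OPEN', ['backup.sql', 'index.html'])
    print(classify_listing_response(403, DENIED_BODY))    # ('CLOSED', [])
```

A NoSuchBucket or PermanentRedirect error is deliberately reported as UNKNOWN rather than CLOSED: the first means the name is unclaimed, the second that the request went to the wrong regional endpoint, and neither says anything about the bucket's permissions.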

fluidasserts.cloud.aws.s3.buckets_allow_unauthorized_public_access(key_id, secret, retry=True)

Check if S3 buckets allow unauthorized public access via bucket policies.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if policies allow unauthorized public access.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.s3.buckets_has_permissive_acl_permissions(key_id, secret, retry=True)

Check if S3 buckets allow global write, delete, or read ACL permissions.

Disable grants to the global "all users" groups on all S3 buckets and ensure the bucket ACL is configured with least privilege.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are buckets with global ACL permission.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
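The two checks above (unauthorized public access via bucket policy, and permissive ACL grants) both reduce to inspecting documents that boto3 returns from get_bucket_policy and get_bucket_acl. The following is an added example, not fluidasserts' code: it evaluates both documents with pure functions over constructed sample data so it runs offline, and the function names are hypothetical. It assumes the boto3 response shapes (a JSON string under 'Policy'; a 'Grants' list with 'Grantee' and 'Permission').

```python
import json

# The two S3 predefined groups that mean "anyone" and "any AWS account".
GLOBAL_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Any of these permissions, granted to a global group, is a finding.
RISKY_ACL_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """IAM policy JSON allows a bare value wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy_document):
    """Allow statements granted to everyone without any Condition block.

    `policy_document` is the JSON string get_bucket_policy returns under
    'Policy' (a parsed dict is accepted too).
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and _principal_is_everyone(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def permissive_acl_grants(acl):
    """Grants in a get_bucket_acl response that go to AllUsers/AuthenticatedUsers."""
    return [
        grant for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in GLOBAL_GRANTEE_URIS
        and grant.get("Permission") in RISKY_ACL_PERMISSIONS
    ]


def assess_public_exposure(name, policy_document, acl):
    """'OPEN' with findings if the bucket is exposed by policy or ACL, else 'CLOSED'."""
    findings = []
    for stmt in public_policy_statements(policy_document):
        findings.append(f"{name}: policy statement {stmt.get('Sid', '<no Sid>')} allows {stmt.get('Action')} to everyone")
    for grant in permissive_acl_grants(acl):
        group = grant["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    return ("OPEN" if findings else "CLOSED"), findings


# Constructed sample documents (bucket names, IDs and the VPC endpoint are placeholders).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-bucket/*",
    }],
})
# Wildcard principal but scoped by a Condition (here to one VPC endpoint): not anonymous.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
PUBLIC_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_public_exposure("example-public-bucket", PUBLIC_POLICY, PUBLIC_ACL))
    print(assess_public_exposure("example-private-bucket", SCOPED_POLICY, PRIVATE_ACL))
```

Treating any Condition block as "not public" is a simplification: a condition on aws:SourceVpce or aws:SourceIp does restrict the wildcard principal, but a condition that only constrains, say, s3:x-amz-acl does not. A stricter scanner would whitelist the restricting condition keys rather than accept all of them.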

fluidasserts.cloud.aws.s3.has_buckets_without_default_encryption(key_id, secret, retry=True)

Check if Amazon S3 buckets do not have the Default Encryption feature enabled.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are buckets without default encryption.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.s3.has_disabled_server_side_encryption(key_id, secret, retry=True)

Check if S3 buckets have Server-Side Encryption disabled.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are S3 buckets that do not have Server-Side Encryption enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.s3.has_insecure_transport(key_id, secret, retry=True)

Check if S3 buckets are protecting data in transit using SSL.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Returns

  • OPEN if there are S3 buckets that do not protect data in transit.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.s3.has_public_buckets(key_id, secret, retry=True)

Check if S3 buckets have public read access.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Return type

tuple

fluidasserts.cloud.aws.s3.has_server_access_logging_disabled(key_id, secret, retry=True)

Check if S3 buckets have server access logging enabled.

Parameters
  • key_id (str) – AWS Key Id.

  • secret (str) – AWS Key Secret.

Return type

tuple
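The default encryption, server-side encryption, insecure transport and server access logging checks above all inspect per-bucket configuration that boto3 returns from get_bucket_encryption, get_bucket_policy and get_bucket_logging. The following is an added example, not fluidasserts' code: the function names are hypothetical, the response shapes are assumed from the boto3 documentation, and the sample configurations are constructed so the logic runs offline. The transport check models the usual control, a Deny statement on aws:SecureTransport=false covering all S3 actions.

```python
import json


def _statements(policy_document):
    """Statements of a bucket policy; accepts the JSON string from get_bucket_policy, a dict, or None (no policy)."""
    if policy_document is None:
        return []
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def has_default_encryption(encryption_config):
    """True if the ServerSideEncryptionConfiguration has a default SSE rule.

    None models the case where get_bucket_encryption raised because no configuration exists.
    """
    if not encryption_config:
        return False
    for rule in encryption_config.get("Rules", []):
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm in ("AES256", "aws:kms", "aws:kms:dsse"):
            return True
    return False


def enforces_secure_transport(policy_document):
    """True if the policy denies every principal and every S3 action when aws:SecureTransport is false."""
    for stmt in _statements(policy_document):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        # A deny limited to a few actions still leaves other calls reachable over plain HTTP.
        if any(action in ("*", "s3:*") for action in actions):
            return True
    return False


def has_server_access_logging(logging_config):
    """True if get_bucket_logging reported a LoggingEnabled block with a target bucket."""
    return bool((logging_config or {}).get("LoggingEnabled", {}).get("TargetBucket"))


def assess_data_protection(name, encryption_config, policy_document, logging_config):
    """'OPEN' with one finding per failed control, 'CLOSED' when all three pass."""
    findings = []
    if not has_default_encryption(encryption_config):
        findings.append(f"{name}: no default server-side encryption configured")
    if not enforces_secure_transport(policy_document):
        findings.append(f"{name}: policy does not deny requests with aws:SecureTransport=false")
    if not has_server_access_logging(logging_config):
        findings.append(f"{name}: server access logging disabled")
    return ("OPEN" if findings else "CLOSED"), findings


# Constructed sample configurations (bucket and key names are placeholders).
ENCRYPTED = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-bucket-key"}}]}
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
LOGGING_ON = {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3-access/"}}

if __name__ == "__main__":
    print(assess_data_protection("example-bucket", ENCRYPTED, TLS_ONLY_POLICY, LOGGING_ON))  # ('CLOSED', [])
    print(assess_data_protection("bare-bucket", None, None, {}))  # OPEN with three findings
```

Passing None for the encryption configuration mirrors what a real scanner sees: get_bucket_encryption raises ServerSideEncryptionConfigurationNotFoundError when no default is set, so the caller has to catch that error and treat it as "no encryption" rather than as an UNKNOWN result.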