Running the AWS perimeter mod control aws_perimeter.control.s3_bucket_policy_prohibit_public_access fails with the error
Error: operation error S3: GetBucketLocation, https response error StatusCode: 403, RequestID: <REDACTED>, HostID: <REDACTED>, api error AccessDenied: Access Denied (SQLSTATE HV000)
This looks to be down to several buckets with messed up permission policies.
So I modified the steampipe configuration to include
ignore_error_codes = ["AccessDenied", "AccessDeniedException", "NotAuthorized", "UnauthorizedOperation", "UnrecognizedClientException", "AuthorizationError"]
This at least allows the control to run to a conclusion; however, the buckets that previously caused the control to fail now report OK:
OK : <BUCKET NAME REDACTED> policy does not allow public access. .......................................................... <nil> <ACCOUNT NAME REDACTED>
Steampipe version (steampipe -v)
v0.17.4
Plugin version (steampipe plugin list)
+--------------------------------------------------+---------+-------------+
| Installed Plugin | Version | Connections |
+--------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/aws@latest | 0.91.0 | aws |
| hub.steampipe.io/plugins/turbot/steampipe@latest | 0.6.0 | steampipe |
+--------------------------------------------------+---------+-------------+
To reproduce
Create a bucket policy which only allows access to a specific role.
Expected behavior
Should these particular resources be flagged as ERROR, as the credentials being used are insufficient for these buckets to be evaluated even though certain error codes are being ignored?
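The failure mode described in this issue (an access error being silently folded into "no policy found", which then grades as OK) can be avoided by keeping the three outcomes separate: policy readable and not public, policy readable and public, policy unreadable. The following is an added illustration written for this report; it is not Steampipe's own control SQL and not code from the aws plugin. It simulates the per-bucket responses offline with constructed data instead of calling S3, and the bucket names, the `SAMPLE_RESPONSES` table and the helper names are assumptions. With boto3 the same classification would be fed from `get_bucket_policy()` and the `Code` field of a `ClientError`.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of what a GetBucketPolicy round would return per bucket
# (hypothetical names). Each entry is either ("policy", <json text>) or
# ("error", <AWS error code>).
SAMPLE_RESPONSES: Dict[str, Tuple[str, str]] = {
    "reports-private": ("policy", json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::reports-private/*"}]})),
    "static-site": ("policy", json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::static-site/*"}]})),
    "no-policy-bucket": ("error", "NoSuchBucketPolicy"),
    # The case from the issue: the caller is not allowed to read this bucket.
    "locked-down-bucket": ("error", "AccessDenied"),
}


@dataclass
class BucketResult:
    bucket: str
    status: str  # "ok", "alarm" or "error" (mirrors the control statuses)
    reason: str


def _is_public_principal(principal: Any) -> bool:
    """True when a statement's Principal grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def policy_allows_public(policy_json: str) -> bool:
    """Return True if any Allow statement grants to a wildcard principal
    with no Condition block. Conditioned wildcard grants are deliberately
    not treated as public here (assumption for this illustration); they
    need a closer look than this simple check gives."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        return True
    return False


def evaluate_bucket(name: str, policy_json: Optional[str] = None,
                    error_code: Optional[str] = None) -> BucketResult:
    """Classify one bucket. The key point: an access error is 'error',
    never 'ok', because nothing was actually evaluated."""
    if error_code is not None:
        if error_code == "NoSuchBucketPolicy":
            # Genuinely no policy attached: nothing to grant public access.
            return BucketResult(name, "ok", "no bucket policy attached")
        return BucketResult(name, "error",
                            f"policy could not be read ({error_code})")
    if policy_json is None:
        return BucketResult(name, "error", "no policy document and no error code")
    if policy_allows_public(policy_json):
        return BucketResult(name, "alarm", "policy allows public access")
    return BucketResult(name, "ok", "policy does not allow public access")


def run_control(responses: Dict[str, Tuple[str, str]]) -> List[BucketResult]:
    """Evaluate every bucket in the constructed response table."""
    results = []
    for name, (kind, payload) in responses.items():
        if kind == "policy":
            results.append(evaluate_bucket(name, policy_json=payload))
        else:
            results.append(evaluate_bucket(name, error_code=payload))
    return results


if __name__ == "__main__":
    for r in run_control(SAMPLE_RESPONSES):
        print(f"{r.status.upper():5} : {r.bucket} {r.reason}")
```

Run as a script it prints one line per constructed bucket; the bucket that returned AccessDenied lands in ERROR rather than OK, which is the behaviour this issue asks about.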