def control_4_2_no_global_s3()

in code/SecGuardRails/stack_validate_lambda.py [0:0]


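def control_4_2_no_global_s3(stackName):
    """Check that the stack's S3 bucket is not exposed to the public.

    Resolves the physical name of the stack's ``S3Bucket`` logical resource
    through CloudFormation, then inspects the bucket policy and, if that is
    clean, the bucket ACL. The control fails when either grants access to
    everyone. It also fails closed: if the policy or the ACL cannot be read
    (e.g. AccessDenied) the bucket is reported as an offender instead of
    silently passing. Bucket-level Block Public Access settings are not
    consulted; the verdict rests on the policy and ACL alone.

    Args:
        stackName: Name or ID of the CloudFormation stack owning the
            ``S3Bucket`` resource.

    Returns:
        dict with keys ``Result`` (bool), ``failReason`` (str, empty when the
        control passes), ``Offenders`` (list of bucket names),
        ``ScoredControl``, ``Description`` and ``ControlId``.

    Raises:
        botocore.exceptions.ClientError: if the stack or its ``S3Bucket``
            resource cannot be described (propagated unchanged).
    """

    # Getting the s3 bucket name first from cloudformation
    cfn = boto3.client('cloudformation')
    cfnResourceBucketInfo = cfn.describe_stack_resource(StackName=stackName, LogicalResourceId='S3Bucket')
    s3BucketName = cfnResourceBucketInfo['StackResourceDetail']['PhysicalResourceId']

    hasPassed = True
    failReason = ""
    offenders = []
    control = "4.2"
    description = "Ensure that there are no S3 elements exposed to the public"
    scored = True
    client = boto3.client('s3')

    # First check bucket policy
    try:
        response = client.get_bucket_policy(Bucket=s3BucketName)
        policyJson = json.loads(response['Policy'])
        # IAM allows "Statement" to be a single object or a list; normalise.
        statements = _as_list(policyJson.get('Statement'))
        if any(_statement_allows_everyone(statement) for statement in statements):
            hasPassed = False
            failReason = 'Bucket [' + s3BucketName + '] has Allow policy for everyone.'
            offenders.append(s3BucketName)
    except botocore.exceptions.ClientError as exp:
        errorCode = exp.response.get('Error', {}).get('Code', '')
        if errorCode != 'NoSuchBucketPolicy':
            # Could not verify the policy (AccessDenied, throttling, ...): fail closed
            # rather than letting an unreadable policy count as a pass.
            hasPassed = False
            offenders.append(s3BucketName)
            failReason = s3BucketName + " cannot read bucket policy (" + errorCode + "). Please check permissions on this lambda script"
        # no policy is fine

    if hasPassed:
        # check secondary ACL properties
        try:
            aclResponse = client.get_bucket_acl(Bucket=s3BucketName)
            # One public grant is enough; report the bucket once, not once per grant.
            if any(_grant_is_public(aGrant) for aGrant in aclResponse.get('Grants', [])):
                print('Found information about Global All users. This is not permitted')
                hasPassed = False
                offenders.append(s3BucketName)
                failReason = s3BucketName + " contains ACL specifications for All Users. Update S3 AccessControl property"
        except botocore.exceptions.ClientError:
            print('problems extracting ACL information')
            hasPassed = False
            offenders.append(s3BucketName)
            failReason = s3BucketName + " cannot read ACL information. Please check permissions on this lambda script"

    return {'Result': hasPassed, 'failReason': failReason, 'Offenders': offenders, 'ScoredControl': scored,
            'Description': description, 'ControlId': control}


def _as_list(value):
    """Return a policy element as a list (IAM accepts a bare object where a list is allowed)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Return True if a policy Principal element names the anonymous/any principal.

    Covers the shapes IAM allows: the bare string ``"*"``, a dict such as
    ``{"AWS": "*"}``, and a dict whose values are lists containing ``"*"``.
    """
    if principal == '*':
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if value == '*' or (isinstance(value, list) and '*' in value):
                return True
    return False


def _statement_allows_everyone(statement):
    """Return True if a policy statement is an Allow to everyone.

    Any action counts: a public ``s3:GetObject`` is still public exposure, so
    the action list is deliberately not consulted. A statement that carries a
    Condition is still reported (conservative): whether the condition really
    narrows the audience cannot be decided here. Statements without a
    Principal element are not flagged.
    """
    if not isinstance(statement, dict) or statement.get('Effect') != 'Allow':
        return False
    return _principal_is_everyone(statement.get('Principal'))


def _grant_is_public(grant):
    """Return True if an ACL grant targets the AllUsers or AuthenticatedUsers group.

    AuthenticatedUsers means any AWS account, not just this one, so it is
    treated as public exposure as well.
    """
    grantee = grant.get('Grantee', {})
    if grantee.get('Type') != 'Group':
        return False
    uri = grantee.get('URI') or ''
    return ('groups/global/AllUsers' in uri) or ('groups/global/AuthenticatedUsers' in uri)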