s3-secure 0.1.0

data/lib/s3_secure/policy/document/base.rb

@@ -0,0 +1,15 @@
+class S3Secure::Policy::Document
+  class Base
+    extend Memoist
+
+    def initialize(bucket, bucket_policy)
+      # @bucket_policy is existing document policy
+      @bucket, @bucket_policy = bucket, bucket_policy
+    end
+
+    def checker
+      S3Secure::Policy::Checker.new(@bucket_policy)
+    end
+    memoize :checker
+  end
+end

data/lib/s3_secure/policy/document/force_ssl_only_access.rb

@@ -0,0 +1,33 @@
+class S3Secure::Policy::Document
+  class ForceSSLOnlyAccess < Base
+    def policy_document
+      if @bucket_policy.blank?
+        full_policy_document
+      else
+        updated_policy_document
+      end
+    end
+
+    def updated_policy_document
+      policy = JSON.load(@bucket_policy)
+      policy["Statement"] << ssl_enforce_statement unless checker.has?("ForceSSLOnlyAccess")
+      policy
+    end
+
+    def full_policy_document
+      {"Version"=>"2012-10-17",
+       "Statement"=>[ssl_enforce_statement]}
+    end
+
+    def ssl_enforce_statement
+      {
+        "Sid"=>"ForceSSLOnlyAccess",
+        "Effect"=>"Deny",
+        "Principal"=>"*",
+        "Action"=>"s3:GetObject",
+        "Resource"=>"arn:aws:s3:::#{@bucket}/*",
+        "Condition"=>{"Bool"=>{"aws:SecureTransport"=>"false"}}
+      }
+    end
+  end
+end

data/lib/s3_secure/policy/document/force_ssl_only_access_remove.rb

@@ -0,0 +1,33 @@
+class S3Secure::Policy::Document
+  class ForceSSLOnlyAccessRemove < Base
+    def initialize(bucket, bucket_policy)
+      # @bucket_policy is existing document policy
+      @bucket, @bucket_policy = bucket, bucket_policy
+    end
+
+    def policy_document
+      return nil if @bucket_policy.blank?
+
+      updated_policy_document
+    end
+
+    def updated_policy_document
+      policy = JSON.load(@bucket_policy)
+
+      statements = policy["Statement"]
+      has_force_ssl = !!statements.detect { |s| s["Sid"] == "ForceSSLOnlyAccess" }
+      unless has_force_ssl
+        raise "Bucket policy does not have ForceSSLOnlyAccess"
+      end
+
+      if statements.size == 1
+        return nil # to signal for the entire bucket policy to be deleted
+      else
+        statements.delete_if { |s| s["Sid"] == "ForceSSLOnlyAccess" }
+        policy["Statement"] = statements
+      end
+
+      policy
+    end
+  end
+end

data/lib/s3_secure/policy/enforce.rb

@@ -0,0 +1,36 @@
+class S3Secure::Policy
+  class Enforce < Base
+    def initialize(options={})
+      super
+      @sid = options[:sid]
+    end
+
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Policy::List.new(@options)
+      list.set_s3(@s3)
+
+      bucket_policy = list.get_policy(@bucket)
+      document = Document.new(@bucket, bucket_policy)
+      if document.has?(@sid)
+        puts "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
+        puts bucket_policy
+      else
+        # Set encryption rules
+        # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_policy-instance_method
+        # API docs: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ServerSideEncryptionByDefault.html
+        #
+        #    put_bucket_policy returns #<struct Aws::EmptyStructure>
+        #
+        policy_document = document.policy_document(@sid)
+        @s3.put_bucket_policy(
+          bucket: @bucket,
+          policy: policy_document,
+        )
+        puts "Add bucket policy to bucket #{@bucket}:"
+        puts policy_document
+      end
+    end
+  end
+end

data/lib/s3_secure/policy/list.rb

@@ -0,0 +1,29 @@
+class S3Secure::Policy
+  class List < Base
+    def run
+      buckets.each do |bucket|
+        @s3 = s3_regional_client(bucket)
+        puts "Policy for bucket #{bucket.color(:green)}"
+        policy = get_policy(bucket)
+
+        if policy
+          puts policy
+        else
+          puts "Bucket does not have a bucket policy"
+        end
+      end
+    end
+
+    def get_policy(bucket)
+      resp = @s3.get_bucket_policy(bucket: bucket)
+      data = JSON.load(resp.policy.read) # String
+      JSON.pretty_generate(data)
+    rescue Aws::S3::Errors::NoSuchBucketPolicy
+    end
+
+    # Useful when calling List outside of the list CLI
+    def set_s3(client)
+      @s3 = client
+    end
+  end
+end

data/lib/s3_secure/policy/show.rb

@@ -0,0 +1,19 @@
+class S3Secure::Policy
+  class Show < Base
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Policy::List.new(@options)
+      list.set_s3(@s3)
+
+      policy = list.get_policy(@bucket)
+      if policy
+        puts "Bucket #{@bucket} is configured with this policy:"
+        puts policy
+        # puts policy.map(&:to_h)
+      else
+        puts "Bucket #{@bucket} is not configured bucket policy"
+      end
+    end
+  end
+end

data/lib/s3_secure/policy/unforce.rb

@@ -0,0 +1,41 @@
+class S3Secure::Policy
+  class Unforce < Base
+    def initialize(options={})
+      super
+      @sid = options[:sid]
+    end
+
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Policy::List.new(@options)
+      list.set_s3(@s3)
+
+      bucket_policy = list.get_policy(@bucket)
+      document = Document.new(@bucket, bucket_policy, remove: true)
+      if document.has?(@sid)
+        # Set encryption rules
+        # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_policy-instance_method
+        # API docs: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ServerSideEncryptionByDefault.html
+        #
+        #    put_bucket_policy returns #<struct Aws::EmptyStructure>
+        #
+        policy_document = document.policy_document(@sid)
+
+        if policy_document
+          @s3.put_bucket_policy(
+            bucket: @bucket,
+            policy: policy_document,
+          )
+        else
+          @s3.delete_bucket_policy(bucket: @bucket)
+        end
+
+        puts "Remove bucket policy to bucket #{@bucket}:"
+        puts policy_document if policy_document
+      else
+        puts "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."
+      end
+    end
+  end
+end

data/lib/s3_secure/version.rb

@@ -0,0 +1,3 @@
+module S3Secure
+  VERSION = "0.1.0"
+end

data/s3-secure.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "s3_secure/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "s3-secure"
+  spec.version       = S3Secure::VERSION
+  spec.authors       = ["Tung Nguyen"]
+  spec.email         = ["tongueroo@gmail.com"]
+  spec.summary       = "S3 Bucket security hardening tool"
+  spec.homepage      = "https://github.com/tongueroo/s3-secure"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport"
+  spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "memoist"
+  spec.add_dependency "rainbow"
+  spec.add_dependency "thor"
+  spec.add_dependency "zeitwerk"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "byebug"
+  spec.add_development_dependency "cli_markdown"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/spec/lib/cli_spec.rb

@@ -0,0 +1,12 @@
+describe S3Secure::CLI do
+  before(:all) do
+    @args = "--from Tung"
+  end
+
+  describe "s3-secure" do
+    # it "hello" do
+    #   out = execute("exe/s3-secure hello world #{@args}")
+    #   expect(out).to include("from: Tung\nHello world")
+    # end
+  end
+end

data/spec/lib/policy/checker_spec.rb

@@ -0,0 +1,68 @@
+describe S3Secure::Policy::Checker do
+  subject { S3Secure::Policy::Checker.new(policy_json) }
+
+  describe "already has ForceSSLOnlyAccess" do
+    let(:policy_json) {
+      <<~JSON
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "ForceSSLOnlyAccess",
+                    "Effect": "Deny",
+                    "Principal": "*",
+                    "Action": "s3:GetObject",
+                    "Resource": "arn:aws:s3:::my-test-s3-secure-us-east-1/*",
+                    "Condition": {
+                        "Bool": {
+                            "aws:SecureTransport": "false"
+                        }
+                    }
+                }
+            ]
+        }
+      JSON
+    }
+
+    it "has?" do
+      result = subject.has?("ForceSSLOnlyAccess")
+      expect(result).to be true
+    end
+  end
+
+  describe "doesnt have ForceSSLOnlyAccess" do
+    let(:policy_json) {
+      <<~JSON
+        {
+          "Version": "2008-10-17",
+          "Id": "PolicyForCloudFrontPrivateContent",
+          "Statement": [
+            {
+              "Sid": "1",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27G6OAEXAMPLE"
+              },
+              "Action": "s3:GetObject",
+              "Resource": "arn:aws:s3:::test-fake-website/*"
+            }
+          ]
+        }
+      JSON
+    }
+
+    it "has?" do
+      result = subject.has?("ForceSSLOnlyAccess")
+      expect(result).to be false
+    end
+  end
+
+  describe "empty policy" do
+    let(:policy_json) { nil }
+
+    it "has?" do
+      result = subject.has?("ForceSSLOnlyAccess")
+      expect(result).to be false
+    end
+  end
+end

data/spec/lib/policy/document/force_ssl_remove_spec.rb

@@ -0,0 +1,107 @@
+describe S3Secure::Policy::Document::ForceSSLOnlyAccessRemove do
+  subject { S3Secure::Policy::Document::ForceSSLOnlyAccessRemove.new("my-bucket", policy_json) }
+
+  describe "already has ForceSSLOnlyAccess only" do
+    let(:policy_json) {
+      <<~JSON
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "ForceSSLOnlyAccess",
+                    "Effect": "Deny",
+                    "Principal": "*",
+                    "Action": "s3:GetObject",
+                    "Resource": "arn:aws:s3:::my-bucket/*",
+                    "Condition": {
+                        "Bool": {
+                            "aws:SecureTransport": "false"
+                        }
+                    }
+                }
+            ]
+        }
+      JSON
+    }
+
+    it "policy_document" do
+      result = subject.policy_document
+      expect(result).to be nil
+    end
+  end
+
+  describe "already has ForceSSLOnlyAccess and another statement" do
+    let(:policy_json) {
+      <<~JSON
+        {
+          "Version": "2008-10-17",
+          "Id": "PolicyForCloudFrontPrivateContent",
+          "Statement": [
+            {
+              "Sid": "1",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27G6OAEXAMPLE"
+              },
+              "Action": "s3:GetObject",
+              "Resource": "arn:aws:s3:::test-fake-website/*"
+            },
+            {
+              "Sid": "ForceSSLOnlyAccess",
+              "Effect": "Deny",
+              "Principal": "*",
+              "Action": "s3:GetObject",
+              "Resource": "arn:aws:s3:::my-bucket/*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              }
+            }
+          ]
+        }
+      JSON
+    }
+
+    it "policy_document" do
+      result = JSON.pretty_generate(subject.policy_document)
+      expect(result).not_to include("ForceSSLOnlyAccess")
+      expect(result).to include("PolicyForCloudFrontPrivateContent")
+    end
+  end
+
+  describe "empty policy" do
+    let(:policy_json) { nil }
+
+    it "policy_document" do
+      result = subject.policy_document
+      expect(result).to be nil
+    end
+  end
+
+  describe "doesnt have ForceSSLOnlyAccess" do
+    let(:policy_json) {
+      <<~JSON
+        {
+          "Version": "2008-10-17",
+          "Id": "PolicyForCloudFrontPrivateContent",
+          "Statement": [
+            {
+              "Sid": "1",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27G6OAEXAMPLE"
+              },
+              "Action": "s3:GetObject",
+              "Resource": "arn:aws:s3:::test-fake-website/*"
+            }
+          ]
+        }
+      JSON
+    }
+
+    it "policy_document" do
+      expect { subject.policy_document }.to raise_error(RuntimeError)
+    end
+  end
+end

data/spec/lib/policy/document_spec.rb

@@ -0,0 +1,68 @@
+describe S3Secure::Policy::Document do
+  subject { S3Secure::Policy::Document.new("my-bucket", policy_json) }
+
+  describe "already has ForceSSLOnlyAccess" do
+    let(:policy_json) {
+      <<~JSON
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "ForceSSLOnlyAccess",
+                    "Effect": "Deny",
+                    "Principal": "*",
+                    "Action": "s3:GetObject",
+                    "Resource": "arn:aws:s3:::my-bucket/*",
+                    "Condition": {
+                        "Bool": {
+                            "aws:SecureTransport": "false"
+                        }
+                    }
+                }
+            ]
+        }
+      JSON
+    }
+
+    it "policy_document" do
+      result = subject.policy_document("ForceSSLOnlyAccess")
+      expect(result).to include("ForceSSLOnlyAccess")
+    end
+  end
+
+  describe "doesnt have ForceSSLOnlyAccess" do
+    let(:policy_json) {
+      <<~JSON
+        {
+          "Version": "2008-10-17",
+          "Id": "PolicyForCloudFrontPrivateContent",
+          "Statement": [
+            {
+              "Sid": "1",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E27G6OAEXAMPLE"
+              },
+              "Action": "s3:GetObject",
+              "Resource": "arn:aws:s3:::test-fake-website/*"
+            }
+          ]
+        }
+      JSON
+    }
+
+    it "policy_document" do
+      result = subject.policy_document("ForceSSLOnlyAccess")
+      expect(result).to include("ForceSSLOnlyAccess")
+    end
+  end
+
+  describe "empty policy" do
+    let(:policy_json) { nil }
+
+    it "policy_document" do
+      result = subject.policy_document("ForceSSLOnlyAccess")
+      expect(result).to include("ForceSSLOnlyAccess")
+    end
+  end
+end