S3 Bucket CORS is allowed for all origins

ID

aws_s3_bucket_unsecured_cors

Severity

high

Vendor

AWS

Resource

Network

Tags

reachable

Description

S3 Bucket CORS is allowed for all origins. If allowed_origins is configured with *, any website can make cross-origin requests to the bucket from a visitor's browser, enabling attackers to perform privileged actions or to retrieve potentially sensitive information.

To fix it, you must configure allowed_origins to restrict access to the specific origins that need it.

Learn more about this topic at AWS S3 Bucket CORS.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - community.aws.s3_cors:
        name: mys3bucket
        state: present
        rules:
          - allowed_origins:
              - "*"   # wildcard: any origin may make cross-origin requests to this bucket
            allowed_methods:
              - GET
              - POST
            allowed_headers:
              - Authorization
            expose_headers:
              - x-amz-server-side-encryption
              - x-amz-request-id
            max_age_seconds: 30000

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - community.aws.s3_cors:
        name: mys3bucket
        state: present
        rules:
          - allowed_origins:
              - http://www.example.com   # must equal the browser's Origin header: scheme://host[:port], no path or trailing slash
            allowed_methods:
              - GET
              - POST
            allowed_headers:
              - Authorization
            expose_headers:
              - x-amz-server-side-encryption
              - x-amz-request-id
            max_age_seconds: 30000
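As an added example (not code from the rule page or from the community.aws collection), a small audit that walks an already-parsed Ansible playbook, finds community.aws.s3_cors tasks and flags every allowed_origins entry that is a bare wildcard, plus entries that can never match a browser Origin header (which carries only scheme://host[:port]). It assumes the playbook was loaded with yaml.safe_load; the embedded playbooks are constructed from the two examples above, and the short s3_cors alias is an assumption.

```python
"""Audit parsed Ansible playbooks for over-permissive S3 CORS origins.
Added example; not code from the rule page or the community.aws collection."""
from urllib.parse import urlsplit

# Task keys under which the S3 CORS module may appear. The fully qualified
# name is on the rule page; the short alias is an assumption.
S3_CORS_MODULES = ("community.aws.s3_cors", "s3_cors")


def classify_origin(origin):
    """'wildcard' for a bare '*' (any site may make CORS requests);
    'malformed' when the value can never equal a browser Origin header,
    which is only scheme://host[:port] with no path or trailing slash;
    'ok' otherwise (a single '*' inside the host, which S3 permits, passes)."""
    value = str(origin).strip()
    if value == "*":
        return "wildcard"
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return "malformed"
    return "ok"


def find_cors_findings(playbook):
    """Return (bucket, rule_index, origin, verdict) for every allowed_origins
    entry of an s3_cors task whose verdict is not 'ok'."""
    findings = []
    for play in playbook:
        for task in play.get("tasks") or []:
            for module in S3_CORS_MODULES:
                args = task.get(module)
                if not isinstance(args, dict):
                    continue
                for index, rule in enumerate(args.get("rules") or []):
                    for origin in rule.get("allowed_origins") or []:
                        verdict = classify_origin(origin)
                        if verdict != "ok":
                            findings.append((args.get("name"), index, origin, verdict))
    return findings


# Constructed: the yaml.safe_load form of the rule page's two playbooks,
# trimmed to the keys the audit reads.
WILDCARD_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"community.aws.s3_cors": {"name": "mys3bucket", "state": "present",
     "rules": [{"allowed_origins": ["*"], "allowed_methods": ["GET", "POST"]}]}}]}]
FIXED_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"community.aws.s3_cors": {"name": "mys3bucket", "state": "present",
     "rules": [{"allowed_origins": ["http://www.example.com"], "allowed_methods": ["GET"]}]}}]}]

if __name__ == "__main__":
    for finding in find_cors_findings(WILDCARD_PLAYBOOK) + find_cors_findings(FIXED_PLAYBOOK):
        print("%s rule %d origin %r: %s" % finding)
```

Run against the mitigation playbook as written on the page with a trailing slash, the audit reports the origin as malformed, because S3 compares the value against the Origin header and a browser never sends a path in it.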