Object Storage Rules
This section details the rules relevant to object storages, such as Amazon S3.
Renamed in 0.0.7

This provider used to be called S3 before the 0.0.7 release. The rename was made to support Azure and GCP going forward. The old output behavior can be restored by passing the --legacy-s3-output flag. Existing rulesets keep working through a compatibility patch.
Do not permit an object storage bucket to be public

This rule checks object storage bucket ACLs to ensure they are not public. The configuration looks like this:

    - type: OS_PUBLIC_READ_PROHIBITED
      include:
        - some.*regexp
      exclude:
        - some.*regexp
include

This option accepts a list of regular expressions to match against the bucket name. If include is specified, only the buckets whose names match one of the expressions will be considered.

exclude

This option lets you exclude certain buckets from checking, using the same regular-expression matching as include above. The exclude rule takes precedence over include: a bucket matched by both is skipped.
scanContents (since 0.0.2)

This is a true/false flag indicating whether the contents of the buckets should also be scanned for ACL violations. If true, every object in each in-scope bucket is checked, which may take a very long time on large buckets. If false, only the bucket ACL itself is evaluated.
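To make the include/exclude precedence and the scanContents behavior concrete, here is an added, self-contained illustration of how such a rule could be evaluated against S3-style ACL documents. It is not the project's own implementation; the bucket names and ACLs are constructed, and it assumes patterns are matched with re.search (not anchored).

```python
import re

# The two AWS group URIs that make an S3 grant world-readable (real AWS values).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def in_scope(rule, bucket_name):
    """include/exclude regexps as described above; exclude wins over include.
    Assumption: patterns are searched anywhere in the name (re.search)."""
    if any(re.search(p, bucket_name) for p in rule.get("exclude") or []):
        return False
    includes = rule.get("include") or []
    return not includes or any(re.search(p, bucket_name) for p in includes)

def acl_is_public(acl):
    """True if any grant in an S3-style ACL document targets a public group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))

def evaluate(rule, buckets):
    """Return (bucket, key) findings; key is None for a bucket-level ACL violation.
    Object ACLs are only inspected when scanContents is true."""
    findings = []
    for name, data in buckets.items():
        if not in_scope(rule, name):
            continue
        if acl_is_public(data["acl"]):
            findings.append((name, None))
        if rule.get("scanContents"):
            for key, obj_acl in data.get("objects", {}).items():
                if acl_is_public(obj_acl):
                    findings.append((name, key))
    return findings

# Constructed rule and inventory (hypothetical bucket names, not real data).
RULE = {"type": "OS_PUBLIC_READ_PROHIBITED", "include": ["^prod-"],
        "exclude": ["-public$"], "scanContents": True}
PUBLIC = {"Grants": [{"Grantee": {"Type": "Group",
          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
BUCKETS = {
    "prod-data": {"acl": PUBLIC, "objects": {"report.csv": PRIVATE}},
    "prod-site-public": {"acl": PUBLIC},   # skipped: exclude beats include
    "dev-scratch": {"acl": PUBLIC},        # skipped: does not match include
    "prod-logs": {"acl": PRIVATE, "objects": {"2024/app.log": PUBLIC}},
}

if __name__ == "__main__":
    for bucket, key in evaluate(RULE, BUCKETS):
        print(f"{bucket}: {'bucket ACL' if key is None else key} is public")
```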