sync s3 bucket acl changes

jacknagz · Oct 24, 2017 · a83f53f · a83f53f
1 parent 844c0e2
commit a83f53f
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 180 deletions.
diff --git a/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py b/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
@@ -22,12 +22,13 @@ def cloudtrail_put_bucket_acl(rec):
                   (c) if not, remove the bucket ACL and investigate access logs
     """
     if rec['detail']['eventName'] != 'PutBucketAcl':
+        # check the event type early to avoid unnecessary performance impact
         return False
     elif rec['detail']['requestParameters'] is None:
-        # `requestParameters` can be defined with a value of null
+        # requestParameters can be defined with a value of null
         return False
 
-    insecure_acl_list = {
+    denied_acls = {
         'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
         'http://acs.amazonaws.com/groups/global/AllUsers'
     }
@@ -38,11 +39,11 @@ def cloudtrail_put_bucket_acl(rec):
         return False
 
     grants = access_control_policy['AccessControlList']['Grant']
-    insecure_buckets = []
+    bad_bucket_permissions = []
 
     for grant in grants:
         grantee = grant.get('Grantee', [])
         if 'URI' in grantee:
-            insecure_buckets.append(grantee['URI'] in insecure_acl_list)
+            bad_bucket_permissions.append(grantee['URI'] in denied_acls)
 
-    return any(insecure_buckets)
+    return any(bad_bucket_permissions)