Lock down buckets created by ADF - block public access #350

Merged
merged 2 commits into from
Apr 14, 2021

Conversation

sbkok
Collaborator

@sbkok sbkok commented Apr 12, 2021

Why?

By default, ADF does not mark any object or bucket to be publicly
accessible. However, the buckets did not restrict any other process from
doing so anyway.

What?

To ensure objects are not accidentally made public, this change will
enforce that. Changing the object or bucket policies to public would not
be allowed.

Additionally, one bucket, the BootstrapArtifactStorageBucket that was
added recently by #270 did not configure encryption and versioning.
This was not released as part of ADF yet, so no data was exposed.

The samples that deployed buckets are also updated to include the
encryption, versioning, and block public access properties.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@sbkok sbkok added this to the v3.2.0 milestone Apr 12, 2021
@sbkok sbkok added the enhancement New feature or request label Apr 12, 2021
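As an added example (not code from ADF or this PR), the following Python check scans a CloudFormation template for AWS::S3::Bucket resources that lack the three controls this change enforces: a PublicAccessBlockConfiguration with all four flags set, default BucketEncryption, and VersioningConfiguration enabled. The template it runs against is constructed for illustration; the bucket and finding names are not ADF's.

```python
from typing import Dict, List

# All four flags must be true for the bucket to be fully locked down.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def bucket_findings(props: Dict) -> List[str]:
    """Return the hardening controls missing from one bucket's Properties."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
        findings.append("public access not fully blocked")
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("no default encryption")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    return findings


def lint_template(template: Dict) -> Dict[str, List[str]]:
    """Map each AWS::S3::Bucket logical id to its findings; clean buckets are omitted."""
    results = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            findings = bucket_findings(resource.get("Properties", {}))
            if findings:
                results[name] = findings
    return results


# Constructed template (not from ADF): a bucket with no hardening properties, one that
# is only partially locked down, and one with the properties this change adds.
SAMPLE_TEMPLATE = {"Resources": {
    "WeakBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "PartialBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True},
        "VersioningConfiguration": {"Status": "Suspended"}}},
    "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "VersioningConfiguration": {"Status": "Enabled"}}},
}}

if __name__ == "__main__":
    for bucket, issues in lint_template(SAMPLE_TEMPLATE).items():
        print(f"{bucket}: {', '.join(issues)}")
```

A bucket with only some of the four flags set is reported the same as one with none, since a single unset flag still leaves a path to a public ACL or policy.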

@deltagarrett deltagarrett left a comment

LGTM and... security is job zero! ; )

Collaborator

@thomasmcgannon thomasmcgannon left a comment

LGTM, assuming line 778 with version is being replaced in #351 with the metadata tag?

@sbkok
Collaborator Author

sbkok commented Apr 14, 2021

@thomasmcgannon Correct, I will patch that in the other PR.

@sbkok sbkok merged commit ef461d5 into awslabs:master Apr 14, 2021
@sbkok sbkok deleted the improvement/s3-bucket-block-public-access branch April 14, 2021 15:11