Closed Bug 1618713 Opened 5 years ago Closed 5 years ago

public artifact buckets should not be listable

Categories

(Cloud Services :: Operations: Taskcluster, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: brian)


The following buckets were identified as allowing listing. Since the artifacts are public this isn't awful, but it shouldn't be allowed.

Our policy for each of those buckets is currently (set in cloudops-infra/projects/taskcluster/tf/main.tf):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "${aws_s3_bucket.public_artifacts.arn}/*"
        }
    ]
}

The docs at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html suggest that an explicit deny should do the trick to prevent it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "${aws_s3_bucket.public_artifacts.arn}/*"
        },
        {
            "Sid": "PreventListingBucket",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:ListBucket",
            "Resource": "${aws_s3_bucket.public_artifacts.arn}"
        }
    ]
}

Brian, would the above be the recommended way to forbid listing, or do we have a different standard that I've missed?

Flags: needinfo?(bpitts)

Right now we have both an ACL of "public-read" and a bucket policy of s3:GetObject for *. I think that these both allow everyone to read objects, but the ACL also allows listing the bucket. I think what you did above would work, since Denies should have precedence over Allows regardless of which access-control mechanism is used. However, I think we could disable bucket listing more simply by just deleting the ACL.

Flags: needinfo?(bpitts)
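To make the reasoning in the two comments above checkable offline, here is a small model of how the bucket policy and the canned ACL combine for an anonymous requester. It is an added example, not code from the bug or from cloudops-infra; the bucket ARN, the object key and the function names are constructed, and the ACL model is deliberately reduced to the one fact that matters here (bucket "public-read" grants AllUsers READ on the bucket, which is what permits listing).

```python
import fnmatch

# Constructed bucket ARN standing in for Terraform's ${aws_s3_bucket.public_artifacts.arn}.
BUCKET_ARN = "arn:aws:s3:::example-public-artifacts"

# Bucket-level permissions a canned ACL grants the anonymous AllUsers group (simplified model):
# "public-read" grants READ on the bucket, and bucket READ is what permits listing.
CANNED_ACL_ANON = {"private": set(), "public-read": {"READ"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_decision(policy, action, resource):
    # IAM evaluation for the anonymous principal {"AWS": "*"}: a matching explicit Deny
    # wins, otherwise a matching Allow allows, otherwise the request is implicitly denied.
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != {"AWS": "*"}:
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"

def anonymous_can_list(policy, canned_acl):
    # ListBucket is a bucket-level action, so it is matched against the bucket ARN itself;
    # a Deny written against "<bucket>/*" never matches it.
    decision = policy_decision(policy, "s3:ListBucket", BUCKET_ARN)
    if decision == "deny":
        return False  # an explicit policy Deny also overrides the ACL grant
    return decision == "allow" or "READ" in CANNED_ACL_ANON[canned_acl]

def anonymous_can_get(policy, key="public/build/target.tar.gz"):
    # GetObject is object-level and is matched against "<bucket ARN>/<key>" (key is constructed).
    return policy_decision(policy, "s3:GetObject", BUCKET_ARN + "/" + key) == "allow"

def make_policy(extra_statements=()):
    # The bug's current policy (anonymous GetObject on every key) plus any extra statements.
    get_object = {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
                  "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}
    return {"Version": "2012-10-17", "Statement": [get_object, *extra_statements]}

def deny_listing(resource):
    return {"Sid": "PreventListingBucket", "Effect": "Deny", "Principal": {"AWS": "*"},
            "Action": "s3:ListBucket", "Resource": resource}
```

With the current policy and a "public-read" ACL the bucket lists; dropping the ACL, or adding a Deny on s3:ListBucket against the bucket ARN, stops listing while s3:GetObject keeps working, whereas a Deny written against "<bucket>/*" changes nothing.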

Dustin, I've applied my suggested change above to https://artifacts.tcstage.mozaws.net/ . Can you validate it now behaves as you expect, meaning it's not listable but the relevant consumers can still fetch artifacts?

Also, can you clarify if this change should apply to just public artifacts, or public blobs as well?

Flags: needinfo?(dustin)

Looks good!

Blobs are dead. I'll file a bug to remove config for them.

Flags: needinfo?(dustin)

No need for a new bug, I can get it in https://github.com/mozilla-services/cloudops-infra/pull/1963

We can roll this out to community and firefoxci next week.

I've applied this in community.

Assignee: edunham → bpitts
Status: NEW → ASSIGNED

I've applied this in firefox ci.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED