public artifact buckets should not be listable
Categories: Cloud Services :: Operations: Taskcluster, defect
Tracking: Not tracked
People: Reporter: dustin, Assigned: brian
The following buckets were identified as allowing listing. Since the artifacts are public this isn't awful, but it shouldn't be allowed.
Our policy for each of those buckets is currently (set in cloudops-infra/projects/taskcluster/tf/main.tf):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "${aws_s3_bucket.public_artifacts.arn}/*"
    }
  ]
}
The docs at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html suggest that an explicit deny should do the trick to prevent it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "${aws_s3_bucket.public_artifacts.arn}/*"
    },
    {
      "Sid": "PreventListingBucket",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:ListBucket",
      "Resource": "${aws_s3_bucket.public_artifacts.arn}"
    }
  ]
}
Brian, would the above be the recommended way to forbid listing, or do we have a different standard that I've missed?
Assignee
Comment 2•5 years ago
Right now we have both an ACL of "public-read" and a bucket policy of s3:GetObject for *. I think that these both allow everyone to read objects, but the ACL also allows listing the bucket. I think what you did above would work, since Denies should have precedence over Allows regardless of which access-control mechanism is used. However, I think we could disable bucket listing more simply by just deleting the ACL.
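To make the two fixes discussed above concrete, here is a small added model of S3 access evaluation (example code written for this page, not Taskcluster or cloudops-infra code). It applies the IAM rule from the linked docs, an explicit Deny overrides any Allow from any source, to an anonymous request against the bucket policy above plus an optional public-read bucket ACL. The bucket ARN, the object key and the way the ACL is encoded are constructed assumptions; the policy statements are the ones from the description. It also shows one detail that matters in practice: s3:ListBucket is a bucket-level action, so a Deny on it must name the bucket ARN itself; a Deny whose Resource ends in `/*` never matches a listing request.

```python
"""Model of S3 access evaluation for an anonymous principal (added example).

Rules modelled, and only these:
  * bucket policy statements with Principal "*" / {"AWS": "*"}
  * a public-read ACL, which grants s3:GetObject on objects and
    s3:ListBucket on the bucket
  * any explicit Deny wins; otherwise any Allow wins; otherwise implicit deny
"""
from fnmatch import fnmatchcase

# Constructed stand-in for ${aws_s3_bucket.public_artifacts.arn}
BUCKET_ARN = "arn:aws:s3:::example-public-artifacts"


def _matches(pattern, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, acl_public_read=False):
    """Return "allow" or "deny" for an anonymous request."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # not a public statement, anonymous caller is not covered
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    if acl_public_read:
        # public-read ACL: READ on objects and READ (listing) on the bucket
        if action == "s3:GetObject" and resource.startswith(BUCKET_ARN + "/"):
            allowed = True
        if action == "s3:ListBucket" and resource == BUCKET_ARN:
            allowed = True
    if denied:
        return "deny"  # explicit deny overrides every allow
    return "allow" if allowed else "deny"  # implicit deny when nothing allows


def allow_get():
    """The PublicReadGetObject statement from the current policy."""
    return {"Sid": "PublicReadGetObject", "Effect": "Allow",
            "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": BUCKET_ARN + "/*"}


CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [allow_get()]}


def with_deny_listing(deny_resource):
    """Current policy plus the PreventListingBucket Deny on the given resource."""
    return {"Version": "2012-10-17", "Statement": [allow_get(), {
        "Sid": "PreventListingBucket", "Effect": "Deny",
        "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
        "Resource": deny_resource}]}


def listing_report(policy, acl_public_read):
    """Outcome for the two requests that matter here: fetch one object, list the bucket."""
    obj = BUCKET_ARN + "/public/task-id/artifact.log"  # constructed object key
    return {
        "get_object": evaluate(policy, "s3:GetObject", obj, acl_public_read),
        "list_bucket": evaluate(policy, "s3:ListBucket", BUCKET_ARN, acl_public_read),
    }


if __name__ == "__main__":
    cases = [
        ("current policy + public-read ACL", CURRENT_POLICY, True),
        ("current policy, ACL removed", CURRENT_POLICY, False),
        ("deny ListBucket on bucket ARN + ACL", with_deny_listing(BUCKET_ARN), True),
        ("deny ListBucket on bucket ARN/* + ACL", with_deny_listing(BUCKET_ARN + "/*"), True),
    ]
    for label, policy, acl in cases:
        print(f"{label}: {listing_report(policy, acl)}")
```

Running it shows the four situations in this bug: the current policy with the ACL still present lists the bucket; dropping the ACL stops listing while GetObject keeps working; the explicit Deny also stops listing even with the ACL in place; and a Deny written against `.../*` leaves the bucket listable because it never matches the bucket-level request.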
Assignee
Comment 3•5 years ago
Dustin, I've applied my suggested change above to https://artifacts.tcstage.mozaws.net/ . Can you validate it now behaves as you expect, meaning it's not listable but the relevant consumers can still fetch artifacts?
Also, can you clarify if this change should apply to just public artifacts, or public blobs as well?
Reporter
Comment 4•5 years ago
Looks good!
Blobs are dead. I'll file a bug to remove config for them.
Assignee
Comment 5•5 years ago
No need for a new bug, I can get it in https://github.com/mozilla-services/cloudops-infra/pull/1963
Assignee
Comment 7•5 years ago
We can roll this out to community and firefoxci next week.
Assignee
Comment 8•5 years ago
I've applied this in community.
Assignee
Comment 9•5 years ago
I've applied this in firefox ci.