No Handlers for S3 Data Access Point Account/ARN and ACLs #9408
JessMartin123 added a commit to JessMartin123/cloud-custodian that referenced this issue (Apr 5, 2024).
JessMartin123 added a second commit to JessMartin123/cloud-custodian that referenced this issue (Apr 5, 2024).
Describe the bug
If a bucket policy contains data access points, the cross-account filter is unable to check the account IDs in the condition, and "no handler" errors are encountered. This limitation restricts the effective management of S3 resources, particularly those associated with Data Access Points. "No handler" warnings are also returned if the bucket policy references ACLs.
Example:
S3 bucket policy:
The policy statement contains the s3:DataAccessPointAccount condition. This statement allows bucket access via a data access point for a specific AWS account ID.
Similarly, the s3:DataAccessPointArn condition, which provides access to the bucket from a specific data access point, raises the same "no handler" errors.
And any policy referencing an ACL condition also returns "no handler" warnings.
What did you expect to happen?
I expected the cross-account filter to check the account IDs listed in the data access point conditions, to enable enforcement of policies for cross-account access to S3 resources. Instead it is unable to deal with these policies and returns "no handler" messages.
Likewise, I expected Custodian to handle policies that reference ACLs, but it is not able to.
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information
Policy
```yaml
policies:
  - name: s3-policy
    resource: s3
    filters:
      - Name: c7n-test-policy
      - or:
          - type: cross-account
            whitelist:
              - "123456789012"
```
Relevant log/traceback output
Extra information or context
No response