No Handlers for S3 Data Access Point Account/ARN and ACLs #9408

Open
JessMartin123 opened this issue Apr 5, 2024 · 0 comments · May be fixed by #9411
Describe the bug

If a bucket policy contains data access points, the cross account filter is unable to check the account IDs in the condition - no handler errors are encountered. This limitation restricts the effective management of S3 resources, particularly those associated with Data Access Points. No handler warnings are also returned if the bucket policy references ACLs.

Example:

S3 bucket policy:

The policy statement contains the s3:DataAccessPointAccount condition. This statement allows bucket access via a data access point for a specific AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Delegate access control to s3 access points",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::testingtesting/*",
                "arn:aws:s3:::testingtesting"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "123456789012"
                }
            }
        }
    ]
}

Similarly, the s3:DataAccessPointArn condition raises similar no handler errors, providing access to the bucket from a specific data access point.

        "Condition": {
            "StringEquals": {
                "s3:DataAccessPointArn": "arn:aws:s3:us-east-1:123456789012:accesspoint/testaccesspoint"
            }
        }

And any policy referencing an ACL condition also returns no handler warnings.

        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }

What did you expect to happen?

I expected that the cross-account filter checks account IDs listed in the data access point conditions to enable enforcement of policies for cross-account access to S3 resources. Instead it is unable to deal with these policies and returns no handler messages.
Likewise I expected Custodian to handle policies that reference ACLs, but it is not able to.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Custodian:   0.9.34
Python:      3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
Platform:    posix.uname_result(sysname='Linux', nodename='<nodename>', release='5.15.146.1-microsoft-standard-WSL2', version='#1 SMP Thu Jan 11 04:09:03 UTC 2024', machine='x86_64')
Using venv:  True
Docker: False
Installed: 

PyJWT==2.8.0
PyYAML==6.0.1
adal==1.2.7
anyio==4.2.0
appdirs==1.4.4
applicationinsights==0.11.10
apscheduler==3.10.4
argcomplete==3.2.1
attrs==23.2.0
azure-common==1.1.28
azure-core==1.29.6
azure-cosmos==3.2.0
azure-cosmosdb-nspkg==2.0.2
azure-cosmosdb-table==1.0.6
azure-functions==1.18.0
azure-graphrbac==0.61.1
azure-identity==1.15.0
azure-keyvault==4.2.0
azure-keyvault-certificates==4.7.0
azure-keyvault-keys==4.8.0
azure-keyvault-secrets==4.7.0
azure-mgmt-advisor==9.0.0
azure-mgmt-apimanagement==1.0.0
azure-mgmt-appconfiguration==0.7.0
azure-mgmt-applicationinsights==1.0.0
azure-mgmt-appplatform==8.0.0
azure-mgmt-authorization==1.0.0
azure-mgmt-automation==0.1.1
azure-mgmt-batch==15.0.0
azure-mgmt-cdn==12.0.0
azure-mgmt-cognitiveservices==11.0.0
azure-mgmt-compute==19.0.0
azure-mgmt-containerinstance==7.0.0
azure-mgmt-containerregistry==8.0.0b1
azure-mgmt-containerservice==15.1.0
azure-mgmt-core==1.4.0
azure-mgmt-cosmosdb==6.4.0
azure-mgmt-costmanagement==1.0.0
azure-mgmt-databricks==1.0.0b1
azure-mgmt-datafactory==1.1.0
azure-mgmt-datalake-analytics==0.5.0
azure-mgmt-datalake-nspkg==3.0.1
azure-mgmt-datalake-store==0.5.0
azure-mgmt-desktopvirtualization==1.1.0
azure-mgmt-dns==8.0.0b1
azure-mgmt-eventgrid==8.0.0
azure-mgmt-eventhub==11.0.0
azure-mgmt-frontdoor==1.1.0
azure-mgmt-hdinsight==7.0.0
azure-mgmt-iothub==1.0.0
azure-mgmt-keyvault==8.0.0
azure-mgmt-kusto==2.2.0
azure-mgmt-logic==9.0.0
azure-mgmt-machinelearningservices==1.0.0
azure-mgmt-managementgroups==1.0.0b1
azure-mgmt-monitor==2.0.0
azure-mgmt-msi==1.0.0
azure-mgmt-network==17.1.0
azure-mgmt-nspkg==3.0.2
azure-mgmt-policyinsights==1.0.0
azure-mgmt-rdbms==8.1.0
azure-mgmt-recoveryservices==2.5.0
azure-mgmt-recoveryservicesbackup==7.0.0
azure-mgmt-redhatopenshift==1.4.0
azure-mgmt-redis==12.0.0
azure-mgmt-resource==16.1.0
azure-mgmt-resourcegraph==7.0.0
azure-mgmt-search==8.0.0
azure-mgmt-security==1.0.0
azure-mgmt-servicebus==8.2.0
azure-mgmt-servicefabric==1.0.0
azure-mgmt-signalr==0.4.0
azure-mgmt-sql==1.0.0
azure-mgmt-storage==17.1.0
azure-mgmt-streamanalytics==1.0.0
azure-mgmt-subscription==1.0.0
azure-mgmt-synapse==2.0.0
azure-mgmt-trafficmanager==0.51.0
azure-mgmt-web==2.0.0
azure-nspkg==3.0.2
azure-storage-blob==12.19.0
azure-storage-common==2.1.0
azure-storage-file==2.1.0
azure-storage-file-share==12.15.0
azure-storage-queue==12.9.0
boto3==1.34.21
botocore==1.34.21
c7n==0.9.34
cachetools==5.3.2
certifi==2023.11.17
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
colorama==0.4.6
cryptography==41.0.7
decorator==5.1.1
distlib==0.3.8
docutils==0.18.1
dogpile.cache==1.3.0
exceptiongroup==1.2.0
google-api-core==2.15.0
google-api-python-client==2.114.0
google-auth==2.26.2
google-auth-httplib2==0.2.0
google-cloud-appengine-logging==1.4.0
google-cloud-audit-log==0.2.5
google-cloud-core==2.4.1
google-cloud-logging==3.9.0
google-cloud-monitoring==2.18.0
google-cloud-storage==2.14.0
google-crc32c==1.5.0
google-resumable-media==2.7.0
googleapis-common-protos==1.62.0
grpc-google-iam-v1==0.13.0
grpcio==1.60.0
httplib2==0.22.0
idna==3.6
importlib-metadata==6.11.0
iso8601==2.1.0
isodate==0.6.1
jmespath==1.0.1
jsonpatch==1.33
jsonpointer==2.4
jsonschema==4.21.0
jsonschema-specifications==2023.12.1
keystoneauth1==5.5.0
kubernetes==29.0.0
mock==4.0.3
msal==1.26.0
msal-extensions==1.1.0
msrest==0.7.1
msrestazure==0.6.4
munch==4.0.0
netaddr==0.7.20
netifaces==0.11.0
oauthlib==3.2.2
openstacksdk==0.52.0
os-service-types==1.7.0
packaging==23.2
pbr==6.0.0
portalocker==2.8.2
proto-plus==1.23.0
protobuf==4.25.2
pyasn1==0.5.1
pyasn1-modules==0.3.0
pycparser==2.21
pyparsing==3.1.1
pyrate-limiter==2.10.0
python-dateutil==2.8.2
pytz==2023.3.post1
pyyaml==6.0.1
referencing==0.31.1
requests==2.31.0
requests-oauthlib==1.3.1
requestsexceptions==1.4.0
retrying==1.3.4
rpds-py==0.17.1
rsa==4.9
s3transfer==0.10.0
six==1.16.0
sniffio==1.3.0
stevedore==5.1.0
tabulate==0.9.0
typing-extensions==4.9.0
tzlocal==5.2
uritemplate==4.1.1
urllib3==1.26.18
websocket-client==1.7.0
zipp==3.17.0

Policy

policies:
  - name: s3-policy
    resource: s3
    filters:
      - Name: c7n-test-policy
      - or:
        - type: cross-account
          whitelist:
          - "123456789012"

Relevant log/traceback output

custodian.iamaccess:WARNING no handler:handle_s3_dataaccesspointaccount op:StringEquals key:s3:dataaccesspointaccount values: ('123456789012',)

custodian.iamaccess:WARNING no handler:handle_s3_dataaccesspointarn op:StringEquals key:s3:dataaccesspointarn values: ('arn:aws:s3:us-east-1:123456789012:accesspoint/testaccesspoint',)

custodian.iamaccess:WARNING no handler:handle_s3_x_amz_acl op:StringEquals key:s3:x-amz-acl values: ('bucket-owner-full-control',)

Extra information or context

No response
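As an added example (not code from the issue, from its reporter, or from Cloud Custodian), the following stand-alone Python checker shows the handling the report asks for: it reads a bucket policy, treats exact-match s3:DataAccessPointAccount and s3:DataAccessPointArn conditions as naming the account that access is delegated to, and treats s3:x-amz-acl as a constraint on the request (the canned ACL being applied) that says nothing about who the caller is, so a Principal "*" statement guarded only by that key is still reported as open to everyone. It also records condition keys it does not understand, the analogue of the "no handler" warnings quoted above, and deliberately refuses to treat ForAllValues, negated, *Like and *IfExists operators as narrowing, since those match when the key is absent or wildcarded. The sample policy, the second account ID 210987654321 and all function names are constructed for illustration. One caveat a practitioner should keep in mind: s3:DataAccessPointAccount names the owner of the access point, not the calling principal; the access point's own policy then decides which principals may use it, so allow-listing that account is trusting its access point policies.

```python
"""Stand-alone cross-account check for an S3 bucket policy (added example, not
Cloud Custodian code). Treats s3:DataAccessPointAccount / s3:DataAccessPointArn
as account-scoped conditions and s3:x-amz-acl as a request-only constraint."""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
# The account is the fifth colon-separated ARN field; a wildcard there does not match.
ARN_ACCOUNT_RE = re.compile(r"^arn:[^:*]+:[^:*]+:[^:*]*:(\d{12}):")

ACCESS_POINT_ACCOUNT_KEYS = {"s3:dataaccesspointaccount"}  # value is an account ID
ACCESS_POINT_ARN_KEYS = {"s3:dataaccesspointarn"}          # value is an ARN owned by an account
REQUEST_ONLY_KEYS = {"s3:x-amz-acl"}                       # constrains the request, not the caller
# Only positive, exact operators narrow access. Negations, *Like, *IfExists and
# ForAllValues (which also matches when the key is absent from the request) do not.
EXACT_OPERATORS = {"stringequals", "arnequals",
                   "foranyvalue:stringequals", "foranyvalue:arnequals"}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def account_from_arn(arn):
    """12-digit account ID embedded in an ARN, or None if absent or wildcarded."""
    m = ARN_ACCOUNT_RE.match(arn)
    return m.group(1) if m else None


def principal_accounts(principal):
    """Accounts named by a Principal element, or None when it is unconstrained.
    Only AWS principals are interpreted; Service/Federated principals are out of scope."""
    if principal == "*":
        return None
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    accounts = set()
    for p in entries:
        acct = p if ACCOUNT_RE.match(p) else account_from_arn(p)
        if acct is None:  # '*' or a wildcard/unparseable ARN: assume anyone
            return None
        accounts.add(acct)
    return accounts


def access_point_accounts(condition, unhandled):
    """Accounts that exact-match access point conditions delegate access to, or
    None when the Condition block carries no such narrowing. Keys this checker
    does not understand are appended to `unhandled`."""
    narrowed = None
    for operator, clauses in (condition or {}).items():
        for key, raw in clauses.items():
            k = key.lower()
            values = [str(v) for v in _as_list(raw)]
            if k in REQUEST_ONLY_KEYS:
                continue
            if k in ACCESS_POINT_ACCOUNT_KEYS:
                parsed = [v if ACCOUNT_RE.match(v) else None for v in values]
            elif k in ACCESS_POINT_ARN_KEYS:
                parsed = [account_from_arn(v) for v in values]
            else:
                unhandled.append(f"{operator} {key}")
                continue
            # A non-exact operator or a value without an account ID narrows nothing.
            if operator.lower() not in EXACT_OPERATORS or not parsed or None in parsed:
                continue
            accts = set(parsed)
            narrowed = accts if narrowed is None else narrowed & accts
    return narrowed


def analyze_bucket_policy(policy, allowlist):
    """One finding per Allow statement whose reach is not covered by `allowlist`.
    `policy` is a dict or JSON string; a finding's 'accounts' is the sorted list of
    reachable accounts, or '*' when reach is unconstrained."""
    allowlist = set(allowlist)
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        unhandled = []
        reach = principal_accounts(stmt.get("Principal", {}))
        delegated = access_point_accounts(stmt.get("Condition"), unhandled)
        if reach is None:
            reach = delegated  # Principal '*' narrowed only by the delegation
        if reach is None or not reach <= allowlist:
            findings.append({"sid": stmt.get("Sid", f"statement-{i}"),
                             "accounts": "*" if reach is None else sorted(reach),
                             "unhandled": unhandled})
    return findings


def _stmt(sid, condition):  # helper for the constructed sample below
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::testingtesting/*", "Condition": condition}


# Constructed sample built from the snippets in the issue, plus two pitfalls.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("DelegateToOwnAccessPoints", {"StringEquals": {"s3:DataAccessPointAccount": "123456789012"}}),
    _stmt("DelegateToOneAccessPoint", {"StringEquals": {
        "s3:DataAccessPointArn": "arn:aws:s3:us-east-1:123456789012:accesspoint/testaccesspoint"}}),
    _stmt("DelegateToForeignAccessPoints", {"StringEquals": {"s3:DataAccessPointAccount": "210987654321"}}),
    _stmt("AclOnlyDoesNotNarrow", {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
    _stmt("ForAllValuesDoesNotNarrow", {"ForAllValues:StringEquals": {"s3:DataAccessPointAccount": "123456789012"}}),
]}

if __name__ == "__main__":
    for finding in analyze_bucket_policy(SAMPLE_POLICY, {"123456789012"}):
        print(finding)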

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant