Unrestricted S3 permissions for shares with consumer role #1226
@dlpzx @noah-paige I will add more details once I test the behavior in detail.
Verified that the dataset sharing policy added to the consumption role is listing the actions as `s3:*`. This must be restricted to read-only S3 permissions.
SofiaSazonova pushed a commit that referenced this issue on May 16, 2024:
…sharing policy (#1262)

### Feature or Bugfix
- Bugfix

### Detail
- This PR will address the issue - 1226
- Now permissions match S3 ReadOnly policy
- iam policy for consumption role is needed for crossaccount sharing

### Relates
- [<URL or Ticket>](#1226)

### Security
Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).
- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
- Is the input sanitized? N/A
- What precautions are you taking before deserializing the data you consume? N/A
- Is injection prevented by parametrizing queries? N/A
- Have you ensured no `eval` or similar functions are used? N/A
- Does this PR introduce any functionality or component that requires authorization? N/A
- How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
- Are you logging failed auth attempts? N/A
- Are you using or adding any cryptographic features? N/A
- Do you use standard proven implementations? Yes
- Are the used keys controlled by the customer? Where are they stored? N/A
- Are you introducing any new policies/roles/users? No
- Have you used the least-privilege principle? How? Yes, restricted the `s3:*` permissions to S3 read-only permissions

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
noah-paige added the labels type: enhancement (Feature enhancement), priority: high, effort: medium on May 21, 2024.
Describe the bug
Currently, when a share is created for the consumer role, data.all automatically adds `s3:*` permissions on the share. This must be restricted to read permissions only.
How to Reproduce
Create a consumer role and then create a data share. Check the IAM role policies for the consumer role to verify the s3 permissions added for the share.
Expected behavior
The consumer role should be updated to add only S3 read permissions when a share is created.
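The check in the reproduction step (inspect the consumer role's policies and confirm that the share statement grants only read access) can be scripted. The following is an added example written for this issue, not data.all's own code. It assumes that "read-only" means the action set of the AWS managed AmazonS3ReadOnlyAccess policy (Get*/List*/Describe* on s3, Get*/List* on s3-object-lambda), and the policy document, bucket name and Sid are constructed placeholders. It flags the over-broad statement the issue describes and produces the restricted form that the expected behavior calls for:

```python
"""Audit a consumption role's share policy for over-broad S3 actions.

Added example, not data.all's own code: it flags Allow statements that grant
S3 actions beyond a read-only allow-list and rewrites them to that list.
"""
import copy
import fnmatch

# Assumption: this read-only set mirrors the AWS managed AmazonS3ReadOnlyAccess
# policy (Get*/List*/Describe* on s3, Get*/List* on s3-object-lambda).
S3_READONLY_ACTIONS = (
    "s3:Get*",
    "s3:List*",
    "s3:Describe*",
    "s3-object-lambda:Get*",
    "s3-object-lambda:List*",
)
S3_SERVICES = ("s3", "s3-object-lambda")


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/NotAction."""
    return value if isinstance(value, list) else [value]


def action_is_read_only(action):
    """True when `action` is covered by one of the read-only patterns.

    IAM action names are case-insensitive, so both sides are lower-cased.
    The check is deliberately conservative: a wildcard wider than a read-only
    pattern ('s3:*', 's3:G*', '*') is reported as NOT read-only.
    """
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in S3_READONLY_ACTIONS)


def _touches_s3(action):
    service = action.split(":", 1)[0].lower()
    return service in S3_SERVICES or service == "*"


def find_overbroad_s3_actions(policy_document):
    """Return the S3-related actions in Allow statements that exceed read-only."""
    findings = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything not listed, S3 writes included.
            findings.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if _touches_s3(action) and not action_is_read_only(action):
                findings.append(action)
    return findings


def restrict_to_read_only(policy_document):
    """Return a copy in which every Allow statement that touches S3 grants only
    the read-only action set; non-S3 actions in the same statement are kept."""
    fixed = copy.deepcopy(policy_document)
    for stmt in _as_list(fixed.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        if any(_touches_s3(a) for a in actions):
            kept = [a for a in actions if not _touches_s3(a)]
            stmt["Action"] = kept + list(S3_READONLY_ACTIONS)
    return fixed


# Constructed share policy showing what the issue describes: the consumption
# role gets s3:* on the shared bucket. Sid and bucket name are placeholders.
OVERBROAD_SHARE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DataAllSharePlaceholder",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::example-shared-bucket",
                "arn:aws:s3:::example-shared-bucket/*",
            ],
        }
    ],
}

if __name__ == "__main__":
    print("over-broad actions:", find_overbroad_s3_actions(OVERBROAD_SHARE_POLICY))
    fixed = restrict_to_read_only(OVERBROAD_SHARE_POLICY)
    print("after fix:", find_overbroad_s3_actions(fixed), fixed["Statement"][0]["Action"])
```

To run this against a real consumer role rather than the constructed document, pass the `PolicyDocument` dict returned by boto3's `iam.get_role_policy(RoleName=..., PolicyName=...)` for each inline policy on the role. Note that the read-only set still needs the bucket ARN (for `s3:ListBucket`) and the object ARN (for `s3:GetObject`) in `Resource`, as in the constructed policy above; restricting actions alone does not change which buckets the role can reach.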
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.10
AWS data.all version
2.4
Additional context
No response