
Unrestricted S3 permissions for shares with consumer role #1226

Closed
mourya-33 opened this issue Apr 26, 2024 · 2 comments · Fixed by #1280

Comments

@mourya-33
Contributor

Describe the bug

Currently when a share is created for the consumer role, dataall automatically adds s3* permissions on the share. This must be restricted to read permissions only.

How to Reproduce

Create a consumer role and then create a data share. Check the IAM role policies for the consumer role to verify the s3 permissions added for the share.

Expected behavior

The consumer role should be updated to add only S3 read permissions when a share is created.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.4

Additional context

No response

@mourya-33
Contributor Author

@dlpzx @noah-paige I will add more details once I test the behavior in detail.

@mourya-33
Contributor Author

Verified that the dataset sharing policy added to consumption role is listing the actions as s3:*. This must be restricted to read only s3 permissions.
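As an added illustration of the check behind this report (not code from data.all), the snippet below scans an IAM policy document for `Allow` statements whose S3 actions go beyond read access, such as the `s3:*` found on the consumption role, and produces a copy with those grants narrowed to the read-only action set (`s3:Get*`, `s3:List*`, `s3:Describe*`, following the AmazonS3ReadOnlyAccess managed policy). The sample policy and bucket name are constructed for the example.

```python
import copy
import json

# Read-only S3 action prefixes, modelled on the AmazonS3ReadOnlyAccess managed
# policy. IAM matches action names case-insensitively, so compare lowercased.
READ_ONLY_PREFIXES = ("s3:get", "s3:list", "s3:describe")
READ_ONLY_ACTIONS = ["s3:Get*", "s3:List*", "s3:Describe*"]


def _as_list(value):
    """IAM allows a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_read_only(action):
    a = action.lower()
    # "s3:*" and a bare "*" are wildcards and never count as read-only.
    return a not in ("*", "s3:*") and a.startswith(READ_ONLY_PREFIXES)


def _offending_actions(stmt):
    """S3-affecting actions in an Allow statement that are not read-only."""
    if stmt.get("Effect") != "Allow":
        return []
    return [a for a in _as_list(stmt.get("Action"))
            if (a == "*" or a.lower().startswith("s3:")) and not _is_read_only(a)]


def overbroad_s3_actions(doc):
    """Return (Sid, action) pairs for every over-broad S3 grant in the policy."""
    return [(stmt.get("Sid", "<no Sid>"), a)
            for stmt in _as_list(doc.get("Statement"))
            for a in _offending_actions(stmt)]


def restrict_to_read_only(doc):
    """Copy of the policy with each over-broad S3 grant replaced by read-only actions."""
    fixed = copy.deepcopy(doc)
    for stmt in _as_list(fixed.get("Statement")):
        bad = _offending_actions(stmt)
        if not bad:
            continue
        kept = [a for a in _as_list(stmt.get("Action")) if a not in bad]
        stmt["Action"] = kept + [a for a in READ_ONLY_ACTIONS if a not in kept]
    return fixed


# Constructed sample (not from data.all): the share statement described in this
# issue, granting s3:* on the shared dataset bucket to the consumption role.
SHARE_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DatasetShare",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::example-dataset-bucket",
                     "arn:aws:s3:::example-dataset-bucket/*"],
    }],
}

if __name__ == "__main__":
    print(overbroad_s3_actions(SHARE_POLICY_BEFORE))  # [('DatasetShare', 's3:*')]
    print(json.dumps(restrict_to_read_only(SHARE_POLICY_BEFORE), indent=2))
```

Pointing the scanner at the policies attached to a consumption role (for example via `iam:GetRolePolicy`) gives a quick regression check that a share only ever adds read actions.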

SofiaSazonova pushed a commit that referenced this issue May 16, 2024
…sharing policy (#1262)


### Feature or Bugfix
- Bugfix

### Detail
- This PR will address the issue - 1226
- Now permissions match S3 ReadOnly policy
- IAM policy for consumption role is needed for cross-account sharing

### Relates
- [<URL or Ticket>](#1226)

### Security
Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
  - Is the input sanitized? N/A
- What precautions are you taking before deserializing the data you consume? N/A
  - Is injection prevented by parametrizing queries? N/A
  - Have you ensured no `eval` or similar functions are used? N/A
- Does this PR introduce any functionality or component that requires authorization? N/A
- How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
  - Are you logging failed auth attempts? N/A
- Are you using or adding any cryptographic features? N/A
  - Do you use a standard proven implementation? Yes
- Are the used keys controlled by the customer? Where are they stored? N/A
- Are you introducing any new policies/roles/users? No
- Have you used the least-privilege principle? How? Yes, restricted the s3:* permissions to s3 readonly permissions


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.