From 53581cf513f0e0d460128798aa41d5996ebf79d2 Mon Sep 17 00:00:00 2001 From: Mike Roark Date: Mon, 22 Jul 2024 16:50:41 -0500 Subject: [PATCH 1/7] For testing --- CHANGELOG.md | 4 ++++ templates/apiary-bucket-policy.json | 23 ++++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d14d910..ac4a6d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [7.2.2] - 2024-07-22 +### Fixed +- [Issue 266](https://github.com/ExpediaGroup/apiary-data-lake/issues/266) Apiary bucket policies over-enforce encryption + ## [7.2.1] - 2024-07-01 ### Added - Issue where requests can hit 10min connection timeout, TCP keepalive prevents NLB closing idle connections. Similar to the issue explained here: https://paramount.tech/blog/2021/07/26/mitigation-of-connection-reset-in-aws.html diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json index da4422d..7ebeb92 100644 --- a/templates/apiary-bucket-policy.json +++ b/templates/apiary-bucket-policy.json 
@@ -219,20 +219,33 @@ "aws:SecureTransport": "false" } } + } +%{if encryption == "AES256"} + { + "Sid": "DenyKMSAndDSSE", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${bucket_name}/*", + "Condition": { + "StringLike": { + "s3:x-amz-server-side-encryption": "aws:kms*" + } + } }, { - "Sid": "DenyIncorrectEncryptionHeader", + "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::${bucket_name}/*", "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "${encryption}" - } + "Null": { + "s3:x-amz-server-side-encryption-customer-algorithm": "false" + } } }, -%{if kms_key_arn != ""} +%{else} { "Sid": "DenyWrongKMSKey", "Effect": "Deny", From 6f844c8e19c78455c4f4c457d92f4385f2147c2e Mon Sep 17 00:00:00 2001 From: mroark1m Date: Mon, 22 Jul 2024 17:43:45 -0500 Subject: [PATCH 2/7] Adding in kms enforcement when needed --- templates/apiary-bucket-policy.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json index 7ebeb92..7ffc44e 100644 --- a/templates/apiary-bucket-policy.json +++ b/templates/apiary-bucket-policy.json @@ -246,6 +246,18 @@ } }, %{else} + { + "Sid": "DenyNonKMS", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${bucket_name}/*", + "Condition": { + "StringNotEquals": { + "s3:x-amz-server-side-encryption": "aws:kms" + } + } + }, { "Sid": "DenyWrongKMSKey", "Effect": "Deny", From cee9d08044e19c426034503fa883d73baa5c0401 Mon Sep 17 00:00:00 2001 From: Abhimanyu Gupta Date: Tue, 23 Jul 2024 09:30:53 +0100 Subject: [PATCH 3/7] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac4a6d1..b8122d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
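Review bot: Replacing `%{if kms_key_arn != ""}` with `%{else}` means DenyWrongKMSKey is now rendered for every non-AES256 value of `encryption`, including when `kms_key_arn` is empty, which would produce `"s3:x-amz-server-side-encryption-aws-kms-key-id": ""` and, because StringNotEquals is a negated operator, deny every PutObject in that branch. Unless the module's variables already forbid that combination (not visible here), keep the inner guard, e.g. wrap the DenyWrongKMSKey statement in `%{if kms_key_arn != ""}` … `%{endif}` inside the `%{else}`, or add a `validation` block on the variables. The AES256 branch now accepts uploads that carry no encryption header at all and relies on the bucket's default encryption being SSE-S3; that assumption should be stated in the `encryption` variable description since the policy no longer enforces it. The statement closed by the hunk's first context lines begins outside the hunk.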
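Review bot: DenyNonKMS uses `"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}`, which also denies `aws:kms:dsse` (DSSE-KMS) uploads, even though the AES256 branch's `DenyKMSAndDSSE` Sid shows the template is aware of that value; if DSSE-KMS is acceptable in the KMS branch use `"StringNotLike": {"s3:x-amz-server-side-encryption": "aws:kms*"}`, otherwise state in the commit message that DSSE is deliberately excluded. IAM treats negated operators as true when the context key is absent, so this statement very likely already denies header-less uploads and overlaps with the existing DenyUnEncryptedObjectUploads statement after `%{endif}`; harmless, but the two should not be read as independent controls.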
@@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [7.2.2] - 2024-07-22 +## [7.2.2] - 2024-07-23 ### Fixed - [Issue 266](https://github.com/ExpediaGroup/apiary-data-lake/issues/266) Apiary bucket policies over-enforce encryption From 6fda6b6a97285aa4eba93ecbd25ac41c1e3dfea5 Mon Sep 17 00:00:00 2001 From: mroark1m Date: Tue, 23 Jul 2024 15:18:01 -0500 Subject: [PATCH 4/7] missing comma --- templates/apiary-bucket-policy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json index 7ffc44e..6858776 100644 --- a/templates/apiary-bucket-policy.json +++ b/templates/apiary-bucket-policy.json @@ -219,7 +219,7 @@ "aws:SecureTransport": "false" } } - } + }, %{if encryption == "AES256"} { "Sid": "DenyKMSAndDSSE", From abc5d16e33366506784f621aeb3d7861b38c6f42 Mon Sep 17 00:00:00 2001 From: mroark1m Date: Tue, 23 Jul 2024 15:49:44 -0500 Subject: [PATCH 5/7] removing the DenyUnEncryptedObjectUploads statement completely --- templates/apiary-bucket-policy.json | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json index 6858776..6017805 100644 --- a/templates/apiary-bucket-policy.json +++ b/templates/apiary-bucket-policy.json @@ -244,7 +244,7 @@ "s3:x-amz-server-side-encryption-customer-algorithm": "false" } } - }, + } %{else} { "Sid": "DenyNonKMS", 
@@ -269,19 +269,7 @@ "s3:x-amz-server-side-encryption-aws-kms-key-id": "${kms_key_arn}" } } - }, -%{endif} - { - "Sid": "DenyUnEncryptedObjectUploads", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::${bucket_name}/*", - "Condition": { - "Null": { - "s3:x-amz-server-side-encryption": "true" - } - } } +%{endif} ] } From 8c40261813ff237be1f68fce30b315f6f047f417 Mon Sep 17 00:00:00 2001 From: mroark1m Date: Tue, 23 Jul 2024 16:17:33 -0500 Subject: [PATCH 6/7] Update apiary-bucket-policy.json --- templates/apiary-bucket-policy.json | 30 ++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json index 6017805..57a49db 100644 --- a/templates/apiary-bucket-policy.json +++ b/templates/apiary-bucket-policy.json @@ -247,16 +247,16 @@ } %{else} { - "Sid": "DenyNonKMS", - "Effect": "Deny", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::${bucket_name}/*", - "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "aws:kms" + "Sid": "DenyIncorrectEncryptionHeader", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${bucket_name}/*", + "Condition": { + "StringNotEquals": { + "s3:x-amz-server-side-encryption": "aws:kms" + } } - } }, { "Sid": "DenyWrongKMSKey", @@ -269,6 +269,18 @@ "s3:x-amz-server-side-encryption-aws-kms-key-id": "${kms_key_arn}" } } + }, + { + "Sid": "DenyUnEncryptedObjectUploads", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${bucket_name}/*", + "Condition": { + "Null": { + "s3:x-amz-server-side-encryption": "true" + } + } } %{endif} ] From e1d29cea5356e050f31a69e3c7af5ac1f47f9837 Mon Sep 17 00:00:00 2001 From: mroark1m Date: Tue, 23 Jul 2024 16:19:06 -0500 Subject: [PATCH 7/7] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
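Review bot: The re-added DenyUnEncryptedObjectUploads statement now lives only inside the `%{else}` branch, so the AES256 branch has no missing-header check at all and depends entirely on bucket default encryption; that is a behavioural change from the deleted version, which applied to both branches, and deserves a sentence in the CHANGELOG entry beyond "over-enforce encryption". In the KMS branch it overlaps with DenyIncorrectEncryptionHeader, since IAM evaluates `StringNotEquals` as true when the header is absent, though AWS's own SSE-KMS example keeps both statements, so retaining it is reasonable. SSE-C uploads, which carry only `x-amz-server-side-encryption-customer-algorithm`, are rejected in this branch only because that header is absent; unlike the AES256 branch there is no explicit DenySSEC, which is worth noting in the module docs so a future edit does not drop this statement assuming it is redundant.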
diff --git a/CHANGELOG.md b/CHANGELOG.md index b8122d1..7fcd884 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [7.2.2] - 2024-07-23 +## [7.2.2] - 2024-07-24 ### Fixed - [Issue 266](https://github.com/ExpediaGroup/apiary-data-lake/issues/266) Apiary bucket policies over-enforce encryption