chore: ensure tls required on s3 buckets

Ensure that non-TLS connections are denied to S3 buckets via policy. Required for compliance. Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
2024-07-16 13:11:05 +02:00 · 2024-07-16 13:11:05 +02:00 · d52b89cb91
commit d52b89cb91
parent c288ace7b1
1 changed files with 32 additions and 0 deletions
--- a/hack/cloud-image-uploader/aws.go
+++ b/hack/cloud-image-uploader/aws.go
@ -22,6 +22,28 @@ import (
 	"golang.org/x/sync/errgroup"
 )

+var denyInsecurePolicyTemplate = `{
+  "Id": "ExamplePolicy",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowSSLRequestsOnly",
+      "Action": "s3:*",
+      "Effect": "Deny",
+      "Resource": [
+        "arn:aws:s3:::%s",
+        "arn:aws:s3:::%s/*"
+      ],
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      },
+      "Principal": "*"
+    }
+  ]
+}`
+
 // GetAWSDefaultRegions returns a list of regions which are enabled for this account.
 func GetAWSDefaultRegions() ([]string, error) {
 	sess, err := session.NewSession(&aws.Config{
@ -139,6 +161,16 @@ func (au *AWSUploader) registerAMI(ctx context.Context, region string, svc *ec2.
 		}
 	}()

+	_, err = s3Svc.PutBucketPolicyWithContext(ctx, &s3.PutBucketPolicyInput{
+		Bucket: aws.String(bucketName),
+		Policy: aws.String(fmt.Sprintf(denyInsecurePolicyTemplate, bucketName, bucketName)),
+	})
+	if err != nil {
+		return fmt.Errorf("failed applying S3 bucket policy: %w", err)
+	}
+
+	log.Printf("aws: applied policy to bucket %q", bucketName)
+
 	uploader := s3manager.NewUploaderWithClient(s3Svc)

 	var g errgroup.Group