alt-orchestra/talos
1
0
Fork 0
Code Issues Pull Requests Actions 27 Packages Projects Releases Wiki Activity

chore: ensure tls required on s3 buckets

Browse Source 
Ensure that non-TLS connections are denied to S3 buckets via policy.
Required for compliance.

Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
This commit is contained in:
Tim Jones 2024-07-16 13:11:05 +02:00
parent c288ace7b1
commit d52b89cb91
No known key found for this signature in database
GPG Key ID: A2A702DD5B689F45
1 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
hack/cloud-image-uploader/aws.go
View File

@ -22,6 +22,28 @@ import (
"golang.org/x/sync/errgroup" "golang.org/x/sync/errgroup"
) )
var denyInsecurePolicyTemplate = `{
"Id": "ExamplePolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::%s",
"arn:aws:s3:::%s/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}
]
}`
// GetAWSDefaultRegions returns a list of regions which are enabled for this account. // GetAWSDefaultRegions returns a list of regions which are enabled for this account.
func GetAWSDefaultRegions() ([]string, error) { func GetAWSDefaultRegions() ([]string, error) {
sess, err := session.NewSession(&aws.Config{ sess, err := session.NewSession(&aws.Config{
@ -139,6 +161,16 @@ func (au *AWSUploader) registerAMI(ctx context.Context, region string, svc *ec2.
} }
}() }()
_, err = s3Svc.PutBucketPolicyWithContext(ctx, &s3.PutBucketPolicyInput{
Bucket: aws.String(bucketName),
Policy: aws.String(fmt.Sprintf(denyInsecurePolicyTemplate, bucketName, bucketName)),
})
if err != nil {
return fmt.Errorf("failed applying S3 bucket policy: %w", err)
}
log.Printf("aws: applied policy to bucket %q", bucketName)
uploader := s3manager.NewUploaderWithClient(s3Svc) uploader := s3manager.NewUploaderWithClient(s3Svc)
var g errgroup.Group var g errgroup.Group