Skip to content

Commit

Permalink
chore: ensure tls required on s3 buckets
Browse files Browse the repository at this point in the history
Ensure that non-TLS connections are denied to S3 buckets via policy.
Required for compliance.

Signed-off-by: Tim Jones <[email protected]>
  • Loading branch information
TimJones committed Jul 17, 2024
1 parent c288ace commit d52b89c
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions hack/cloud-image-uploader/aws.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,28 @@ import (
"golang.org/x/sync/errgroup"
)

var denyInsecurePolicyTemplate = `{
"Id": "ExamplePolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::%s",
"arn:aws:s3:::%s/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}
]
}`

// GetAWSDefaultRegions returns a list of regions which are enabled for this account.
func GetAWSDefaultRegions() ([]string, error) {
sess, err := session.NewSession(&aws.Config{
Expand Down Expand Up @@ -139,6 +161,16 @@ func (au *AWSUploader) registerAMI(ctx context.Context, region string, svc *ec2.
}
}()

_, err = s3Svc.PutBucketPolicyWithContext(ctx, &s3.PutBucketPolicyInput{
Bucket: aws.String(bucketName),
Policy: aws.String(fmt.Sprintf(denyInsecurePolicyTemplate, bucketName, bucketName)),
})
if err != nil {
return fmt.Errorf("failed applying S3 bucket policy: %w", err)
}

log.Printf("aws: applied policy to bucket %q", bucketName)

uploader := s3manager.NewUploaderWithClient(s3Svc)

var g errgroup.Group
Expand Down

0 comments on commit d52b89c

Please sign in to comment.