
aws-s3/notifications-resource: Scope down S3 bucket notifications lambda permission to only buckets it interacts with #27234

Closed
1 of 2 tasks
faridnsh opened this issue Sep 21, 2023 · 3 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-review p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@faridnsh

Describe the feature

This Lambda function (permission defined here) allows s3:PutBucketNotification with any bucket, and we would need it to be only the buckets it actually sets the notification up with.

Use Case

Following security best practices of scoping down permissions.

Proposed Solution

I'm thinking we can move out the s3:PutBucketNotification permission definition from the notifications-resource-handler and move it to where we try to create it given a bucket.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

v2.96.2

Environment details (OS name and version, etc.)

any
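The proposal above is to grant s3:PutBucketNotification per bucket at the point where the notification is wired up, instead of once on "*" in the handler. The following is an added example, not code from aws-cdk or from the issue author: it builds the broad statement the issue describes beside a scoped one that grows only as buckets are registered, and includes a small review check that flags wildcard resources on that action. The bucket names are constructed sample values and the "aws" partition is assumed.

```typescript
// Added example; not aws-cdk code. Models the handler role's IAM statement in
// its current wildcard form and in the per-bucket form the issue proposes.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// s3:PutBucketNotification is a bucket-level action, so the resource is the
// bucket ARN itself (arn:aws:s3:::<bucket>), not <bucket>/* (object keys).
const BUCKET_NOTIFICATION_ACTION = "s3:PutBucketNotification";

// Partition "aws" is assumed; S3 bucket ARNs carry no region or account.
function bucketArn(bucketName: string): string {
  return `arn:aws:s3:::${bucketName}`;
}

// The broad grant the issue describes: the action on any bucket anywhere.
function wildcardStatement(): PolicyStatement {
  return { Effect: "Allow", Action: [BUCKET_NOTIFICATION_ACTION], Resource: ["*"] };
}

// Accumulates the permission per bucket, so the role grant grows only as
// buckets are actually connected to the handler (hypothetical helper name).
class NotificationHandlerPermissions {
  private readonly buckets: string[] = [];

  addBucket(bucketName: string): void {
    // DNS-compatible bucket name check: 3-63 chars, lowercase, digits, dots, hyphens.
    if (!/^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/.test(bucketName)) {
      throw new Error(`invalid bucket name: ${bucketName}`);
    }
    if (this.buckets.indexOf(bucketName) === -1) {
      this.buckets.push(bucketName);
    }
  }

  toPolicyDocument(): PolicyDocument {
    if (this.buckets.length === 0) {
      // No bucket registered: emit no grant at all rather than falling back to "*".
      return { Version: "2012-10-17", Statement: [] };
    }
    return {
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          Action: [BUCKET_NOTIFICATION_ACTION],
          Resource: this.buckets.slice().sort().map(bucketArn),
        },
      ],
    };
  }
}

// Review check: return every resource in the document that grants the
// notification action (directly or via s3:* / *) on a wildcard instead of a
// concrete bucket ARN.
function findWildcardNotificationGrants(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  for (const stmt of doc.Statement) {
    if (stmt.Effect !== "Allow") continue;
    const covers = stmt.Action.some(
      (a) => a === BUCKET_NOTIFICATION_ACTION || a === "s3:*" || a === "*"
    );
    if (!covers) continue;
    for (const r of stmt.Resource) {
      if (r.indexOf("*") !== -1) findings.push(r);
    }
  }
  return findings;
}

// Usage: the wildcard document yields one finding, the scoped one none.
const broadDoc: PolicyDocument = { Version: "2012-10-17", Statement: [wildcardStatement()] };
const perms = new NotificationHandlerPermissions();
perms.addBucket("example-uploads-bucket"); // constructed sample name
perms.addBucket("example-logs-bucket");    // constructed sample name
const scopedDoc = perms.toPolicyDocument();
console.log(JSON.stringify(scopedDoc, null, 2));
console.log("wildcard findings in broad document:", findWildcardNotificationGrants(broadDoc));
```

The scoped document lists exactly the buckets that were registered, and a stack with no notification targets gets no grant at all, which is the failure mode a wildcard default hides.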

@faridnsh faridnsh added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 21, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 21, 2023
@khushail
Contributor

khushail commented Sep 21, 2023

Hi @alFReD-NSH , thanks for reaching out. There is another past request that is quite similar to what you have asked for.

A brief explanation of why "*" is used for resources is given here. A workaround is also mentioned in the follow-up comments in this shared issue.
Please feel free to share your inputs as well.

@khushail khushail added p1 effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-review and removed needs-triage This issue or PR still needs to be triaged. p1 labels Sep 21, 2023
@peterwoodworth
Contributor

peterwoodworth commented Sep 21, 2023

Will prefer to reopen the original thread. Thanks for bringing this up, and thanks @khushail for investigating.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.


3 participants