by skuenzli 2199 days ago
Thanks for the feedback!

re Problem Awareness

I agree that being aware that your security policy doesn't do what you think it does is definitely a problem. We're working on that too, with reports of your actual, effective access and educational materials.

Let's illustrate this problem with an example. Many people don't realize the problems around using IAM policies with wildcard resource conditions. This results in incidents like a role for a firewall application having access to unrelated data for a credit application.

A principal (IAM user or role) with an IAM security policy that allows calling an API action like `s3:GetObject` on all resources means that principal can access objects inside any bucket within the AWS account by default.

This DenyEveryoneElse statement: https://github.com/k9securityio/tf_s3_bucket/blob/master/exa...

prevents access by unauthorized principals at the bucket level.

re Migration

There are at least two ways to migrate to this module:

First, if you are already using Terraform and want to try out a better bucket policy, you can use the policy submodule directly. This is described in the README and demonstrated in the tests: https://github.com/k9securityio/tf_s3_bucket/blob/master/tes...

Second, if you want to migrate an existing bucket into this Terraform module, you can use `terraform import` or `terraform mv` to migrate the AWS bucket resource into a new Terraform module definition.

I'd be happy to speak with you and anyone else about AWS security problems. Contact info in profile.
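The "wildcard resource" problem and the bucket-level deny described in the comment above, as an added example that is not part of the original post and not the tf_s3_bucket module's own code. It models the same-account IAM decision (any explicit Deny wins, otherwise an Allow from the identity policy or the bucket policy grants access) with a deliberately simplified evaluator; the role ARNs, bucket name, and the `DenyEveryoneElse` statement shape (a `Deny` on `Principal: "*"` with an `ArnNotEquals` condition on `aws:PrincipalArn`) are assumptions constructed for illustration.

```python
"""Simplified model of how an identity policy with a wildcard resource and a
bucket policy with a DenyEveryoneElse statement combine for S3 access.
Same-account rule of thumb: explicit Deny > Allow > implicit deny."""
import fnmatch
from typing import Iterable, List

# Constructed sample principals and bucket (hypothetical, not from the page).
ACCOUNT = "123456789012"
FIREWALL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/firewall-app"
CREDIT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/credit-app"
CREDIT_BUCKET = "credit-app-data"
CREDIT_OBJECT = f"arn:aws:s3:::{CREDIT_BUCKET}/applications/123.json"

# The mistake from the comment: the firewall role may GetObject on ANY resource.
FIREWALL_IDENTITY_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]
}

# The credit role is scoped to its own bucket's objects.
CREDIT_IDENTITY_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{CREDIT_BUCKET}/*"}]
}


def deny_everyone_else_bucket_policy(bucket: str, allowed: Iterable[str]) -> dict:
    """Illustrative bucket policy: deny every principal whose ARN is not in
    `allowed`. (Assumed shape; the real module's statement may differ.)"""
    return {
        "Statement": [{
            "Sid": "DenyEveryoneElse",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(allowed)}},
        }]
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, principal: str, action: str, resource: str) -> bool:
    """Does this statement match the request? Action/Resource use IAM-style
    glob matching; Principal "*" matches anyone; ArnNotEquals exempts listed ARNs."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    spec = stmt.get("Principal")  # identity policies carry no Principal element
    if spec is not None and spec != "*":
        if principal not in _as_list(spec.get("AWS", []) if isinstance(spec, dict) else spec):
            return False
    cond = stmt.get("Condition", {})
    exempt = _as_list(cond.get("ArnNotEquals", {}).get("aws:PrincipalArn", []))
    if exempt and principal in exempt:
        return False  # condition is false for an allowed principal; statement skipped
    return True


def is_allowed(principal: str, action: str, resource: str,
               identity_policy: dict, bucket_policy: dict = None) -> bool:
    """Same-account evaluation: any matching explicit Deny wins, then any Allow."""
    policies = [identity_policy] + ([bucket_policy] if bucket_policy else [])
    matched = [s for p in policies for s in p["Statement"]
               if _statement_applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def effective_access(bucket_policy: dict = None) -> dict:
    """Who can read a credit-application object, with or without the bucket policy."""
    return {
        "firewall": is_allowed(FIREWALL_ROLE, "s3:GetObject", CREDIT_OBJECT,
                               FIREWALL_IDENTITY_POLICY, bucket_policy),
        "credit": is_allowed(CREDIT_ROLE, "s3:GetObject", CREDIT_OBJECT,
                             CREDIT_IDENTITY_POLICY, bucket_policy),
    }


if __name__ == "__main__":
    print("identity policies only:", effective_access())
    policy = deny_everyone_else_bucket_policy(CREDIT_BUCKET, [CREDIT_ROLE])
    print("with DenyEveryoneElse :", effective_access(policy))
```

Without the bucket policy the firewall role reads credit-application data purely because its identity policy says `Resource: "*"`; adding the bucket-level deny closes that path while the credit role, which is listed in the condition, keeps its access. Real IAM evaluation has more cases (cross-account requests, permission boundaries, session policies), so treat this as a model of the one interaction the comment describes.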