Merge pull request #250 from RomaricKanyamibwa/pr/update-api
Stop requiring --sse=AES256 when uploading to S3
RomaricKanyamibwa authored Jun 20, 2024
2 parents 2f687cf + 1795c74 commit 63904be
Showing 15 changed files with 1 addition and 406 deletions.
44 changes: 0 additions & 44 deletions src/e3/aws/troposphere/s3/bucket.py
Expand Up @@ -18,8 +18,6 @@

if TYPE_CHECKING:
from e3.aws.troposphere import Stack
from e3.aws.troposphere.iam.policy_statement import ConditionType

from typing import Any


Expand Down Expand Up @@ -87,48 +85,6 @@ def __init__(
self.authorized_encryptions
), "At least one authorized s3 encryption should be provided"

# The one element case is needed for retrocompatibility
# with stacks deployed with older versions of e3-aws
condition: ConditionType
if len(self.authorized_encryptions) == 1:
condition = {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": self.authorized_encryptions[
0
].value
}
}
else:
condition = {
"ForAllValues:StringNotEquals": {
"s3:x-amz-server-side-encryption": [
enc.value for enc in self.authorized_encryptions
]
}
}

self.policy_statements.extend(
[
# Deny to store object not encrypted with AES256 encryption
PolicyStatement(
action="s3:PutObject",
effect="Deny",
resource=self.all_objects_arn,
principal={"AWS": "*"},
condition=condition,
),
# Deny to store non encrypted objects
# (??? do we really need that statement)
PolicyStatement(
action="s3:PutObject",
effect="Deny",
resource=self.all_objects_arn,
principal={"AWS": "*"},
condition={"Null": {"s3:x-amz-server-side-encryption": "true"}},
),
]
)

@property
def policy_document(self) -> PolicyDocument:
"""Return PolicyDocument to be attached to the bucket."""
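--- a/tests/tests_e3_aws/troposphere/config/config_test.py
+++ b/tests/tests_e3_aws/troposphere/config/config_test.py
@@ -162,26 +162,6 @@
 "Resource": "arn:aws:s3:::config-test-bucket/*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
 },
-{
-"Effect": "Deny",
-"Principal": {"AWS": "*"},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::config-test-bucket/*",
-"Condition": {
-"StringNotEquals": {
-"s3:x-amz-server-side-encryption": "AES256"
-}
-},
-},
-{
-"Effect": "Deny",
-"Principal": {"AWS": "*"},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::config-test-bucket/*",
-"Condition": {
-"Null": {"s3:x-amz-server-side-encryption": "true"}
-},
-},
 {
 "Effect": "Allow",
 "Principal": {"Service": "config.amazonaws.com"},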
Expand Up @@ -44,32 +44,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
Expand Up @@ -44,32 +44,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
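--- a/tests/tests_e3_aws/troposphere/s3/bucket-with-roles.json
+++ b/tests/tests_e3_aws/troposphere/s3/bucket-with-roles.json
@@ -44,32 +44,6 @@
 "aws:SecureTransport": "false"
 }
 }
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
-"Condition": {
-"StringNotEquals": {
-"s3:x-amz-server-side-encryption": "AES256"
-}
-}
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
-"Condition": {
-"Null": {
-"s3:x-amz-server-side-encryption": "true"
-}
-}
 }
 ]
 }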
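--- a/tests/tests_e3_aws/troposphere/s3/bucket.json
+++ b/tests/tests_e3_aws/troposphere/s3/bucket.json
@@ -109,32 +109,6 @@
 "aws:SecureTransport": "false"
 }
 }
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket/*",
-"Condition": {
-"StringNotEquals": {
-"s3:x-amz-server-side-encryption": "AES256"
-}
-}
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket/*",
-"Condition": {
-"Null": {
-"s3:x-amz-server-side-encryption": "true"
-}
-}
 }
 ]
 }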
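--- a/tests/tests_e3_aws/troposphere/s3/bucket_multi_encryption.json
+++ b/tests/tests_e3_aws/troposphere/s3/bucket_multi_encryption.json
@@ -35,35 +35,6 @@
 "aws:SecureTransport": "false"
 }
 }
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket/*",
-"Condition": {
-"ForAllValues:StringNotEquals": {
-"s3:x-amz-server-side-encryption": [
-"AES256",
-"aws:kms"
-]
-}
-}
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::test-bucket/*",
-"Condition": {
-"Null": {
-"s3:x-amz-server-side-encryption": "true"
-}
-}
 }
 ]
 }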
Expand Up @@ -64,32 +64,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
Expand Up @@ -45,36 +45,10 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
},
"Type": "AWS::S3::BucketPolicy"
}
}
}
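--- a/tests/tests_e3_aws/troposphere/s3websitedistribution.json
+++ b/tests/tests_e3_aws/troposphere/s3websitedistribution.json
@@ -45,32 +45,6 @@
 }
 }
 },
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::host-bucket/*",
-"Condition": {
-"StringNotEquals": {
-"s3:x-amz-server-side-encryption": "AES256"
-}
-}
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::host-bucket/*",
-"Condition": {
-"Null": {
-"s3:x-amz-server-side-encryption": "true"
-}
-}
-},
 {
 "Effect": "Allow",
 "Principal": {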
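--- a/tests/tests_e3_aws/troposphere/s3websitedistribution_bucket.json
+++ b/tests/tests_e3_aws/troposphere/s3websitedistribution_bucket.json
@@ -45,32 +45,6 @@
 }
 }
 },
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::host-bucket/*",
-"Condition": {
-"StringNotEquals": {
-"s3:x-amz-server-side-encryption": "AES256"
-}
-}
-},
-{
-"Effect": "Deny",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::host-bucket/*",
-"Condition": {
-"Null": {
-"s3:x-amz-server-side-encryption": "true"
-}
-}
-},
 {
 "Effect": "Allow",
 "Principal": {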