From df03cdf93e84d5b0b985e0cc01e2d12ca9095313 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Tue, 3 Dec 2024 21:31:40 +0100
Subject: [PATCH] Add bucket policies to Kubernetes infra s3 buckets

Signed-off-by: Mikkel Oscar Lyderik Larsen
---
 cluster/cluster.yaml | 18 +++++++++----
 cluster/config-defaults.yaml | 10 ++++++++
 cluster/etcd/stack.yaml | 49 ++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 5 deletions(-)

diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index b953dbb6b9..8f48957b5d 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -1041,7 +1041,6 @@ Resources:
 - "{{.Cluster.ConfigItems.deployment_service_api_role_arn}}"
 {{- end }}
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
- - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 DeploymentControllerRole:
 Type: AWS::IAM::Role
@@ -2218,6 +2217,19 @@ Resources:
 - !Sub
 - "${BucketArn}/*"
 - BucketArn: !GetAtt AuditTrailBucket.Arn
+ - Action: "s3:*"
+ Effect: Deny
+ Resource:
+ - !Sub "arn:aws:s3:::${AuditTrailBucket}/*"
+ - !Sub "arn:aws:s3:::${AuditTrailBucket}"
+ Principal: "*"
+ Condition:
+ ArnNotEquals:
+ aws:PrincipalArn:
+ - !GetAtt EmergencyAccessServiceIAMRole.Arn
+ - !GetAtt AudittrailAdapterIAMRole.Arn
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 {{- if .Cluster.ConfigItems.audittrail_root_account_role }}
 
 # Central access
@@ -2420,7 +2432,6 @@ Resources:
 Principal:
 AWS:
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
- - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 Action:
 - "kms:*"
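Review bot: The explicit Deny added to the AuditTrailBucket policy will also override whatever the `{{- if .Cluster.ConfigItems.audittrail_root_account_role }}` "Central access" block immediately below it grants, because an explicit Deny wins over every Allow and that principal is not in the `aws:PrincipalArn` exclusion list (the central-access statement itself is outside the hunk, so this is inferred from its comment). If that config item holds a role ARN, it should be added to the condition under the same template guard, e.g. `{{- if .Cluster.ConfigItems.audittrail_root_account_role }}` / `- "{{.Cluster.ConfigItems.audittrail_root_account_role}}"` / `{{- end }}`. Note too that a negated operator like `ArnNotEquals` evaluates true when `aws:PrincipalArn` is absent from the request context, so any AWS service principal delivering objects into this bucket would be denied as well; worth confirming nothing service-side writes to AuditTrailBucket before merging. A one-line comment on the statement would save the next person the analysis: `# Explicit deny for everyone else: it beats every Allow above, so each legitimate principal must be listed here.`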
@@ -2458,7 +2469,6 @@ Resources:
 Effect: "Allow"
 Principal:
 AWS:
- - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 Action:
 - "kms:*"
@@ -2496,7 +2506,6 @@ Resources:
 Principal:
 AWS:
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
- - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 Action:
 - "kms:*"
@@ -2533,7 +2542,6 @@ Resources:
 Principal:
 AWS:
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
- - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
 Action:
 - "kms:*"
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index 58fd3fa856..925adc5388 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -718,6 +718,16 @@ etcd_scalyr_key: ""
 
 etcd_ami: {{ amiID "zalando-ubuntu-etcd-production-v3.5.13-amd64-main-34" "861068367966"}}
 
+# Enable/Disable bucket policy on the etcd bucket to limit access to the local
+# cluster.
+# This can be disabled in environments where multiple clusters share a single
+# etcd instance e.g. e2e and dev environments.
+{{if eq .Cluster.Environment "e2e"}}
+etcd_backup_bucket_policy: "false"
+{{else}}
+etcd_backup_bucket_policy: "true"
+{{end}}
+
 cluster_dns: "coredns"
 coredns_log_svc_names: "true"
 coredns_log_forward: "false"
diff --git a/cluster/etcd/stack.yaml b/cluster/etcd/stack.yaml
index c0b3fc81c0..54c72c1f46 100644
--- a/cluster/etcd/stack.yaml
+++ b/cluster/etcd/stack.yaml
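Review bot: The comment on `etcd_backup_bucket_policy` says the policy can be disabled for "e2e and dev environments", but the default only switches it off for `e2e` (`{{if eq .Cluster.Environment "e2e"}}`), so a dev cluster that shares an etcd backup bucket with another cluster would run into the explicit Deny unless someone remembers to override the item. Either extend the condition to cover the other environment or make the comment say what the default actually does, e.g. `# Defaults to "false" only for e2e; any other cluster whose etcd backup bucket is shared must set this to "false" explicitly.` It would also help to note here that disabling the policy removes the Deny entirely, leaving the bucket protected by IAM alone, since that is the security trade-off a cluster owner is opting into.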
@@ -206,6 +206,55 @@ Resources:
 Status: Enabled
 VersioningConfiguration:
 Status: Suspended
+{{- if .Cluster.ConfigItems.etcd_backup_bucket_policy "true" }}
+ EtcdBackupBucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Properties:
+ Bucket: !Ref EtcdBackupBucket
+ PolicyDocument:
+ Statement:
+ # In-cluster access
+ - Action:
+ - s3:ListBucket
+ Effect: Allow
+ Principal:
+ AWS:
+ - "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
+ Resource:
+ - !GetAtt EtcdBackupBucket.Arn
+ - Action:
+ - s3:PutObject
+ Effect: Allow
+ Principal:
+ AWS:
+ - "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
+ Resource:
+ - !Sub
+ - "${BucketArn}/*"
+ - BucketArn: !GetAtt EtcdBackupBucket.Arn
+ - Action:
+ - s3:ListObjects
+ - s3:PutObject
+ Effect: Allow
+ Principal:
+ AWS:
+ - "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
+ Resource:
+ - !Sub
+ - "${BucketArn}/*"
+ - BucketArn: !GetAtt EtcdBackupBucket.Arn
+ - Action: "s3:*"
+ Effect: Deny
+ Resource:
+ - !Sub "arn:aws:s3:::${EtcdBackupBucket}/*"
+ - !Sub "arn:aws:s3:::${EtcdBackupBucket}"
+ Principal: "*"
+ Condition:
+ ArnNotEquals:
+ aws:PrincipalArn:
+ - "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
+{{- end }}
 EtcdRole:
 Type: AWS::IAM::Role
 Properties:
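Review bot: The guard `{{- if .Cluster.ConfigItems.etcd_backup_bucket_policy "true" }}` hands `"true"` to a plain config lookup as an argument, which Go's text/template refuses to execute (a field that is not a function cannot take arguments), so as far as I can tell the etcd stack fails to render at all; it should be `{{- if eq .Cluster.ConfigItems.etcd_backup_bucket_policy "true" }}`, the form config-defaults.yaml already uses. Second, the three Allow principals and the etcd-backup entry under `ArnNotEquals` are plain strings, so CloudFormation never substitutes `${AWS::AccountId}` in them, unlike the `!Sub` Administrator entry beside them: S3 will either reject the policy for an invalid principal or, if it accepts it, the real etcd-backup role never equals the literal string and is caught by the explicit Deny. Third, `s3:ListObjects` is not an IAM action (bucket listing is `s3:ListBucket`, already granted in the first statement) and that third statement otherwise repeats the `s3:PutObject` grant, so it should be dropped rather than risk a malformed-policy rejection. The name `{{.Cluster.LocalID}}-etcd-backup` is also assumed to match `EtcdRole` defined right below the hunk; if it is the same role, `!GetAtt EtcdRole.Arn` would avoid hand-building the ARN entirely. The corrected statements:
```yaml
{{- if eq .Cluster.ConfigItems.etcd_backup_bucket_policy "true" }}
  EtcdBackupBucketPolicy:
    # … unchanged: Type, Bucket, PolicyDocument/Statement header …
        # In-cluster access: the local etcd-backup role may list the bucket and write objects
        - Action:
            - s3:ListBucket
          Effect: Allow
          Principal:
            AWS:
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
          Resource:
            - !GetAtt EtcdBackupBucket.Arn
        - Action:
            - s3:PutObject
          Effect: Allow
          Principal:
            AWS:
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
          # … unchanged: Resource "${BucketArn}/*" …
        # third statement (s3:ListObjects + s3:PutObject) removed: ListObjects is not an IAM action, PutObject is granted above
        # Explicit deny for everyone else: it beats every Allow, so each legitimate principal must be listed here
        - Action: "s3:*"
          Effect: Deny
          # … unchanged: Resource, Principal: "*" …
          Condition:
            ArnNotEquals:
              aws:PrincipalArn:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-etcd-backup"
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
{{- end }}
```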