
Show HN: Provision AWS S3 buckets safely with least privilege using Terraform - skuenzli
https://github.com/k9securityio/tf_s3_bucket
======
skuenzli
(Author & k9 Security Founder)

Thanks for taking a look at our Terraform module designed to help Cloud teams
protect data in AWS S3, quickly and confidently. Feedback appreciated :)

We are trying to improve the usability of Cloud security.

Specifically, we've heard that the AWS security model is too complex and
difficult to validate.

Configuring a least privilege bucket policy is amongst the most difficult AWS
security challenges and a problem we're trying to solve for non-security
experts.

Do you feel like this module makes it easy to understand what access the
author _intends_ to grant? What makes that difficult?

Thanks!

Stephen

~~~
zerotolerance
> 1. configure several distinct S3 resources: the bucket, the bucket policy,
>    'block public access' configurations
> 2. create security policies that allow access by authorized principals and
>    denies everyone else
> 3. adjust standard Terraform resource configurations which generally mirror
>    AWS API defaults to current best practice
> 4. capture enough context to scale security, governance, risk, and
>    compliance activities efficiently

I feel like the biggest challenge is awareness of these problems. People
usually do just enough to "make it work." I just kicked the tires on this
module and it "made it work" out of the box.

How do you see people managing a "migration" to this module?

~~~
skuenzli
Thanks for the feedback!

 _re Problem Awareness_

I agree being aware that your security policy doesn't do what you think it
does is definitely a problem. We're working on that too with reports of your
actual, effective access and educational materials.

Let's illustrate this problem with an example. Many people don't realize the
problems around using IAM policies with wildcard resource conditions. This
results in incidents like a role for a firewall application having access to
unrelated data for a credit application.

A principal (IAM user or role) with an IAM security policy that allows calling
an API action like `s3:GetObject` on all resources means that principal can
access objects inside _any_ bucket within the AWS account by default.

This DenyEveryoneElse statement:
[https://github.com/k9securityio/tf_s3_bucket/blob/master/exa...](https://github.com/k9securityio/tf_s3_bucket/blob/master/examples/generated.least_privilege_policy.json#L123)

prevents access by unauthorized principals at the bucket level.

 _re Migration_

There are at least two ways to migrate to this module:

First, if you are already using Terraform and want to try out a better bucket
policy, you can use the policy submodule directly. This is described in the
README and demonstrated in the tests:
[https://github.com/k9securityio/tf_s3_bucket/blob/master/tes...](https://github.com/k9securityio/tf_s3_bucket/blob/master/test/fixtures/minimal/minimal.tf#L111)

Second, if you want to migrate an existing bucket into this Terraform module,
you can use `terraform import` or `terraform mv` to migrate the AWS bucket
resource into a new Terraform module definition.

I'd be happy to speak with you and anyone else about AWS security problems.
Contact info in profile.
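Added example, not code from the tf_s3_bucket module or from anyone in this thread: a deliberately simplified Python model of same-account IAM evaluation (an explicit Deny wins, otherwise any Allow suffices) that shows how a wildcard-resource `s3:GetObject` grant reaches an unrelated bucket, and how a bucket-level deny-everyone-else statement closes that gap. The account id, role names, bucket name and the exact policy shape are constructed for illustration and are not the module's generated policy.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed account id
FIREWALL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/firewall-app"  # constructed
CREDIT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/credit-app"      # constructed

# Identity policies attached to each role: the common over-broad grant of
# s3:GetObject on Resource "*", i.e. every bucket in the account.
IDENTITY_POLICIES = {
    FIREWALL_ROLE: [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"]}],
    CREDIT_ROLE: [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"]}],
}

def deny_everyone_else(bucket, authorized_arns):
    """Bucket policy statement in the spirit of DenyEveryoneElse: deny every
    principal except the listed ARNs, on the bucket and every object in it."""
    return {
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:*"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": authorized_arns}},
    }

def _statement_applies(stmt, principal, action, resource):
    """True when Action and Resource match and the (optional) ArnNotEquals
    condition on aws:PrincipalArn holds for this principal."""
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    excluded = stmt.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn", [])
    # ArnNotEquals is false (statement does not apply) for listed principals.
    return not (excluded and principal in excluded)

def is_allowed(principal, action, resource, bucket_policy):
    """Simplified same-account evaluation: any applicable explicit Deny wins;
    otherwise an Allow from the identity policy or the bucket policy suffices."""
    stmts = IDENTITY_POLICIES.get(principal, []) + bucket_policy
    applicable = [s for s in stmts if _statement_applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)

if __name__ == "__main__":
    obj = "arn:aws:s3:::credit-data/loans.csv"  # constructed object ARN
    policy = [deny_everyone_else("credit-data", [CREDIT_ROLE])]
    print("firewall, no bucket policy:", is_allowed(FIREWALL_ROLE, "s3:GetObject", obj, []))
    print("firewall, with DenyEveryoneElse:", is_allowed(FIREWALL_ROLE, "s3:GetObject", obj, policy))
    print("credit app, with DenyEveryoneElse:", is_allowed(CREDIT_ROLE, "s3:GetObject", obj, policy))
```

The model ignores cross-account rules, SCPs, permission boundaries and ArnLike wildcards, which is enough to show why the bucket-level deny matters even when the identity policy is never fixed.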

