Show HN: Provision AWS S3 buckets safely with least privilege using Terraform (github.com)
7 points by skuenzli 20 days ago | 3 comments

(Author & k9 Security Founder)

Thanks for taking a look at our Terraform module designed to help Cloud teams protect data in AWS S3, quickly and confidently. Feedback appreciated :)

We are trying to improve the usability of Cloud security.

Specifically, we've heard that the AWS security model is too complex and difficult to validate.

Configuring a least privilege bucket policy is amongst the most difficult AWS security challenges and a problem we're trying to solve for non-security experts.

Do you feel like this module makes it easy to understand what access the author intends to grant? What makes that difficult?



> 1. configure several distinct S3 resources: the bucket, the bucket policy, 'block public access' configurations
> 2. create security policies that allow access by authorized principals and denies everyone else
> 3. adjust standard Terraform resource configurations which generally mirror AWS API defaults to current best practice
> 4. capture enough context to scale security, governance, risk, and compliance activities efficiently

I feel like the biggest challenge is awareness of these problems. People usually do just enough to "make it work." I just kicked the tires on this module and it "made it work" out of the box.

How do you see people managing a "migration" to this module?

Thanks for the feedback!

re Problem Awareness

I agree that being aware that your security policy doesn't do what you think it does is definitely a problem. We're working on that too with reports of your actual, effective access and educational materials.

Let's illustrate this problem with an example. Many people don't realize the problems around using IAM policies with wildcard resource conditions. This results in incidents like a role for a firewall application having access to unrelated data for a credit application.

A principal (IAM user or role) with an IAM security policy that allows calling an API action like `s3:GetObject` on all resources means that principal can access objects inside any bucket within the AWS account by default.

This DenyEveryoneElse statement: https://github.com/k9securityio/tf_s3_bucket/blob/master/exa... prevents access by unauthorized principals at the bucket level.

re Migration

There are at least two ways to migrate to this module:

First, if you are already using Terraform and want to try out a better bucket policy, you can use the policy submodule directly. This is described in the README and demonstrated in the tests: https://github.com/k9securityio/tf_s3_bucket/blob/master/tes...

Second, if you want to migrate an existing bucket into this Terraform module, you can use `terraform import` or `terraform mv` to migrate the AWS bucket resource into a new Terraform module definition.

I'd be happy to speak with you and anyone else about AWS security problems. Contact info in profile.
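To make the wildcard-resource problem and the DenyEveryoneElse fix from the reply above concrete, here is a small policy evaluator. It is an added example written for this thread, not code from the tf_s3_bucket module or from k9 Security. It models the same-account evaluation rule in simplified form (a request is allowed if the identity policy or the bucket policy allows it and neither contains a matching explicit Deny) and supports only `Action`/`Resource` wildcards plus `ArnEquals`/`ArnNotEquals` on `aws:PrincipalArn`; SCPs, permission boundaries, session policies and other condition keys are out of scope. The role ARNs, bucket name and the exact shape of the `DenyEveryoneElse` statement are constructed for illustration and are assumptions, not copied from the module.

```python
"""Simplified IAM identity policy + S3 bucket policy evaluation (constructed example).

Same-account rule modelled here: allow if any applicable statement in the identity
policy or the bucket policy allows the request, unless an applicable statement in
either policy explicitly denies it. Everything else about real IAM evaluation is
deliberately out of scope.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard matching ('*' and '?') for Action, Resource and ARN values
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    # Identity policies carry no Principal element, so they apply to the caller
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return _matches(arns, principal_arn)


def _condition_matches(statement, principal_arn):
    for operator, key_values in statement.get("Condition", {}).items():
        if operator not in ("ArnEquals", "ArnNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in key_values.items():
            if key != "aws:PrincipalArn":
                raise ValueError(f"unsupported condition key: {key}")
            hit = _matches(patterns, principal_arn)
            if (operator == "ArnEquals" and not hit) or (operator == "ArnNotEquals" and hit):
                return False
    return True


def _statement_applies(statement, principal_arn, action, resource):
    return (_principal_matches(statement, principal_arn)
            and _matches(statement["Action"], action)
            and _matches(statement["Resource"], resource)
            and _condition_matches(statement, principal_arn))


def evaluate(identity_policy, bucket_policy, principal_arn, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in (identity_policy, bucket_policy):
        for statement in policy.get("Statement", []):
            if not _statement_applies(statement, principal_arn, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny always wins
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed sample identities and bucket (hypothetical account 111111111111)
FIREWALL_ROLE = "arn:aws:iam::111111111111:role/firewall-app"
CREDIT_ROLE = "arn:aws:iam::111111111111:role/credit-app"
CREDIT_BUCKET = "arn:aws:s3:::credit-app-data"

# The over-broad identity policy from the thread: s3:GetObject on Resource "*"
WILDCARD_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# Bucket policy that only says who is allowed (no deny for anyone else)
OPEN_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCreditApp",
        "Effect": "Allow",
        "Principal": {"AWS": CREDIT_ROLE},
        "Action": "s3:GetObject",
        "Resource": f"{CREDIT_BUCKET}/*",
    }],
}

# Same allow plus a DenyEveryoneElse statement; its exact form is an assumption
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": OPEN_BUCKET_POLICY["Statement"] + [{
        "Sid": "DenyEveryoneElse",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [CREDIT_BUCKET, f"{CREDIT_BUCKET}/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [CREDIT_ROLE]}},
    }],
}


def effective_access(bucket_policy):
    """Map each sample role to its result for reading one credit-app object."""
    obj = f"{CREDIT_BUCKET}/applications/42.json"
    return {
        role.rsplit("/", 1)[1]: evaluate(WILDCARD_READ_POLICY, bucket_policy, role, "s3:GetObject", obj)
        for role in (FIREWALL_ROLE, CREDIT_ROLE)
    }


if __name__ == "__main__":
    print("without DenyEveryoneElse:", effective_access(OPEN_BUCKET_POLICY))
    print("with DenyEveryoneElse:   ", effective_access(HARDENED_BUCKET_POLICY))
```

With only the bucket-level Allow, the firewall role still reads credit-app objects because its own wildcard identity policy grants `s3:GetObject` everywhere; once the bucket policy carries the explicit Deny for every principal except the authorized one, that read becomes an explicit deny while the credit-app role keeps its access. The point the reply makes is visible in the evaluation: the bucket policy is the only place the bucket owner controls, so it has to deny, not merely omit, the principals it does not intend to admit.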
