I have a Query about AWS S3 bucket policy

Time: 03-31

I have an AWS S3 bucket in account A. This bucket was created by AWS Control Tower and is used for collecting logs from all other accounts in my org.

I was trying to understand the bucket policy, which is something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
                "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AWSBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
        },
        {
            "Sid": "AWSConfigBucketExistenceCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
        },
        {
            "Sid": "AWSBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
        }
    ]
}

Now all other accounts in my org are able to dump their CloudTrail logs into this S3 bucket. But I don't get one thing: I did not specify any particular or individual account number, but still other accounts are able to write content to this bucket. Although I do see the principal, which mentions the relevant service names that can dump, shouldn't it only be for this account itself?

CodePudding user response:

Let's analyze the rules one by one:

The first rule only says that no access without SSL is possible; it does nothing if the SSL layer is present:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "AllowSSLRequestsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
            "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
        ],
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "false"
            }
        }
    },

The next two actions allow only reads:

    {
        "Sid": "AWSBucketPermissionsCheck",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "config.amazonaws.com",
                "cloudtrail.amazonaws.com"
            ]
        },
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
    },
    {
        "Sid": "AWSConfigBucketExistenceCheck",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "config.amazonaws.com",
                "cloudtrail.amazonaws.com"
            ]
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
    },

So the only action which allows any writing is this one:

    {
        "Sid": "AWSBucketDelivery",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "config.amazonaws.com",
                "cloudtrail.amazonaws.com"
            ]
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
    }
]
}

And it says the following: you can put objects under /o-1234/AWSLogs as long as you are one of the following two AWS services: Config or CloudTrail.

Clearly, if knowing the bucket name and the org ID allows me to persuade Config or CloudTrail to use that bucket, I cannot see anything that would stop me from doing that, except for some internal protection inside those services.

Based on this document:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html

It seems that to allow an account 111111111111 to write to that bucket you should use the following ARN pattern: "arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/111111111111/*"

So while the answer provided by @izayoi does not provide any explanation, it is still correct. The CloudTrail service should guarantee that it will always use that account ID in the log path, so you can narrow down the access by listing all your account numbers. Of course, it must be updated with each new account.

Conclusion: yes, knowing the bucket name and your organization ID should allow every AWS account in the world to use your bucket for CloudTrail logging with the current policy... interesting. I would probably go with listing your account numbers.
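To make the statement-by-statement reasoning in this answer concrete, here is an added example (mine, not the answer author's, the question author's, or AWS's code). It rebuilds the policy from the question in Python, runs a deliberately simplified policy evaluator over it (explicit Deny wins, then any matching Allow, otherwise implicit Deny; only Service principals, `*` wildcards and the `Bool` condition on `aws:SecureTransport` are modelled, which is far less than real IAM evaluation), and then narrows the `AWSBucketDelivery` statement to an explicit account list using the per-account ARN pattern from the CloudTrail documentation linked above. The account IDs `111111111111`, `222222222222` and `999999999999` are constructed sample values.

```python
"""Added example: evaluate the Control Tower log-bucket policy and narrow it.

Not code from the original post. The evaluator is a deliberate simplification
of IAM policy evaluation (assumption: Service principals, '*' wildcards and
Bool conditions on aws:SecureTransport only).
"""
import copy
import fnmatch

BUCKET = "aws-controltower-logs-12345656-us-east-1"  # bucket name from the question
ORG_PREFIX = "o-1234"                                 # org ID prefix from the question
LOG_SERVICES = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]


def _service_allow(sid, action, resource):
    """Build one of the three service-principal Allow statements from the question."""
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": LOG_SERVICES},
            "Action": action, "Resource": resource}


# The policy shown in the question, reconstructed so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        _service_allow("AWSBucketPermissionsCheck", "s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}"),
        _service_allow("AWSConfigBucketExistenceCheck", "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        _service_allow("AWSBucketDelivery", "s3:PutObject",
                       f"arn:aws:s3:::{BUCKET}/{ORG_PREFIX}/AWSLogs/*/*"),
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, service):
    if principal == "*":
        return True
    return service in _as_list(principal.get("Service", []))


def _condition_matches(condition, ctx):
    # Only the Bool operator is modelled; every listed key must match the request context.
    for key, want in condition.get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != str(want).lower():
            return False
    return True


def evaluate(policy, service, action, resource, secure_transport=True):
    """Return 'Allow' or 'Deny' for a request by the given AWS service principal.

    Explicit Deny always wins; with no matching Allow the result is an implicit Deny.
    IAM's '*' matches across '/' just like fnmatch's '*' does here.
    """
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], service):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def wildcard_account_paths(policy):
    """Sids of Allow statements whose resource still has '*' in the AWSLogs/<account>/ slot."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for res in _as_list(st["Resource"]):
            parts = res.split("/")
            if "AWSLogs" in parts:
                i = parts.index("AWSLogs")
                if i + 1 < len(parts) and "*" in parts[i + 1]:
                    hits.append(st["Sid"])
    return hits


def narrow_delivery(policy, account_ids, sid="AWSBucketDelivery"):
    """Copy of the policy with the delivery statement limited to explicit account IDs,
    using the pattern .../AWSLogs/<account-id>/* from the CloudTrail documentation."""
    narrowed = copy.deepcopy(policy)
    for st in narrowed["Statement"]:
        if st.get("Sid") == sid:
            st["Resource"] = [f"arn:aws:s3:::{BUCKET}/{ORG_PREFIX}/AWSLogs/{acct}/*"
                              for acct in sorted(account_ids)]
    return narrowed


if __name__ == "__main__":
    # Constructed sample: an account that is NOT in the org, writing under its own ID.
    stray = f"arn:aws:s3:::{BUCKET}/{ORG_PREFIX}/AWSLogs/999999999999/trail.json.gz"
    print("original policy, stray account:", evaluate(POLICY, LOG_SERVICES[1], "s3:PutObject", stray))
    print("wildcard account slots:", wildcard_account_paths(POLICY))
    fixed = narrow_delivery(POLICY, {"111111111111", "222222222222"})
    print("narrowed policy, stray account:", evaluate(fixed, LOG_SERVICES[1], "s3:PutObject", stray))
    print("wildcard account slots after narrowing:", wildcard_account_paths(fixed))
```

Running the block shows the point of the answer: with the original policy the CloudTrail principal may write under any account ID beneath `o-1234/AWSLogs/`, while after narrowing only the listed accounts' prefixes are writable. The `wildcard_account_paths` check is the kind of lint one would run over a log bucket policy before and after editing it; remember that the narrowed list must be extended whenever an account joins the organization, exactly as the answer notes.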

CodePudding user response:

"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"

The first "*" matches all account numbers.
