
Minor cleanups #50

Merged
merged 2 commits into from
Apr 15, 2024

Conversation


@Nuru Nuru commented Apr 15, 2024

what

Minor fixes to several SCPs

  • DenyLambdaWithoutVpc was previously invalid. It is now valid, but has not been thoroughly tested to ensure it does what it promises.
  • DenyRDSUnencrypted was fixed to deny rds:RestoreDBClusterFromSnapshot when not encrypted. Previously this action was not denied, and instead the nonexistent RestoreDBClusterFromDBSnapshot was denied.
  • The DenyS3BucketsPublicAccess policy was cleaned up by eliminating the nonexistent s3:DeletePublicAccessBlock action. Note that it still is probably not something you want to use, because it denies enabling a public access block as well as removing one. We hope to have a better policy in the future.
  • The Region Restriction Templates DenyRegions and RestrictToSpecifiedRegions were updated to exclude the account, artifact, and supportplans services from region restrictions, since they are global services. The obsolete awsbillingconsole service was removed.
  • DenyS3InNonSelectedRegion was fixed to allow users to allow S3 bucket creation in us-east-1. Previously us-east-1 was always prohibited even when expressly allowed, due to quirks in S3.

why

  • Restore intended behavior

references
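The region-restriction fix in the description above (carving global services such as account, artifact and supportplans out of the deny) as an added illustration, not code from this repository: a Deny statement in the documented AWS SCP shape (NotAction plus a StringNotEquals condition on aws:RequestedRegion) and a deliberately simplified evaluator that shows why a request to a global service is blocked unless the service is excluded. The allowed-region list and the extra global services (iam, sts, organizations) are constructed sample values, and the evaluator handles only this statement shape, not full IAM semantics.

```python
import json

# Constructed sample values; the real templates take these as inputs.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Global services carved out of the region restriction. The PR names
# account, artifact and supportplans; iam, sts and organizations are
# added here as an assumption about other commonly excluded services.
GLOBAL_SERVICES = ["account", "artifact", "supportplans", "iam", "sts", "organizations"]


def region_restriction_scp(allowed_regions, global_services):
    """Build the deny statement in the shape AWS documents for region SCPs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            # NotAction: the deny applies to every action EXCEPT these.
            "NotAction": [f"{svc}:*" for svc in global_services],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
        }],
    }


def _action_matches(pattern, action):
    """Match 'svc:*' or 'svc:Op' against a concrete 'svc:Op' action name."""
    svc_p, _, op_p = pattern.partition(":")
    svc, _, op = action.partition(":")
    return svc_p == svc and (op_p == "*" or op_p == op)


def is_denied(policy, action, requested_region):
    """Simplified evaluator for Deny/NotAction/aws:RequestedRegion statements only.
    It is not an IAM policy engine; it exists to make the carve-out visible."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # excluded by NotAction, so this deny does not apply
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(region_restriction_scp(ALLOWED_REGIONS, GLOBAL_SERVICES), indent=2))
```

Passing an empty carve-out list reproduces the pre-fix behaviour, where a call to a global service made outside the allowed regions is denied.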

@Nuru Nuru added the bugfix Change that restores intended behavior label Apr 15, 2024
@Nuru Nuru requested review from a team as code owners April 15, 2024 02:01
@Nuru Nuru requested review from kevcube, Gowiem and hans-d April 15, 2024 02:01
@Nuru Nuru enabled auto-merge (squash) April 15, 2024 02:30

@dudymas dudymas left a comment


LGTM

for what it's worth, DeletePublicAccessBlock does require PUT permissions so you don't need to keep it in the deny policy, but you can always leave it in the policy to help folks know that it's denied.

@Nuru Nuru merged commit 5bfeb94 into main Apr 15, 2024
10 checks passed
@Nuru Nuru deleted the cleanups branch April 15, 2024 10:46

Nuru commented Apr 15, 2024

> LGTM
>
> for what it's worth, DeletePublicAccessBlock does require PUT permissions so you don't need to keep it in the deny policy, but you can always leave it in the policy to help folks know that it's denied.

DeletePublicAccessBlock is not a valid IAM permission and, when given the opportunity, policy validators complain about it, which is why I removed it. Like you said, the DeletePublicAccessBlock action requires the PutBucketPublicAccessBlock permission. (ref)

Development

Successfully merging this pull request may close these issues.

Some global services are denied by region control policies