Scope down dataset sharing requester IAM role managed IAM policy S3 permissions

backend/dataall/modules/s3_datasets_shares/services/managed_share_policy_service.py

@@ -66,10 +66,15 @@ def add_missing_resources_to_policy_statement(
         index = self._get_statement_by_sid(policy_document, statement_sid)
         if index is None:
             log.info(f'{statement_sid} does NOT exists for Managed policy {policy_name} ' f'creating statement...')
+            policy_actions = (
+                [f'{resource_type}:List*', f'{resource_type}:Describe*', f'{resource_type}:GetObject']
+                if resource_type == 's3'
+                else [f'{resource_type}:*']
+            )
             additional_policy = {
                 'Sid': statement_sid,
                 'Effect': 'Allow',
-                'Action': [f'{resource_type}:*'],
+                'Action': policy_actions,
                 'Resource': target_resources,
             }
             policy_document['Statement'].append(additional_policy)
@@ -209,7 +214,7 @@ def _update_policy_resources_from_inline_policy(self, policy, statement_sid, exi
             additional_policy = {
                 'Sid': f'{statement_sid}S3',
                 'Effect': 'Allow',
-                'Action': ['s3:*', 's3:List*', 's3:Describe*'],
+                'Action': ['s3:List*', 's3:Describe*', 's3:GetObject'],
                 'Resource': existing_s3,
             }
             policy['Statement'].append(additional_policy)

tests/modules/datasets/tasks/test_s3_access_point_share_manager.py

@@ -344,7 +344,7 @@ def test_grant_target_role_access_policy_test_empty_policy(
             {
                 'Sid': f'{IAM_S3_ACCESS_POINTS_STATEMENT_SID}S3',
                 'Effect': 'Allow',
-                'Action': ['s3:*'],
+                'Action': ['s3:List*', 's3:Describe*', 's3:GetObject'],
                 'Resource': [
                     f'arn:aws:s3:::{location1.S3BucketName}',
                     f'arn:aws:s3:::{location1.S3BucketName}/*',

tests/modules/datasets/tasks/test_s3_bucket_share_manager.py

@@ -465,7 +465,9 @@ def test_grant_s3_iam_access_with_no_policy(mocker, dataset2, share2_manager):
     assert len(iam_policy['Statement'][kms_index]['Resource']) == 1
     assert (
         f'arn:aws:s3:::{dataset2.S3BucketName}' in iam_policy['Statement'][s3_index]['Resource']
-        and 's3:*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:List*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:Describe*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:GetObject' in iam_policy['Statement'][s3_index]['Action']
     )
     assert (
         f'arn:aws:kms:{dataset2.region}:{dataset2.AwsAccountId}:key/kms-key'
@@ -519,7 +521,9 @@ def test_grant_s3_iam_access_with_empty_policy(mocker, dataset2, share2_manager)
     assert len(iam_policy['Statement'][kms_index]['Resource']) == 1
     assert (
         f'arn:aws:s3:::{dataset2.S3BucketName}' in iam_policy['Statement'][s3_index]['Resource']
-        and 's3:*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:List*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:Describe*' in iam_policy['Statement'][s3_index]['Action']
+        and 's3:GetObject' in iam_policy['Statement'][s3_index]['Action']
     )
     assert (
         f'arn:aws:kms:{dataset2.region}:{dataset2.AwsAccountId}:key/kms-key'