Deny s3:ListBucket #203

Merged
merged 2 commits into from
Jan 8, 2019
@chrsmith chrsmith commented Jan 7, 2019

Update the static website on AWS example to deny the s3:ListBucket permission. We set the "public-read" ACL on the bucket, so that CloudFront can read the bucket's contents. However, just following best practices with regard to content security, we deny the s3:ListBucket permission to prevent unintentional disclosure of the website's contents.

See pulumi/get.pulumi.com#33, pulumi/docs#734

@chrsmith chrsmith requested a review from ellismg January 7, 2019 19:25
ellismg commented Jan 8, 2019

Do you think it is reasonable to expand the comment to say that while ListBucket is denied it is still possible for someone to guess a valid URL and in that case this infrastructure would serve the file?

@ellismg ellismg left a comment

LGTM. Might want to expand the comment to explain the subtle issue that anything you put in the bucket is still public, assuming you could guess the path.

@chrsmith chrsmith merged commit 71225e5 into master Jan 8, 2019
@pulumi-bot pulumi-bot deleted the chrsmith/deny-s3-listbucket branch January 8, 2019 04:35
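
The kind of bucket policy statement the description refers to, with a check that it really matches a ListBucket request, as an added example that is not the code from this pull request. The bucket name and every helper name are hypothetical; as the review comment notes, such a Deny does not cover `s3:GetObject`, so objects stay readable at any known path.

```typescript
// Added example: the bucket name and all helper names are hypothetical.
type OneOrMany = string | string[];
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: OneOrMany };
  Action: OneOrMany;
  Resource: OneOrMany;
}
interface PolicyDocument { Version: string; Statement: Statement[] }

// s3:ListBucket is a bucket-level action, so the Deny names the bucket ARN
// itself. Principal "*" covers every caller, authenticated ones included.
function denyListBucketPolicy(bucket: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Deny",
      Principal: "*",
      Action: "s3:ListBucket",
      Resource: `arn:aws:s3:::${bucket}`,
    }],
  };
}

const toList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: "*" is any run of characters, "?" exactly one.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

function coversEveryone(p: Statement["Principal"]): boolean {
  return p === "*" || toList(p.AWS).indexOf("*") !== -1;
}

// True when an explicit Deny for all principals matches the request.
// Condition, NotAction and NotResource are not evaluated here.
function isDeniedForEveryone(policy: PolicyDocument, action: string, resource: string): boolean {
  return policy.Statement.some((s) =>
    s.Effect === "Deny" &&
    coversEveryone(s.Principal) &&
    toList(s.Action).some((a) => globMatch(a, action, true)) &&
    toList(s.Resource).some((r) => globMatch(r, resource, false)));
}
```

A Deny whose `Resource` is only `arn:aws:s3:::<bucket>/*` matches object ARNs, not the bucket ARN, so it leaves listing untouched; the check above returns `false` for that case.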
clstokes added a commit that referenced this pull request Jan 9, 2019
@clstokes clstokes mentioned this pull request Jan 9, 2019
clstokes added a commit that referenced this pull request Jan 14, 2019
* Revert "Deny s3:ListBucket (#203)"

This reverts commit 71225e5.
ramene pushed a commit to ramene/pulumi-kubeflow-ml that referenced this pull request Sep 7, 2019
* Deny s3:ListBucket

* Update comment
ramene pushed a commit to ramene/pulumi-kubeflow-ml that referenced this pull request Sep 7, 2019
* Revert "Deny s3:ListBucket (pulumi#203)"

This reverts commit 71225e5.
ramene pushed a commit to ramene/pulumi-kubeflow-ml that referenced this pull request Sep 13, 2019
* Deny s3:ListBucket

* Update comment
ramene pushed a commit to ramene/pulumi-kubeflow-ml that referenced this pull request Sep 13, 2019
* Revert "Deny s3:ListBucket (pulumi#203)"

This reverts commit 71225e5.
dixler pushed a commit that referenced this pull request Jan 21, 2022
* Deny s3:ListBucket

* Update comment
dixler pushed a commit that referenced this pull request Jan 21, 2022
* Revert "Deny s3:ListBucket (#203)"

This reverts commit 71225e5.