Stop using action wildcards and start explicitly listing permissions #15

Closed
3 tasks done
simonw opened this issue Nov 3, 2021 · 10 comments
simonw commented Nov 3, 2021

See #11 (comment) for context.

The read-write policy currently uses "Action": "s3:*Object" - and the read-only one uses "Action": "s3:GetObject*".

This is pretty gross - surely explicitly listing the allowed actions is better practice?

simonw commented Nov 3, 2021

But... there are a LOT of actions to consider, and it looks like AWS add more over time.

I collected a full list of them here: #11 (comment)

Here is the current list of actions that match these two wildcards.

For s3:*Object it's:

  • s3:DeleteObject
  • s3:GetObject
  • s3:PutObject
  • s3:ReplicateObject
  • s3:RestoreObject

For s3:GetObject* it's:

  • s3:GetObject
  • s3:GetObjectAcl
  • s3:GetObjectLegalHold
  • s3:GetObjectRetention
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:GetObjectVersionAcl
  • s3:GetObjectVersionForReplication
  • s3:GetObjectVersionTagging

Interestingly there are a bunch of other actions involving Object that do NOT match the s3:*Object wildcard (because they have extra trailing characters):

  • s3:CreateAccessPointForObjectLambda
  • s3:DeleteAccessPointForObjectLambda
  • s3:DeleteAccessPointPolicyForObjectLambda
  • s3:DeleteObjectTagging
  • s3:DeleteObjectVersion
  • s3:DeleteObjectVersionTagging
  • s3:GetAccessPointConfigurationForObjectLambda
  • s3:GetAccessPointForObjectLambda
  • s3:GetAccessPointPolicyForObjectLambda
  • s3:GetAccessPointPolicyStatusForObjectLambda
  • s3:GetBucketObjectLockConfiguration
  • s3:GetObjectAcl
  • s3:GetObjectLegalHold
  • s3:GetObjectRetention
  • s3:GetObjectTagging
  • s3:GetObjectVersion
  • s3:GetObjectVersionAcl
  • s3:GetObjectVersionForReplication
  • s3:GetObjectVersionTagging
  • s3:ListAccessPointsForObjectLambda
  • s3:ObjectOwnerOverrideToBucketOwner
  • s3:PutAccessPointConfigurationForObjectLambda
  • s3:PutAccessPointPolicyForObjectLambda
  • s3:PutBucketObjectLockConfiguration
  • s3:PutObjectAcl
  • s3:PutObjectLegalHold
  • s3:PutObjectRetention
  • s3:PutObjectTagging
  • s3:PutObjectVersionAcl
  • s3:PutObjectVersionTagging

Some of those DO match the read-only s3:GetObject* pattern - so right now the read-only policy gives you some permissions which you don't get for the read-write policy.

So yeah, wildcards as currently implemented by this tool are very flawed.

@simonw simonw added the research label Nov 3, 2021
@simonw simonw changed the title Reconsider usage of action wildcards Stop using action wildcards and start explicitly listing permissions Nov 3, 2021
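The comment above reasons about which action names a given IAM wildcard covers by eyeballing the table. Below is an added example (not code from s3-credentials or from the issue author) that does the same expansion mechanically: it translates an IAM "Action" pattern into a regex using IAM's rules (`*` matches any run of characters, `?` a single character, matching is anchored and case-insensitive) and runs it over a constructed subset of the action names listed on this page. The S3_ACTIONS list is that constructed subset, not a complete or authoritative inventory.

```python
import re

# Constructed subset of the S3 action names in the table on this page (the
# real table is much longer and AWS keeps adding to it); enough to show how
# the two wildcards behave.
S3_ACTIONS = [
    "s3:DeleteObject",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersion",
    "s3:GetBucketLocation",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectLegalHold",
    "s3:GetObjectRetention",
    "s3:GetObjectTagging",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:GetObjectVersionForReplication",
    "s3:GetObjectVersionTagging",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:ReplicateObject",
    "s3:RestoreObject",
]


def iam_action_regex(pattern: str):
    """Translate an IAM "Action" pattern into an anchored regex.

    IAM treats '*' as any run of characters and '?' as any single character,
    matches the whole action name, and ignores case. Everything else is
    literal, so escape first rather than using fnmatch (which would give
    '[' a meaning IAM does not have).
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def expand_action(pattern: str, actions=S3_ACTIONS) -> list:
    """Every action in `actions` that `pattern` would grant, in input order."""
    rx = iam_action_regex(pattern)
    return [a for a in actions if rx.match(a)]


def expand_statement_actions(action_field, actions=S3_ACTIONS) -> set:
    """Expand a statement's "Action" value, which may be a string or a list."""
    patterns = [action_field] if isinstance(action_field, str) else action_field
    granted = set()
    for pattern in patterns:
        granted.update(expand_action(pattern, actions))
    return granted


def only_in_first(pattern_a: str, pattern_b: str, actions=S3_ACTIONS) -> list:
    """Actions granted by pattern_a that pattern_b does not grant, sorted."""
    return sorted(
        set(expand_action(pattern_a, actions)) - set(expand_action(pattern_b, actions))
    )


if __name__ == "__main__":
    print("s3:*Object grants:   ", expand_action("s3:*Object"))
    print("s3:GetObject* grants:", expand_action("s3:GetObject*"))
    # Granted by the read-only wildcard but not by the read-write one:
    print("read-only but not read-write:", only_in_first("s3:GetObject*", "s3:*Object"))
```

Run against a current action list (for example one scraped with the JavaScript snippet later in this thread), `only_in_first` makes the mismatch the comment describes concrete: the read-only wildcard grants ACL, tagging, retention and version-read actions that the read-write wildcard never does, while `s3:*Object` silently omits `s3:DeleteObjectVersion` and `s3:PutObjectAcl`. Because the expansion is evaluated against whatever list you feed it, re-running it when AWS adds actions shows exactly which new permissions a wildcard has quietly picked up.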
simonw commented Nov 3, 2021

The bigger problem here is that the terms "read-only" and "read-write" and "write-only" do not actually have defined meanings within the world of S3.

That's why I've had so much trouble finding good example policies out there - since the terms don't have a concrete meaning the question I'm asking here isn't actually a valid one.

So I need to define what I think read-only, read-write and write-only should mean in the context of this specific tool, then implement and document it.

simonw commented Nov 3, 2021

Here's a recipe for outputting a full list of S3 operation names using boto3:

import boto3

# Note: these are S3 API operation names, not IAM action names. The two sets
# overlap but are not identical (IAM has s3:GetObjectVersion, for example,
# which is not an API operation), so treat this as a starting point only.
boto3.client("s3").meta.service_model.operation_names

simonw commented Nov 3, 2021

Here's a JavaScript one-liner which extracts the names AND descriptions from the table of actions on https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html#amazons3-actions-as-permissions

// Run in the browser DevTools console on that docs page. copy() is a DevTools
// console helper that places the result on the clipboard.
copy(
  Array.from(
    document.querySelector("table").querySelectorAll("tr td:first-of-type")
  )
    .filter((el) => el.innerText)
    .map((el) => {
      const name = el.innerText;
      const description = el.parentNode.getElementsByTagName("td")[1].innerText;
      return `- **${name}**: ${description}`;
    })
    .join("\n")
);

  • AbortMultipartUpload: Grants permission to abort a multipart upload
  • BypassGovernanceRetention: Grants permission to allow circumvention of governance-mode object retention settings
  • CreateAccessPoint: Grants permission to create a new access point
  • CreateAccessPointForObjectLambda: Grants permission to create an object lambda enabled accesspoint
  • CreateBucket: Grants permission to create a new bucket
  • CreateJob: Grants permission to create a new Amazon S3 Batch Operations job
  • DeleteAccessPoint: Grants permission to delete the access point named in the URI
  • DeleteAccessPointForObjectLambda: Grants permission to delete the object lambda enabled access point named in the URI
  • DeleteAccessPointPolicy: Grants permission to delete the policy on a specified access point
  • DeleteAccessPointPolicyForObjectLambda: Grants permission to delete the policy on a specified object lambda enabled access point
  • DeleteBucket: Grants permission to delete the bucket named in the URI
  • DeleteBucketOwnershipControls: Grants permission to delete ownership controls on a bucket
  • DeleteBucketPolicy: Grants permission to delete the policy on a specified bucket
  • DeleteBucketWebsite: Grants permission to remove the website configuration for a bucket
  • DeleteJobTagging: Grants permission to remove tags from an existing Amazon S3 Batch Operations job
  • DeleteObject: Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object
  • DeleteObjectTagging: Grants permission to use the tagging subresource to remove the entire tag set from the specified object
  • DeleteObjectVersion: Grants permission to remove a specific version of an object
  • DeleteObjectVersionTagging: Grants permission to remove the entire tag set for a specific version of the object
  • DeleteStorageLensConfiguration: Grants permission to delete an existing Amazon S3 Storage Lens configuration
  • DeleteStorageLensConfigurationTagging: Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration
  • DescribeJob: Grants permission to retrieve the configuration parameters and status for a batch operations job
  • GetAccelerateConfiguration: Grants permission to use the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended
  • GetAccessPoint: Grants permission to return configuration information about the specified access point
  • GetAccessPointConfigurationForObjectLambda: Grants permission to retrieve the configuration of the object lambda enabled access point
  • GetAccessPointForObjectLambda: Grants permission to create an object lambda enabled accesspoint
  • GetAccessPointPolicy: Grants permission to return the access point policy associated with the specified access point
  • GetAccessPointPolicyForObjectLambda: Grants permission to return the access point policy associated with the specified object lambda enabled access point
  • GetAccessPointPolicyStatus: Grants permission to return the policy status for a specific access point policy
  • GetAccessPointPolicyStatusForObjectLambda: Grants permission to return the policy status for a specific object lambda access point policy
  • GetAccountPublicAccessBlock: Grants permission to retrieve the PublicAccessBlock configuration for an AWS account
  • GetAnalyticsConfiguration: Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID
  • GetBucketAcl: Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket
  • GetBucketCORS: Grants permission to return the CORS configuration information set for an Amazon S3 bucket
  • GetBucketLocation: Grants permission to return the Region that an Amazon S3 bucket resides in
  • GetBucketLogging: Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status
  • GetBucketNotification: Grants permission to get the notification configuration of an Amazon S3 bucket
  • GetBucketObjectLockConfiguration: Grants permission to get the Object Lock configuration of an Amazon S3 bucket
  • GetBucketOwnershipControls: Grants permission to retrieve ownership controls on a bucket
  • GetBucketPolicy: Grants permission to return the policy of the specified bucket
  • GetBucketPolicyStatus: Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public
  • GetBucketPublicAccessBlock: Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket
  • GetBucketRequestPayment: Grants permission to return the request payment configuration for an Amazon S3 bucket
  • GetBucketTagging: Grants permission to return the tag set associated with an Amazon S3 bucket
  • GetBucketVersioning: Grants permission to return the versioning state of an Amazon S3 bucket
  • GetBucketWebsite: Grants permission to return the website configuration for an Amazon S3 bucket
  • GetEncryptionConfiguration: Grants permission to return the default encryption configuration an Amazon S3 bucket
  • GetIntelligentTieringConfiguration: Grants permission to get one or list all Amazon S3 Intelligent Tiering configurations in an S3 bucket
  • GetInventoryConfiguration: Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID
  • GetJobTagging: Grants permission to return the tag set of an existing Amazon S3 Batch Operations job
  • GetLifecycleConfiguration: Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket
  • GetMetricsConfiguration: Grants permission to get a metrics configuration from an Amazon S3 bucket
  • GetObject: Grants permission to retrieve objects from Amazon S3
  • GetObjectAcl: Grants permission to return the access control list (ACL) of an object
  • GetObjectLegalHold: Grants permission to get an object's current Legal Hold status
  • GetObjectRetention: Grants permission to retrieve the retention settings for an object
  • GetObjectTagging: Grants permission to return the tag set of an object
  • GetObjectVersion: Grants permission to retrieve a specific version of an object
  • GetObjectVersionAcl: Grants permission to return the access control list (ACL) of a specific object version
  • GetObjectVersionForReplication: Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS
  • GetObjectVersionTagging: Grants permission to return the tag set for a specific version of the object
  • GetReplicationConfiguration: Grants permission to get the replication configuration information set on an Amazon S3 bucket
  • GetStorageLensConfiguration: Grants permission to get an Amazon S3 Storage Lens configuration
  • GetStorageLensConfigurationTagging: Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration
  • GetStorageLensDashboard: Grants permission to get an Amazon S3 Storage Lens dashboard
  • ListAccessPoints: Grants permission to list access points
  • ListAccessPointsForObjectLambda: Grants permission to list object lambda enabled accesspoints
  • ListAllMyBuckets: Grants permission to list all buckets owned by the authenticated sender of the request
  • ListBucket: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
  • ListBucketMultipartUploads: Grants permission to list in-progress multipart uploads
  • ListBucketVersions: Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket
  • ListJobs: Grants permission to list current jobs and jobs that have ended recently
  • ListMultipartUploadParts: Grants permission to list the parts that have been uploaded for a specific multipart upload
  • ListStorageLensConfigurations: Grants permission to list Amazon S3 Storage Lens configurations
  • ObjectOwnerOverrideToBucketOwner: Grants permission to change replica ownership
  • PutAccelerateConfiguration: Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket
  • PutAccessPointConfigurationForObjectLambda: Grants permission to set the configuration of the object lambda enabled access point
  • PutAccessPointPolicy: Grants permission to associate an access policy with a specified access point
  • PutAccessPointPolicyForObjectLambda: Grants permission to associate an access policy with a specified object lambda enabled access point
  • PutAccountPublicAccessBlock: Grants permission to create or modify the PublicAccessBlock configuration for an AWS account
  • PutAnalyticsConfiguration: Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID
  • PutBucketAcl: Grants permission to set the permissions on an existing bucket using access control lists (ACLs)
  • PutBucketCORS: Grants permission to set the CORS configuration for an Amazon S3 bucket
  • PutBucketLogging: Grants permission to set the logging parameters for an Amazon S3 bucket
  • PutBucketNotification: Grants permission to receive notifications when certain events happen in an Amazon S3 bucket
  • PutBucketObjectLockConfiguration: Grants permission to put Object Lock configuration on a specific bucket
  • PutBucketOwnershipControls: Grants permission to add or replace ownership controls on a bucket
  • PutBucketPolicy: Grants permission to add or replace a bucket policy on a bucket
  • PutBucketPublicAccessBlock: Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket
  • PutBucketRequestPayment: Grants permission to set the request payment configuration of a bucket
  • PutBucketTagging: Grants permission to add a set of tags to an existing Amazon S3 bucket
  • PutBucketVersioning: Grants permission to set the versioning state of an existing Amazon S3 bucket
  • PutBucketWebsite: Grants permission to set the configuration of the website that is specified in the website subresource
  • PutEncryptionConfiguration: Grants permission to set the encryption configuration for an Amazon S3 bucket
  • PutIntelligentTieringConfiguration: Grants permission to create new or update or delete an existing Amazon S3 Intelligent Tiering configuration
  • PutInventoryConfiguration: Grants permission to add an inventory configuration to the bucket, identified by the inventory ID
  • PutJobTagging: Grants permission to replace tags on an existing Amazon S3 Batch Operations job
  • PutLifecycleConfiguration: Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration
  • PutMetricsConfiguration: Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket
  • PutObject: Grants permission to add an object to a bucket
  • PutObjectAcl: Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket.
  • PutObjectLegalHold: Grants permission to apply a Legal Hold configuration to the specified object
  • PutObjectRetention: Grants permission to place an Object Retention configuration on an object
  • PutObjectTagging: Grants permission to set the supplied tag-set to an object that already exists in a bucket
  • PutObjectVersionAcl: Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket
  • PutObjectVersionTagging: Grants permission to set the supplied tag-set for a specific version of an object
  • PutReplicationConfiguration: Grants permission to create a new replication configuration or replace an existing one
  • PutStorageLensConfiguration: Grants permission to create or update an Amazon S3 Storage Lens configuration
  • PutStorageLensConfigurationTagging: Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration
  • ReplicateDelete: Grants permission to replicate delete markers to the destination bucket
  • ReplicateObject: Grants permission to replicate objects and object tags to the destination bucket
  • ReplicateTags: Grants permission to replicate object tags to the destination bucket
  • RestoreObject: Grants permission to restore an archived copy of an object back into Amazon S3
  • UpdateJobPriority: Grants permission to update the priority of an existing job
  • UpdateJobStatus: Grants permission to update the status for the specified job

simonw commented Nov 3, 2021

I'm going to pick the ones that look sensible to me and add them - along with a comment describing them - to the policies.py file. A benefit of using Python rather than JSON in that file is I can use comments.

simonw commented Nov 3, 2021

This site looks very useful: https://permissions.cloud/

simonw commented Nov 6, 2021

I tried to use this tool with https://litestream.io/ (the original inspiration for building this) and discovered that the current read-write mode isn't enough, because Litestream needs access to s3:GetBucketLocation.

@simonw simonw added this to the 1.0 milestone Nov 6, 2021
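Three comments above this point together describe the replacement design: define what read-only, read-write and write-only mean for this tool, spell the actions out in a Python policies.py so each can carry a comment, and make sure the read-write mode covers bucket-level calls such as s3:GetBucketLocation that clients like Litestream make. The block below is an added example of that shape, written for this page; it is not the project's policies.py, and the specific action choices per mode are assumptions for illustration. One detail it makes explicit that wildcard policies tend to blur: object-level actions must be granted on `arn:aws:s3:::bucket/*` and bucket-level actions on `arn:aws:s3:::bucket`, otherwise the policy looks right but every call fails with AccessDenied.

```python
import json

# Illustrative action sets (assumptions for this example, not the project's
# final definitions). Each action is written out in full, so what a mode
# grants never depends on IAM wildcard expansion or on AWS adding actions.
#
# Object-level actions are scoped to arn:aws:s3:::<bucket>/*.
OBJECT_ACTIONS = {
    "read-only": [
        "s3:GetObject",         # download the current version of an object
        "s3:GetObjectVersion",  # download a specific version (versioned buckets)
    ],
    "write-only": [
        "s3:PutObject",         # upload or overwrite an object
    ],
}
OBJECT_ACTIONS["read-write"] = sorted(
    set(OBJECT_ACTIONS["read-only"])
    | set(OBJECT_ACTIONS["write-only"])
    | {"s3:DeleteObject"}       # delete the current version only
)

# Bucket-level actions are scoped to arn:aws:s3:::<bucket> (no trailing /*).
BUCKET_ACTIONS = {
    "read-only": [
        "s3:ListBucket",         # list keys; without it a missing key is a 403, not a 404
        "s3:GetBucketLocation",  # region lookup that clients such as Litestream perform
    ],
    "write-only": [],            # a write-only client should not be able to enumerate
}
BUCKET_ACTIONS["read-write"] = BUCKET_ACTIONS["read-only"]


def policy(bucket: str, mode: str) -> dict:
    """Build an IAM policy document granting `mode` access to one bucket."""
    if mode not in OBJECT_ACTIONS:
        raise ValueError(f"unknown mode {mode!r}")
    statements = [
        {
            "Effect": "Allow",
            "Action": OBJECT_ACTIONS[mode],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }
    ]
    if BUCKET_ACTIONS[mode]:
        statements.append(
            {
                "Effect": "Allow",
                "Action": BUCKET_ACTIONS[mode],
                "Resource": f"arn:aws:s3:::{bucket}",
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(doc: dict) -> list:
    """Return every Action entry in the document that still uses '*' or '?'."""
    found = []
    for statement in doc["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if "*" in a or "?" in a)
    return found


def policy_json(bucket: str, mode: str) -> str:
    """Serialise a policy, refusing to emit one that reintroduced a wildcard."""
    doc = policy(bucket, mode)
    leftovers = wildcard_actions(doc)
    if leftovers:
        raise ValueError(f"wildcard actions are not allowed: {leftovers}")
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for mode in ("read-only", "read-write", "write-only"):
        print(f"# {mode}\n{policy_json('my-bucket', mode)}\n")
```

`wildcard_actions` is the check worth keeping in a test suite: it runs over the generated document rather than the source, so it also catches a wildcard that sneaks in through a future refactor. The example keeps `s3:DeleteObjectVersion` out of read-write on purpose; granting it is the difference between a client that can leave delete markers and one that can destroy history on a versioned bucket, which is exactly the sort of decision an explicit list makes visible and a wildcard hides.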
simonw commented Nov 9, 2021

Splitting this into separate issues, so I can maybe link to them from the documentation.

simonw commented Nov 10, 2021

New policy designs are all implemented. Need to do a round of testing before I close this issue.

simonw added a commit that referenced this issue Nov 11, 2021
@simonw simonw closed this as completed Nov 11, 2021