
feat: privileged principal arns with condition #211

Closed. Wants to merge 3 commits.

Conversation

okstart1

what

  • Added an optional bucket_policy_conditions argument to the terraform-aws-s3-bucket module.
  • This argument allows users to specify IAM policy conditions for the S3 bucket policy, particularly for privileged_principal_arns.
  • Ensured that the addition is backward compatible and does not affect existing module users.

why

  • Enhanced Security: By allowing conditions in IAM policies, users can restrict access based on specific AWS elements like VPC endpoints, source IP addresses, or user attributes. This is crucial for sensitive or regulated data stored in S3 buckets.
  • Increased Flexibility: Users now have more control over their S3 bucket policies, enabling them to tailor access more precisely to their organizational requirements.
  • Alignment with AWS Best Practices: Adding conditions to IAM policies is recommended as part of AWS security best practices. It helps in achieving the principle of least privilege.
  • Community Request: This feature was requested by several users (refer to issue #210, Add Support for Condition Block in Privileged Principal ARNs IAM Policy for S3 Bucket) to meet specific use cases not currently supported by the module.

references

@okstart1 okstart1 requested review from a team as code owners January 18, 2024 07:23
@okstart1 okstart1 requested review from kevcube and nitrocode January 18, 2024 07:23
@hans-d

hans-d commented Feb 4, 2024

@okstart1 hi, can you execute the following?

README.md is outdated. Please run the following commands locally and push the file:
  make init
  make readme

@joe-niland
Member

@okstart1 Thanks for this contribution.

I don't think you need to duplicate the role to path mapping.

The way the module is set up, principals are defined separately to actions, so potentially you could add a new variable to define conditions to be applied to the statement.

[image attachment]
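The PR description proposes a `bucket_policy_conditions` argument that attaches IAM conditions to the `privileged_principal_arns` statement, and the review comment above suggests expressing it as a separate variable rather than duplicating the role-to-path mapping. The following is an added illustration of that design, written here for this discussion; it is not code from the PR or from the terraform-aws-s3-bucket module. The variable names `bucket_arn`, `privileged_principal_arns` (simplified to a plain list of ARNs), `privileged_principal_actions` and `bucket_policy_conditions`, and all sample ARNs and the VPC endpoint ID, are assumptions for the example.

```hcl
# Added example, not the module's own code. Variable names, the simplified
# principal list, and all sample values below are assumptions for illustration.

variable "bucket_arn" {
  type    = string
  default = "arn:aws:s3:::example-bucket" # constructed sample value
}

variable "privileged_principal_arns" {
  type    = list(string)
  default = ["arn:aws:iam::111111111111:role/example-privileged-role"] # constructed
}

variable "privileged_principal_actions" {
  type    = list(string)
  default = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
}

# Hypothetical variable matching the PR description. Each entry becomes one
# `condition` block on the privileged-principal statement; an empty list leaves
# the statement exactly as it was, which is what keeps the change backward compatible.
variable "bucket_policy_conditions" {
  type = list(object({
    test     = string
    variable = string
    values   = list(string)
  }))
  default = [
    {
      test     = "StringEquals"
      variable = "aws:sourceVpce"
      values   = ["vpce-0123456789abcdef0"] # placeholder endpoint id
    },
  ]
}

data "aws_iam_policy_document" "privileged_principals" {
  statement {
    sid       = "AllowPrivilegedPrincipals"
    effect    = "Allow"
    actions   = var.privileged_principal_actions
    resources = [var.bucket_arn, "${var.bucket_arn}/*"]

    # Principals stay separate from actions, as the module already does.
    principals {
      type        = "AWS"
      identifiers = var.privileged_principal_arns
    }

    # Conditions are rendered from the new variable; several entries are ANDed
    # together in the resulting statement.
    dynamic "condition" {
      for_each = var.bucket_policy_conditions
      content {
        test     = condition.value.test
        variable = condition.value.variable
        values   = condition.value.values
      }
    }
  }
}

output "bucket_policy_json" {
  value = data.aws_iam_policy_document.privileged_principals.json
}
```

Run `terraform init` and `terraform plan` with the AWS provider configured to see the rendered JSON in the `bucket_policy_json` output. One caveat worth keeping in mind when reviewing such a variable: conditions on an `Allow` statement only narrow that grant. The principal may still reach the bucket through an identity-based policy in its own account, so a requirement that traffic arrive via a particular VPC endpoint is only enforced if it is also expressed as a `Deny` statement with `StringNotEquals` on `aws:sourceVpce` (or an equivalent identity-policy restriction). Conditions on the allow are still valuable, because they keep the bucket policy itself from granting more than intended.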

@hans-d

hans-d commented Mar 2, 2024

/terratest


mergify bot commented Mar 9, 2024

This pull request now has conflicts. Could you fix it @okstart1? 🙏


mergify bot commented Mar 9, 2024

Important

Title is necessary and should not be empty.

Kindly provide a meaningful title for this Pull Request.

@mergify mergify bot added the conflict This PR has conflicts label Mar 9, 2024

mergify bot commented Mar 9, 2024

This PR has been closed due to inactivity and merge conflicts.
Please resolve the conflicts and reopen if necessary.

@mergify mergify bot closed this Mar 9, 2024

mergify bot commented Mar 9, 2024

Thanks @okstart1 for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

@mergify mergify bot added triage Needs triage and removed conflict This PR has conflicts triage Needs triage labels Mar 9, 2024
@nitrocode nitrocode changed the title #210 feat: privileged principal arns with conditions Nov 13, 2024
@nitrocode nitrocode changed the title feat: privileged principal arns with conditions feat: privileged principal arns with condition Nov 13, 2024
Development

Successfully merging this pull request may close these issues.

Add Support for Condition Block in Privileged Principal ARNs IAM Policy for S3 Bucket