Date: 2024-09-06
❌ Rejected
While access to objects in S3 such as Terraform state files can be controlled through bucket policies, there is a risk of accidental disclosure if the bucket policies and IAM policies are not suitably strict.
Investigated here.
The proposed condition stops a user moving laterally across roles, for example:
- A user in Account B assumes Role X in Account A, which has access to Object B
- The user then assumes Role Y, which has access to Object C
- Because the aws:PrincipalTag carried on the session still identifies Account B (it must be passed as a transitive session tag, otherwise it does not survive role chaining), it does not match the tag on Object C, and access to Object C is denied
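The shape of the condition described above, written as an added example rather than the platform's own policy. It assumes a bucket named example-terraform-state in account 111111111111 and a tag key of team on both the object and the principal; the condition key s3:ExistingObjectTag is used because the description above compares against an object tag. The explicit Deny is used rather than a conditional Allow so that an over-broad IAM policy in the bucket's own account cannot bypass it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStateReadWhenTeamTagDoesNotMatch",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example-terraform-state/*",
      "Condition": {
        "StringNotEquals": {
          "s3:ExistingObjectTag/team": "${aws:PrincipalTag/team}"
        }
      }
    }
  ]
}
```

Note that StringNotEquals evaluates to true when the referenced tag is absent, so an object without a team tag, or a session without a team principal tag, falls into the Deny. That is the fail-closed behaviour you want from a lateral-movement control, but it is also why the bucket's objects must all be tagged before a condition like this can be applied.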
This lateral movement path has been rectified since the ticket was raised.
- Adding the condition to the policy here
- Requires changes to the state bucket tagging
- Adds a layer of security, stopping people from viewing other teams' state files
- The original security reason for implementing it has been fixed
- Requires changes to the state bucket tagging
- Does not currently bring added security
The lateral movement that was possible when the ticket was raised, and the risk it posed, have since been rectified, so this work currently provides little to no value. The condition required on the bucket policy now exists, but changes to the bucket's tagging are still needed before it has any effect.
- Modernisation Platform will not make changes to the tagging of state bucket resources.