@k9securityio/k9-cdk
Version:
Provision strong AWS security policies easily using the AWS CDK.
64 lines (52 loc) • 2.08 kB
Markdown
# Least Privilege Access for a Public Bucket
You can use k9-cdk to make a bucket publicly readable with least privilege access
for named principals to administer, (full) read, write, and delete. The public will have the ability to
call `S3:GetObject` on any object in the bucket. See the [k9-cdk.ts](bin/k9-cdk.ts) for a full example.
To make a bucket publicly readable, configure `K9BucketPolicyProps` properties:
* `publicReadAccess` to `true`
* `encryption` to `BucketEncryption.S3_MANAGED`
Configuring `encryption` to `BucketEncryption.S3_MANAGED` avoids needing to grant public read access to a KMS key.
```typescript
const websiteK9BucketPolicyProps: k9.s3.K9BucketPolicyProps = {
bucket: websiteBucket,
k9DesiredAccess: [/* normal k9 access capabilities */],
publicReadAccess: true,
encryption: BucketEncryption.S3_MANAGED,
};
```
When you configure `publicReadAccess` to `true`, the k9 policy generator will change its policy generation strategy in two ways.
First, an additional `AllowPublicReadAccess` statement allows all AWS principals (including anonymous) to use `S3:GetObject` (just like [AWS CDK Bucket#grantPublicAccess](https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-s3/lib/bucket.ts#L807))
```json
{
"Sid": "AllowPublicReadAccess",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::k9-cdk-public-website-test/*"
}
```
Second, the `DenyEveryoneElse` denies unwanted access to every action but `S3:GetObject`:
```json
{
"Sid": "DenyEveryoneElse",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"NotAction": "s3:GetObject",
"Resource": [
"arn:aws:s3:::k9-cdk-public-website-test",
"arn:aws:s3:::k9-cdk-public-website-test/*"
],
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"... snip your intended principals ..."
]
}
}
}
```
See the [k9-cdk.ts](bin/k9-cdk.ts) application for a full example.