rubyonjets/jets

Should 'ListAllMyBuckets' be in the default policy?

Closed this issue · 2 comments

The default application-wide policy contains the permissions 's3:ListAllMyBuckets' and 's3:HeadBucket' on the resource 'arn:aws:s3:::*', which is very broad, and it is surprising that Jets needs this level of permissions.

Almost all other permissions that are granted seem to be following the principle of least privilege, so my question is, do we really need this?

I see that you have already raised this question yourself on a community support thread; have you had any further thoughts, @tongueroo?

P.S. Thanks for the awesome project! 🙌


For anyone finding this and wishing to remove these permissions for their project, place this in your config/application.rb:

Jets.application.configure do
  # Start from the default policy and subtract the broad S3 statement (Array#- matches the hash by contents).
  config.iam_policy = Jets::Application.default_iam_policy - [
    { action: ['s3:ListAllMyBuckets', 's3:HeadBucket'], effect: 'Allow', resource: 'arn:aws:s3:::*' }
  ]
end

Or, if you are using additional permissions as per the docs:

Jets.application.configure do
  # Default policy minus the broad S3 statement ...
  default_policy = Jets::Application.default_iam_policy - [
    { action: ['s3:ListAllMyBuckets', 's3:HeadBucket'], effect: 'Allow', resource: 'arn:aws:s3:::*' }
  ]

  # ... plus the extra, bucket-scoped permissions this app actually needs.
  config.iam_policy = [
    default_policy,
    {
      action: ['s3:ListBucket', 's3:GetObject'],
      effect: 'Allow',
      resource: "arn:aws:s3:::another-s3-bucket*"
    }
  ]
end

Sure. The default policy can be improved here. I've also been thinking I would like to make it so that config.iam_policy adds to the default and config.default_iam_policy overrides the default. I think it would be a more natural syntax.

I share the same concern. I believe ListAllMyBuckets is only needed for viewing buckets in the AWS console so it shouldn't be needed by Jets apps. I think the HeadBucket should be scoped to the configured s3_bucket.

I'll create a PR to modify the default policy and make the config syntax more natural as suggested.
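The change @tongueroo describes above (drop 's3:ListAllMyBuckets', scope 's3:HeadBucket' to the configured bucket) as a small worked example. This is an added example, not code from Jets or from anyone in the thread: BROAD_DEFAULT is a constructed stand-in for the relevant part of the default policy, S3_BUCKET is a hypothetical bucket name standing in for the app's configured s3_bucket, and the two functions are illustrative helpers, not Jets APIs. The audit function is the check a practitioner would want to run over the final policy before deploying.

```ruby
# Added example (not Jets' own code): tighten a Jets-style IAM policy array so
# that 's3:ListAllMyBuckets' is dropped and 's3:HeadBucket' is scoped to the
# app's bucket, then audit that no S3 statement is left on 'arn:aws:s3:::*'.

# Constructed stand-in for the part of the default policy discussed in the
# thread (assumption: the real default has more statements than this).
BROAD_DEFAULT = [
  { action: ['s3:ListAllMyBuckets', 's3:HeadBucket'], effect: 'Allow', resource: 'arn:aws:s3:::*' },
  { action: ['s3:GetObject', 's3:PutObject'], effect: 'Allow', resource: 'arn:aws:s3:::demo-jets-app-bucket/*' },
  { action: ['logs:CreateLogGroup'], effect: 'Allow', resource: 'arn:aws:logs:us-west-2:123456789012:*' }
].freeze

# Hypothetical bucket name, standing in for the app's configured s3_bucket.
S3_BUCKET = 'demo-jets-app-bucket'.freeze

BUCKET_WILDCARD = 'arn:aws:s3:::*'.freeze

# Returns a new statement list: ListAllMyBuckets is removed, HeadBucket is
# confined to the given bucket, and everything else passes through untouched.
# A wildcard S3 statement that ends up with no actions is dropped entirely.
def tighten_s3_policy(policy, bucket)
  policy.flat_map do |stmt|
    actions = Array(stmt[:action])
    next [stmt] unless stmt[:resource] == BUCKET_WILDCARD && actions.any? { |a| a.start_with?('s3:') }

    remaining = actions - ['s3:ListAllMyBuckets']
    head, rest = remaining.partition { |a| a == 's3:HeadBucket' }
    out = []
    out << stmt.merge(action: head, resource: "arn:aws:s3:::#{bucket}") unless head.empty?
    # Any other action still on the bucket wildcard is kept as-is so the audit below can flag it.
    out << stmt.merge(action: rest) unless rest.empty?
    out
  end
end

# Audit: every Allow statement that grants any s3:* action on all buckets.
def broad_s3_grants(policy)
  policy.select do |stmt|
    stmt[:effect] == 'Allow' &&
      Array(stmt[:resource]).include?(BUCKET_WILDCARD) &&
      Array(stmt[:action]).any? { |a| a.start_with?('s3:') }
  end
end

TIGHT_POLICY = tighten_s3_policy(BROAD_DEFAULT, S3_BUCKET)

if __FILE__ == $PROGRAM_NAME
  puts "Broad S3 grants before: #{broad_s3_grants(BROAD_DEFAULT).size}"
  puts "Broad S3 grants after:  #{broad_s3_grants(TIGHT_POLICY).size}"
  TIGHT_POLICY.each { |stmt| puts stmt.inspect }
end
```

In an app this would sit in config/application.rb as something like `config.iam_policy = tighten_s3_policy(Jets::Application.default_iam_policy, <your bucket name>)`, with the bucket name taken from wherever your app configures it; treat that wiring as an assumption, since the exact statements in the real default policy are not shown on this page and the Array#- approach in the earlier comment only works when the subtracted hash matches a default statement exactly.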