Merge pull request #2 from MeteoGroup/restrict_read_prefix

Restrict read prefix
MeteoGroup · Dec 16, 2019 · 8c05fae · 8c05fae
2 parents b95c91b + 3cce33a
commit 8c05fae
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 9 deletions.
diff --git a/main.tf b/main.tf
@@ -63,15 +63,23 @@ data "aws_iam_policy_document" "bucket_policy_read" {
   count = local.enable_read_accounts ? 1 : 0
 
   statement {
-    sid = "AllowCrossAccountRead"
-    resources = [
-      local.bucket_arn,
-      "${local.bucket_arn}/*",
-    ]
-    actions = [
-      "s3:Get*",
-      "s3:List*",
-    ]
+    sid = "AllowCrossAccountList"
+    resources = [local.bucket_arn]
+    actions = ["s3:List*"]
+    principals {
+      type        = "AWS"
+      identifiers = var.read_accounts
+    }
+    condition {
+      test = "StringLike"
+      variable = "s3:prefix"
+      values = ["${var.read_prefix}*"]
+    }
+  }
+  statement {
+    sid = "AllowCrossAccountGet"
+    resources = ["${local.bucket_arn}/${var.read_prefix}*",]
+    actions = ["s3:Get*"]
     principals {
       type        = "AWS"
       identifiers = var.read_accounts

diff --git a/outputs.tf b/outputs.tf
diff --git a/variables.tf b/variables.tf
@@ -30,6 +30,12 @@ variable "read_accounts" {
   default     = []
 }
 
+variable "read_prefix" {
+  description = "Prefix of object keys to restrict cross-account reads to"
+  type        = string
+  default     = ""
+}
+
 variable "write_accounts" {
   description = "List of other AWS accounts which should get write access to the bucket"
   type        = list(string)