Merge pull request #1 from MeteoGroup/restrict_cross_account_writes

Restrict cross account writes
MeteoGroup · Dec 10, 2019 · b95c91b · b95c91b
2 parents 13f6b34 + ee9af24
commit b95c91b
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,9 @@ and *subscribe* access to its SNS topic
 `write_accounts` (list(str))\
 Account numbers of other AWS accounts which should get write access to the bucket
 
+`write_key_pattern` (str)\
+Pattern of object keys allowed for cross-account writes
+
 `lifecycle_rules` (list(lifecycle_rule))\
 [Lifecycle rules](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#lifecycle_rule)
 to transition / expire old objects in the bucket

diff --git a/main.tf b/main.tf
@@ -84,17 +84,20 @@ data "aws_iam_policy_document" "bucket_policy_write" {
 
   statement {
     sid = "AllowCrossAccountWrite"
-    resources = [
-      local.bucket_arn,
-      "${local.bucket_arn}/*",
-    ]
+    resources = ["${local.bucket_arn}/${var.write_key_pattern}"]
     actions = [
-      "s3:Put*",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
     ]
     principals {
       type        = "AWS"
       identifiers = var.write_accounts
     }
+    condition {
+      test = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values = ["bucket-owner-full-control"]
+    }
   }
 }
 

diff --git a/variables.tf b/variables.tf
@@ -36,6 +36,12 @@ variable "write_accounts" {
   default     = []
 }
 
+variable "write_key_pattern" {
+  description = "Pattern of object keys allowed for cross-account writes"
+  type        = string
+  default     = "*"
+}
+
 variable "lifecycle_rules" {
   type    = list(any)
   default = []