
Add Support for Condition Block in Privileged Principal ARNs IAM Policy for S3 Bucket #210

Open
@okstart1

Description


Describe the Feature

Feature Request:

I propose adding support for a condition block in the IAM policy statement for privileged_principal_arns within the terraform-aws-s3-bucket module. This enhancement will allow users to specify conditions for access, improving security and flexibility.

Current Behavior:

Currently, the module allows specifying privileged_principal_arns, which grants specified principals certain permissions on the S3 bucket. However, there is no capability to add conditions to these permissions, potentially leading to overly broad access.

Expected Behavior

Proposed Change:

Enable the addition of a condition block in the IAM policy for privileged_principal_arns. This would allow users to define conditions under which the specified principals are granted access.

Use Case Example:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPrivilegedPrincipal[0]",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-xxxxxxx"
                }
            }
        }
    ]
}
```

In this example, the condition block restricts access to the S3 bucket to requests originating from a specific VPC endpoint, enhancing security.

Expected Outcome:

The terraform-aws-s3-bucket module will support an additional, optional condition argument for policies related to privileged_principal_arns. This will allow for more granular and secure access control.

Use Case

A company has deployed an AWS S3 bucket for storing sensitive documents. They want to ensure that this bucket is only accessible from their internal AWS VPC to enhance security. The bucket is managed using the terraform-aws-s3-bucket module from CloudPosse. However, the current version of the module does not support adding conditions to the IAM policies for privileged_principal_arns, which is necessary for restricting access based on the source VPC endpoint.

Describe Ideal Solution

Add a new env variable called privileged_principal_arns_with_condition and a block in main.tf under the data "aws_iam_policy_document" "bucket_policy" block.

```hcl
dynamic "statement" {
  # Assumed shape of each map entry (the issue does not fix one): an object with
  # principal_arn, a list of object-key prefixes, and a single condition
  # { test, variable, values }. Named attributes avoid depending on the sorted
  # order that keys()/values() impose on a map, which would otherwise put a
  # condition name such as "StringEquals" ahead of an "arn:..." key.
  for_each = var.privileged_principal_arns_with_condition

  content {
    sid     = "AllowPrivilegedPrincipal[${statement.key}]" # add indic
    actions = var.privileged_principal_actions
    resources = distinct(flatten([
      "arn:${local.partition}:s3:::${local.bucket_id}",
      formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", statement.value.prefixes),
    ]))

    principals {
      type        = "AWS"
      identifiers = [statement.value.principal_arn]
    }

    # The condition is what narrows the grant, e.g. StringEquals on
    # aws:SourceVpce with the allowed endpoint ids as values.
    condition {
      test     = statement.value.condition.test
      variable = statement.value.condition.variable
      values   = statement.value.condition.values
    }
  }
}
```
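As an added example, not taken from the issue or from the terraform-aws-s3-bucket module, the following shows a typed declaration for the proposed privileged_principal_arns_with_condition input together with a terraform.tfvars value that limits one role to requests arriving through a single VPC endpoint. The attribute names (principal_arn, prefixes, condition), the validation rule, and the sample account id, role name and endpoint id are all assumptions for illustration; the two parts belong in a variables file and a tfvars file respectively.

```hcl
# Example input declaration (assumed shape; not a real module input).
variable "privileged_principal_arns_with_condition" {
  description = <<-EOT
    Map of principals to grant access to. Each entry names the principal ARN,
    the object-key prefixes it may reach, and one IAM condition
    (test, variable, values) that must hold for the grant to apply.
  EOT

  type = map(object({
    principal_arn = string
    prefixes      = list(string)
    condition = object({
      test     = string
      variable = string
      values   = list(string)
    })
  }))

  default = {}

  # Refuse entries whose condition carries no values: with a broad principal
  # the condition is the only thing narrowing the statement, so an empty
  # one would silently widen access.
  validation {
    condition = alltrue([
      for name, entry in var.privileged_principal_arns_with_condition :
      length(entry.condition.values) > 0 && length(entry.prefixes) > 0
    ])
    error_message = "Each entry needs at least one prefix and at least one condition value."
  }
}

# terraform.tfvars (constructed sample; account id, role and endpoint id are placeholders)
privileged_principal_arns_with_condition = {
  app_reader = {
    principal_arn = "arn:aws:iam::123456789012:role/example-app-role"
    prefixes      = ["reports/"]
    condition = {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = ["vpce-0123456789abcdef0"]
    }
  }
}
```

With this shape the resulting statement reads "AllowPrivilegedPrincipal[app_reader]" with an aws:SourceVpce condition, and a review of the rendered bucket policy can check that every statement whose principal is broad also carries a Condition block, which is the property the use case above depends on.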

Alternatives Considered

No response

Additional Context

No response
