Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict backup example policy #39490

Merged
merged 1 commit into from
Sep 26, 2024
Merged

Restrict backup example policy #39490

merged 1 commit into from
Sep 26, 2024

Conversation

MarkCBell
Copy link
Contributor

Description

The current example of an AWS Backup vault policy allows any user to put a new policy (since it uses Principal "*"). Therefore deploying the provided example would allow anyone to replace this policy with one in which they had full control over the backup vault. This would include taking copies of the data in there or deleting snapshots.

AWS "strongly recommend that you do not use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect". Following this, this PR replaces the Principal with the account id, therefore giving this power only to roles already within this account, which is much less dangerous.

Relations

None

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous

@MarkCBell MarkCBell requested a review from a team as a code owner September 25, 2024 21:40
@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. service/backup Issues and PRs that pertain to the backup service. needs-triage Waiting for first response or review from a maintainer. labels Sep 25, 2024
@jar-b jar-b removed the needs-triage Waiting for first response or review from a maintainer. label Sep 26, 2024
jar-b
jar-b approved these changes Sep 26, 2024
View reviewed changes
Copy link
Member

@jar-b jar-b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@jar-b
Copy link
Member

jar-b commented Sep 26, 2024

Thanks for your contribution, @MarkCBell! 👍

@jar-b jar-b merged commit 92ffb48 into hashicorp:main Sep 26, 2024
28 checks passed
@github-actions github-actions bot added this to the v5.69.0 milestone Sep 26, 2024
@MarkCBell MarkCBell deleted the limit-backup-example branch September 26, 2024 23:14
@github-actions GitHub Actions
Copy link

This functionality has been released in v5.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions GitHub Actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jar-b jar-b jar-b approved these changes

Assignees
No one assigned
Labels
documentation Introduces or discusses updates to documentation. service/backup Issues and PRs that pertain to the backup service.
Projects
None yet
Milestone
v5.69.0
Development

Successfully merging this pull request may close these issues.
2 participants
@MarkCBell @jar-b