
(aws-s3): bucket.grantRead to an organization principal grants public read access #32756

ehiggins0 opened this issue Jan 6, 2025 · 1 comment
Labels: @aws-cdk/aws-s3, bug, needs-reproduction, p2


Describe the bug

When using bucket.grantRead(org), the generated policy allows access to the bucket for all AWS accounts without a condition.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The policy should have a condition:

  "bucketPolicy": {
   "Type": "AWS::S3::BucketPolicy",
   "Properties": {
    "Bucket": {
     "Ref": "bucket"
    },
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:GetBucket*",
        "s3:GetObject*",
        "s3:List*"
       ],
       "Condition": {
        "StringEquals": {
         "aws:PrincipalOrgID": "o-yyyyyyyyyy"
        }
       },
       "Effect": "Allow",
       "Principal": {
        "AWS": "*"
       },
       "Resource": [
        {
         "Fn::GetAtt": [
          "bucket",
          "Arn"
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           {
            "Fn::GetAtt": [
             "bucket",
             "Arn"
            ]
           },
           "/*"
          ]
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "Metadata": {
    "aws:cdk:path": "Stack/bucket/Policy/Resource"
   }
  }

Current Behavior

This policy gets generated:

  "bucketPolicy": {
   "Type": "AWS::S3::BucketPolicy",
   "Properties": {
    "Bucket": {
     "Ref": "bucket"
    },
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:GetBucket*",
        "s3:GetObject*",
        "s3:List*"
       ],
       "Condition": {
        "StringEquals": {}
       },
       "Effect": "Allow",
       "Principal": {
        "AWS": "*"
       },
       "Resource": [
        {
         "Fn::GetAtt": [
          "bucket",
          "Arn"
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           {
            "Fn::GetAtt": [
             "bucket",
             "Arn"
            ]
           },
           "/*"
          ]
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "Metadata": {
    "aws:cdk:path": "Stack/bucket/Policy/Resource"
   }
  }

Reproduction Steps

    import * as iam from "aws-cdk-lib/aws-iam";
    import * as s3 from "aws-cdk-lib/aws-s3";

    // orgName must be the organization id; if it is undefined the
    // aws:PrincipalOrgID condition is silently dropped from the policy
    const org = new iam.OrganizationPrincipal(orgName);
    const bucket = new s3.Bucket(this, "bucket", {...});
    bucket.grantRead(org);

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.150.0

Framework Version

No response

Node.js Version

18.18.2

OS

Ubuntu 24.04

Language

TypeScript

Language Version

No response

Other information

No response

@ehiggins0 ehiggins0 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 6, 2025
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Jan 6, 2025
@khushail khushail added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. needs-reproduction This issue needs reproduction. p2 and removed needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. needs-triage This issue or PR still needs to be triaged. labels Jan 6, 2025
@khushail khushail self-assigned this Jan 6, 2025
@ehiggins0
Author

Turns out while trying to come up with a workaround that this is not an issue with aws-s3, but is instead a silent failure when trying to add permissions to iam.OrganizationPrincipal(undefined). It still grants the "*" access, but the condition is not added due to the orgId being undefined. Not sure if this should be addressed as it could cause security issues to deployed S3 resources, but feel free to close if not.
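The failure described in the issue body and in this comment (Principal "*" kept, condition emptied to `"StringEquals": {}`) can be caught after `cdk synth` by scanning the template for wildcard-principal allow statements that carry no effective condition. The following is an added example, not code from the issue or from aws-cdk; the two templates it checks are constructed to mirror the "Current Behavior" and "Expected Behavior" output above, with a simplified `Resource` field.

```typescript
// Added example (not from the issue or aws-cdk): scan a synthesized template
// for S3 bucket policy statements that grant the wildcard principal access
// without an effective condition, the shape grantRead(org) produces when
// the OrganizationPrincipal was built from an undefined org id.
interface Statement {
  Effect?: string;
  Principal?: any;
  Condition?: { [operator: string]: { [key: string]: any } };
}
function isWildcardPrincipal(p: any): boolean {
  if (p === "*") return true;
  const aws = p && typeof p === "object" ? p.AWS : undefined;
  return aws === "*" || (Array.isArray(aws) && aws.indexOf("*") >= 0);
}
// An operator block with no keys (e.g. "StringEquals": {}) constrains nothing.
function hasEffectiveCondition(cond: Statement["Condition"]): boolean {
  if (!cond) return false;
  for (const op in cond) {
    const keys = cond[op];
    if (keys && typeof keys === "object" && Object.keys(keys).length > 0) return true;
  }
  return false;
}
function findPublicStatements(template: any): string[] {
  const findings: string[] = [];
  const resources = (template && template.Resources) || {};
  for (const logicalId in resources) {
    const res = resources[logicalId];
    if (!res || res.Type !== "AWS::S3::BucketPolicy") continue;
    const doc = res.Properties && res.Properties.PolicyDocument;
    const stmts: Statement[] = (doc && doc.Statement) || [];
    stmts.forEach((s, i) => {
      if (s.Effect === "Allow" && isWildcardPrincipal(s.Principal) && !hasEffectiveCondition(s.Condition)) {
        findings.push(`${logicalId} statement ${i}: Principal "*" with no effective condition`);
      }
    });
  }
  return findings;
}
// Constructed templates mirroring the issue's "Current" and "Expected" output.
function policyTemplate(condition: any): any {
  return { Resources: { bucketPolicy: { Type: "AWS::S3::BucketPolicy", Properties: {
    Bucket: { Ref: "bucket" }, PolicyDocument: { Version: "2012-10-17", Statement: [{
      Action: ["s3:GetBucket*", "s3:GetObject*", "s3:List*"], Effect: "Allow",
      Principal: { AWS: "*" }, Resource: "*", Condition: condition }] } } } } };
}
const currentTemplate = policyTemplate({ StringEquals: {} });
const expectedTemplate = policyTemplate({ StringEquals: { "aws:PrincipalOrgID": "o-yyyyyyyyyy" } });
console.log(findPublicStatements(currentTemplate));  // one finding
console.log(findPublicStatements(expectedTemplate)); // []
```

Pointed at the JSON in cdk.out, the same function works as a pre-deploy gate; an empty `StringEquals` block is treated as no condition at all, which is how IAM evaluates it.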
