Sonarqube 不允许我为 S3 存储桶设置策略

问题描述 投票:0回答:1

我正在尝试让我的 s3 存储桶用于存储访问日志。下面是我如何使用 terraform 为其部署所需的策略。

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logging.s3.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*"
      }
    ]
  })
}

然而,在构建时,Sonarqube 在以下几行中抛出错误:
“效果”:“允许”-> 不符合要求的请求应该被拒绝。
"Action" : "s3:PutObject", -> 所有 S3 操作都应受到限制。

尝试了 Sonarqube(如下)和 aws 给出的一般建议,但没有运气。我对此很陌生,所以很难弄清楚。知道政策哪里不符合标准吗?

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
 
  policy = jsonencode({
    "Version" = "2012-10-17",
    "Statement" = [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "logging.s3.amazonaws.com"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*"
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "false"
          }
        }
      }
    ]
  })
}

还确保我符合此处给出的条件https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

amazon-web-services amazon-s3 terraform sonarqube sonarqube-scan
1个回答
0
投票

根据您发送的链接,您的政策中似乎缺少一个条件,即:

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logging.s3.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : "${aws_s3_bucket.s3_access_logs_bucket.arn}/*",
        "Condition": {
           "ArnLike": {
               "aws:SourceArn": aws_s3_bucket.s3_access_logs_bucket.arn
           },
           "StringEquals": {
               "aws:SourceAccount": "<source account id>"
          }
        }
      }
    ]
  })
}

如您所见,存储桶资源还导出 ARN 属性,因此您不必使用 ID 构造整个 ARN。另外,我总是建议使用数据源在 terraform 中构建任何类型的策略,因为它更容易使用并避免错误:

data "aws_iam_policy_document" "s3_policy" {
  statement {
    sid    = "S3ServerAccessLogsPolicy"
    effect = "Allow"
    principals {
      type = "Service"
      identifiers = [
        "logging.s3.amazonaws.com"
      ]
    }
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${aws_s3_bucket.s3_access_logs_bucket.arn}/*"
    ]
    condition {
      variable = "aws:SourceArn"
      test     = "ArnLike"
      values = [
        aws_s3_bucket.s3_access_logs_bucket.arn
      ]
    }
    condition {
      variable = "aws:SourceAccount"
      test     = "StringEquals"
      values = [
        <source account id>
      ]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
 
  policy = data.aws_iam_policy_document.s3_policy.json
}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.