
Policies - Exemple S3 Buckets

Références#

S3 Policy Condition Keys (Pour les conditions)

Global Condition Keys (Pour les conditions)

Transport chiffré#

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKET_ID",
                "arn:aws:s3:::BUCKET_ID/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_ID/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
Terraform
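# Bucket policy document with two explicit Deny statements applied to every
# principal: one refuses any S3 call made without TLS, the other refuses
# PutObject requests that do not declare server-side encryption. An explicit
# Deny takes precedence over any Allow granted elsewhere, so these act as
# guard rails regardless of the IAM permissions of the caller.
#
# Assumes a resource "aws_s3_bucket" "bucket_name" is declared in the same
# module; the bucket ARN is taken from it.
data "aws_iam_policy_document" "bucket_policy_1" {

  # Deny every S3 action on the bucket and on its objects when the request is
  # not made over an encrypted transport (aws:SecureTransport == "false").
  statement {
    sid    = "AllowSSLRequestsOnly"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    # Bucket ARN plus every object key under it. The bucket ARN is referenced
    # directly: the interpolation-only "${...}" wrapper is deprecated since
    # Terraform 0.12 and only produces a warning, the object ARN still needs a
    # template string because of the "/*" suffix.
    resources = [
      aws_s3_bucket.bucket_name.arn,
      "${aws_s3_bucket.bucket_name.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Deny PutObject requests that do not carry the x-amz-server-side-encryption
  # header ("Null" == "true" means the condition key is absent from the
  # request context).
  # NOTE(review): this checks the request header only. Uploads that rely on
  # bucket default encryption and therefore omit the header would still be
  # denied by this statement — confirm that is the intended behaviour.
  statement {
    sid    = "DenyUnEncryptedObjectUploads"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:PutObject"]

    resources = [
      "${aws_s3_bucket.bucket_name.arn}/*",
    ]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }
}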

Chiffrement avec KMS#

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_ID/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ca-central-1:123456789012:key/KEY-ID"
                }
            }
        }
    ]
}
Terraform
# Statement fragment for an aws_iam_policy_document: deny PutObject on every
# object of the bucket, for every principal, whenever the
# x-amz-server-side-encryption-aws-kms-key-id header names a KMS key other
# than var.kms_key_arn. The enclosing data block and the
# aws_s3_bucket.bucket_name resource are declared elsewhere.
#
# NOTE(review): the operator is StringNotLikeIfExists, so confirm how the
# condition is evaluated when the header is absent (uploads using SSE-S3, or
# relying on bucket default encryption). If an absent header satisfies the
# condition, this statement only pins the key when one is sent; an explicit
# "Null" test on the same condition key is the unambiguous way to require
# the header to be present.
statement {
  sid    = "RequireKMSEncryption"
  effect = "Deny"

  principals {
    type        = "AWS"
    identifiers = ["*"]
  }

  actions = ["s3:PutObject"]

  # Every object key under the bucket.
  resources = [
    "${aws_s3_bucket.bucket_name.arn}/*",
  ]

  # Expected key ARN is supplied by the module caller through var.kms_key_arn.
  condition {
    test     = "StringNotLikeIfExists"
    variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
    values   = [var.kms_key_arn]
  }
}

Limiter la rétention sur un Object Lock Bucket#

Référence

JSON
    {
        "Version": "2012-10-17",
        "Id": "SetRetentionLimits",
        "Statement": [
            {
                "Sid": "SetRetentionPeriod",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:PutObjectRetention"
                ],
                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                "Condition": {
                    "NumericGreaterThan": {
                        "s3:object-lock-remaining-retention-days": "10"
                    }
                }
            }
        ]
    }
Terraform
TBD