From 43e5094f9e9e40576ba6ac9556c2c03b4fc2698f Mon Sep 17 00:00:00 2001 From: Mark Sliva Date: Tue, 18 Oct 2022 09:24:52 -0700 Subject: [PATCH] limit the PCE's full s3 access to the deployed data bucket (#1743) Summary: Pull Request resolved: https://github.com/facebookresearch/fbpcs/pull/1743 For partner side deployments. For other usages it will still default to the current AmazonS3FullAccess arn for now. Reviewed By: ankushksingh, ajaybhargavb, anthonyzhang25 Differential Revision: D40406015 fbshipit-source-id: c9f91369fc9cd2e00b53667e4eb3927c756ade18 --- fbpcs/infra/cloud_bridge/deploy.sh | 23 ++++++++++ .../fb_pc_data_bucket_policy.json | 43 +++++++++++++++++++ .../common/pce_shared/iam.tf | 2 +- .../common/pce_shared/variable.tf | 6 +++ 4 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json diff --git a/fbpcs/infra/cloud_bridge/deploy.sh b/fbpcs/infra/cloud_bridge/deploy.sh index aab9db0db..ce465f3e3 100755 --- a/fbpcs/infra/cloud_bridge/deploy.sh +++ b/fbpcs/infra/cloud_bridge/deploy.sh @@ -86,6 +86,7 @@ undeploy_aws_resources() { -var "aws_region=$region" \ -var "tag_postfix=$tag_postfix" \ -var "aws_account_id=$aws_account_id" \ + -var "s3_access_arn=$data_bucket_policy_arn" \ -var "pce_id=$pce_id" echo "Finished undeploying AWS resources under PCE_shared." echo "Start undeploying AWS resource under PCE..." 
@@ -181,10 +182,16 @@ undeploy_aws_resources() { fi echo "######################## Undeploy resources policy ########################" log_streaming_data "Undeploying resources policies..." + echo "Deleting policy: $policy_name" cd /terraform_deployment python3 cli.py destroy aws \ --delete_iam_policy \ --policy_name "$policy_name" + + echo "Deleting data bucket policy: $data_bucket_policy_name" + python3 cli.py destroy aws \ + --delete_iam_policy \ + --policy_name "$data_bucket_policy_name" echo "######################## Finished undeploy resources policy ########################" log_streaming_data "finished undeploying all AWS resources " @@ -211,6 +218,18 @@ deploy_aws_resources() { # Create the S3 data bucket if it doesn't exist log_streaming_data "creating s3 data bucket, if it does not exist" validate_or_create_s3_bucket "$s3_bucket_data_pipeline" "$region" "$aws_account_id" + + # Create data bucket policy + echo "########################Create data bucket policy########################" + cd /terraform_deployment + python3 cli.py create aws \ + --add_iam_policy \ + --policy_name "$data_bucket_policy_name" \ + --template_path "$fb_pc_data_bucket_policy" \ + --region "$region" \ + --data_bucket_name "$s3_bucket_data_pipeline" + echo "########################Done creating data bucket policy########################" + # Deploy PCE Terraform scripts onedocker_ecs_container_image='539290649537.dkr.ecr.us-west-2.amazonaws.com/one-docker-prod:latest' publisher_vpc_cidr='10.0.0.0/16' @@ -229,6 +248,7 @@ deploy_aws_resources() { -var "tag_postfix=$tag_postfix" \ -var "aws_account_id=$aws_account_id" \ -var "onedocker_ecs_container_image=$onedocker_ecs_container_image" \ + -var "s3_access_arn=$data_bucket_policy_arn" \ -var "pce_id=$pce_id" echo "######################## Deploy PCE SHARED Terraform scripts completed ########################" # Store the outputs into variables 
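Review bot: The new `python3 cli.py destroy aws --delete_iam_policy --policy_name "$data_bucket_policy_name"` step will also run against deployments made before this change, where that policy was never created; unless cli.py already treats a missing policy as success, undeploy now stops at a step that has nothing to clean up. The deletion also depends on the earlier `terraform destroy` of pce_shared having detached the policy, since IAM refuses to delete a policy that is still attached to the task role, and nothing in the hunk records that ordering. A comment above the new call, `# Must run after pce_shared is destroyed: IAM rejects deleting a policy that is still attached to the OneDocker task role`, plus tolerating not-found on this one deletion would make the step safe for both old and new deployments. undeploy_aws_resources starts before this hunk and continues past it.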
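Review bot: The new `cli.py create aws --add_iam_policy` call passes only `--policy_name`, `--template_path`, `--region` and `--data_bucket_name`, while the template at `$fb_pc_data_bucket_policy` also contains an `${ACCOUNT_ID}` placeholder used by the Deny statement's `s3:ResourceAccount` condition; if cli.py does not fill that value itself, the condition compares against the literal placeholder, never matches, and the Deny is silently inert. `aws_account_id` is already in scope in this function, so it is worth passing it explicitly if the CLI accepts an account-id option, or at least verifying the rendered policy in the console after a deploy. The exit status of the create step is also not checked, so if policy creation fails the later `terraform apply` in this function attaches an ARN that does not exist; a guard such as `python3 cli.py create aws ... || { echo "failed to create $data_bucket_policy_name" >&2; exit 1; }` would fail fast. deploy_aws_resources begins before this hunk and continues past it.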
@@ -427,6 +447,9 @@ data_upload_key_path="semi-automated-data-ingestion" query_results_key_path="query-results" data_ingestion_lambda_name="cb-data-ingestion-stream-processor${tag_postfix}" fb_pc_iam_policy="/terraform_deployment/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy.json" +fb_pc_data_bucket_policy="/terraform_deployment/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json" +data_bucket_policy_name="fb-pc-data-bucket-policy${tag_postfix}" +data_bucket_policy_arn="arn:aws:iam::${aws_account_id}:policy/${data_bucket_policy_name}" if "$undeploy" then diff --git a/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json b/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json new file mode 100644 index 000000000..cac397de3 --- /dev/null +++ b/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json @@ -0,0 +1,43 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::${DATA_BUCKET_NAME}", + "arn:aws:s3:::${DATA_BUCKET_NAME}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:Describe*", + "s3:Get*", + "s3:List*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Deny", + "Action": [ + "s3:*" + ], + "NotResource": [ + "arn:aws:s3:::${DATA_BUCKET_NAME}", + "arn:aws:s3:::${DATA_BUCKET_NAME}/*" + ], + "Condition": { + "StringEquals": { + "s3:ResourceAccount": [ + "${ACCOUNT_ID}" + ] + } + } + } + ] +} diff --git a/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/iam.tf b/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/iam.tf index b06808e09..f8f5f0bea 100644 --- a/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/iam.tf +++ b/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/iam.tf 
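Review bot: `data_bucket_policy_arn` is assembled by string interpolation rather than read back from the policy-creation step, so it silently assumes the `aws` partition and that cli.py creates the policy at the default `/` path with exactly `$data_bucket_policy_name`; any mismatch only surfaces later when `terraform apply` fails to attach the ARN. This mirrors how `fb_pc_iam_policy` is handled, so it is consistent, but a one-line comment, `# Must match the ARN cli.py produces for --policy_name (default IAM path "/", aws partition)`, would make the coupling visible to the next maintainer.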
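Review bot: The second statement grants `s3:Describe*`, `s3:Get*` and `s3:List*` on `"*"`, and the Deny in the third statement is limited by `s3:ResourceAccount` to buckets owned by `${ACCOUNT_ID}`, so within the account the role is effectively confined to the data bucket, but it keeps read access (including `s3:GetObject`) to any bucket in another account whose bucket policy trusts it; that is presumably intended for cross-party ingestion, yet the commit title reads as if access is limited to the data bucket. The Deny also covers `s3:ListAllMyBuckets` in the same account, since its resource `*` is not in `NotResource`, which may surprise tooling that enumerates buckets; worth confirming that is acceptable. Because JSON cannot carry comments, adding a `Sid` to each statement, e.g. `"Sid": "DataBucketFullAccess"`, `"Sid": "ReadOnlyCrossAccount"` and `"Sid": "DenyOtherSameAccountBuckets"`, would document the intent in the rendered policy.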
@@ -51,5 +51,5 @@ resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attach resource "aws_iam_role_policy_attachment" "task_s3" { role = aws_iam_role.onedocker_ecs_task_role.name - policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess" + policy_arn = var.s3_access_arn } diff --git a/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/variable.tf b/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/variable.tf index 7fef34f9f..82563c58e 100644 --- a/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/variable.tf +++ b/fbpcs/infra/pce/aws_terraform_template/common/pce_shared/variable.tf @@ -22,3 +22,9 @@ variable "pce_id" { type = string description = "The identifier for marking the cloud resources are in PCE" } + +variable "s3_access_arn" { + type = string + description = "The s3 arn that the PCE can access" + default = "arn:aws:iam::aws:policy/AmazonS3FullAccess" +}
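Review bot: The description `"The s3 arn that the PCE can access"` on the new `s3_access_arn` variable is inaccurate; the value is an IAM policy ARN attached to the OneDocker ECS task role in iam.tf, not an S3 resource ARN, and a caller reading the description could reasonably pass a bucket ARN. Suggested wording: `description = "ARN of the IAM policy attached to the OneDocker ECS task role for its S3 access; defaults to the AWS-managed AmazonS3FullAccess"`. It may also be worth stating in the description that the default keeps the broad pre-change permissions so that callers other than the partner deploy script know they are opting into full S3 access by omission.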