deny_nonsecure_transport grants read-write access to all principals #30
Comments
I'd add that, checking EFS docs, the statement in question has nothing to do with nonsecure transport, and so gating it with
This issue has been automatically marked as stale because it has been open 30 days
Not stale
This issue has been automatically marked as stale because it has been open 30 days
Still not stale
This issue has been automatically marked as stale because it has been open 30 days
I hit this issue when setting the least privileged access to a new EFS file system. I was following this EFS guide and using
This issue has been automatically marked as stale because it has been open 30 days
Not stale: issue still exists as far as I can tell
Description
The policy generated by `deny_nonsecure_transport` grants access to all AWS principals. This makes the use of IAM to control access to the filesystem impossible when this boolean is set, and is an extremely significant side-effect of the boolean (in contrast to having it set to `false` and using `policy_statements`) that is not clear in documentation.
The problematic policy was added in #21, in an attempt to fix #20 and #11. In particular, I think the policy given in #20 is the incorrect policy to fix the ECS issue because it only works because it grants access to all principals -- which is far too broad of a policy, and probably not the intention.
#20 mentions that the web console generated the policy. However, I believe the policies generated by the web console are intended to be used where IAM is not used to control access to the filesystem: all of them generate a similar policy granting access to all principals, with specific denies; this is because the 'default' EFS policy is to allow access to all principals, and use firewall rules to control access.
I think this module should support using IAM to selectively control access to the EFS filesystem, instead of firewall rules alone. At the very least, it should be made more explicit that `deny_nonsecure_transport` precludes the use of IAM. I would suggest creating a new boolean that makes it very explicit as to whether an 'allow all principals' policy will be attached; then, this could be set to false to facilitate the use of IAM to control access.
Versions
Module version [Required]: v1.6.2
Terraform version: v1.6.3
Provider version(s): provider registry.terraform.io/hashicorp/aws v5.40.0
Reproduction Code [Required]
Steps to reproduce the behavior:
`deny_nonsecure_transport` set to `true`
`policy_statements` to attempt to grant some form of access to a specific IAM principal
Expected behavior
The EFS filesystem should not be able to be mounted by any IAM principal when `deny_nonsecure_transport` is true
Actual behavior
The EFS filesystem is able to be mounted by any IAM principal when `deny_nonsecure_transport` is true, regardless of any allows in `policy_statements`.
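An added example (not from the issue or from the module): a small Python audit that flags `Allow` statements in an EFS file system policy that apply to every principal, the pattern this issue describes. The sample policy, its Sids, the account ID and the role name are constructed, and treating only the three listed `aws:Principal*` condition keys as narrowing the caller is a simplifying assumption.

```python
import json

# Constructed sample shaped like the policy the issue describes (an allow for
# every principal plus a transport deny). It is not the module's actual output.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowAll", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
   "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
  {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
  {"Sid": "AppRole", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
   "Action": "elasticfilesystem:ClientMount"}
]}
""")

# Assumption: only these condition keys restrict *who* is calling; transport or
# mount-target conditions do not. Negated operators are not handled.
PRINCIPAL_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _narrows_principal(condition):
    return any(key.lower() in PRINCIPAL_KEYS
               for block in (condition or {}).values() for key in block)

def open_allows(policy):
    """Return (Sid, actions) for each Allow statement open to every principal."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal"))
                and not _narrows_principal(st.get("Condition"))):
            findings.append((st.get("Sid", "<no sid>"), _as_list(st.get("Action", []))))
    return findings

if __name__ == "__main__":
    for sid, actions in open_allows(SAMPLE_POLICY):
        print(f"{sid}: open to all principals -> {', '.join(actions)}")
```

Run it against the policy document from a Terraform plan or from the file system's current policy; any finding means the per-principal allows in the same policy do not limit who can mount.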