Enable server-side encryption for all S3 objects #3647
Comments
Server-side encryption has now been enabled for all buckets but it only affects objects written after it was enabled on a bucket. The unencrypted objects need to be deleted or overwritten. @bvizzier-ucsc, can anything be done to get CleverCanary to respond to this? It would be helpful to have a timeline for Edit: this comment was interpreted by some to imply a criticism of CleverCanary. I'd like to clarify that this interpretation was not intended. |
Hi @dsotirho-ucsc can you let us know the urgency of this request? Are there any timelines associated with this we should be aware of? This will help us prioritize this work. cc @bvizzier-ucsc |
Also, @dsotirho-ucsc I just did a dev and prod deployment for lungmap. Can you let me know if this fixed the issue for:
Cheers and Thanks, |
@NoopDog, please direct priority and scheduling questions at me and @bvizzier-ucsc. Thank you! To answer your question, this is a medium-severity finding so it has a 90 day remediation target. The finding is from last year so we're already way past the deadline, luckily not in a currently compliant deployment. If you could fix this ASAP that would help limit the damage to our track record wrt timely mediation in the eyes of the AO and the yearly 3PAO. It just requires reading and writing the objects again so it should be real easy to fix (< 10min) with |
@hannes-ucsc Scheduling questions I will direct exclusively to @bvizzier-ucsc. I would prefer if any tickets assigned to us already contained the information required for Ben and me to prioritize against our other tasks. The data-browser.dev.lungmap.net and data-browser.lungmap.net buckets should already be fixed. If you or @dsotirho-ucsc can verify that would be great. Also if you can fix archive-preview.humancellatlas.org in 10 minutes that would be great. Would you be able to claim this ticket? Cheers and Thanks, |
@bvizzier-ucsc has a lot on his plate and I would like to help where I can so if you could also include me in scheduling questions, that would be helpful. Thank you!
Sorry, not at this moment. If it takes you considerably longer than 10min, let us know and we'll see what we can do to help. |
Triaging to discuss the expected timeline with @bvizzier-ucsc. |
@NoopDog Am I remembering correctly that the unencrypted files in this bucket can be deleted? |
This is a bucket owned and populated by the front end team. The proper function needs to be validated by them once the change is made. |
Not deleted just encrypted
…On Wed, Oct 4, 2023 at 3:25 PM Ben Vizzier ***@***.***> wrote:
This is a bucket owned and populated by the front end team. The proper
function needs to be validated by them once the change is made.
|
I just did it myself. It really just entailed |
While investigating DataBiosphere/azul#4715 it was discovered that the following buckets contain unencrypted objects:
HCA dev:
HCA prod:
Please enable server-side encryption for all the objects in these buckets.
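The thread notes that enabling encryption on a bucket only covers objects written afterwards, and that older objects have to be read and written again. The sketch below is an added example, not code from this issue or from the project: it finds objects without an encryption header and copies each onto itself with SSE set. It assumes a boto3-style S3 client; `reencrypt_bucket`, `FakeS3`, the bucket name and the sample objects are constructed for illustration.

```python
MAX_COPY_BYTES = 5 * 1024**3  # a single copy_object call is limited to 5 GiB


def reencrypt_bucket(s3, bucket, sse="AES256", dry_run=True):
    """Return (rewritten, skipped) keys; `s3` is a boto3 S3 client or a stand-in."""
    rewritten, skipped = [], []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            key = obj["Key"]
            if s3.head_object(Bucket=bucket, Key=key).get("ServerSideEncryption"):
                continue  # already encrypted at rest, leave untouched
            if obj["Size"] > MAX_COPY_BYTES:
                skipped.append(key)  # needs a multipart copy instead
                continue
            if not dry_run:
                # Copying an object onto itself is accepted because the
                # encryption attribute changes; ACLs are not carried over.
                s3.copy_object(Bucket=bucket, Key=key,
                               CopySource={"Bucket": bucket, "Key": key},
                               ServerSideEncryption=sse, MetadataDirective="COPY")
            rewritten.append(key)
    return rewritten, skipped


class FakeS3:
    """Constructed in-memory stand-in so the example runs offline."""

    def __init__(self, objects):
        self.objects = objects  # key -> {"Size": int, "SSE": str or None}

    def get_paginator(self, name):
        return self

    def paginate(self, Bucket):
        yield {"Contents": [{"Key": k, "Size": v["Size"]}
                            for k, v in self.objects.items()]}

    def head_object(self, Bucket, Key):
        sse = self.objects[Key]["SSE"]
        return {"ServerSideEncryption": sse} if sse else {}

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption,
                    MetadataDirective):
        self.objects[Key]["SSE"] = ServerSideEncryption


if __name__ == "__main__":
    fake = FakeS3({"index.html": {"Size": 512, "SSE": None},       # constructed
                   "app.js": {"Size": 2048, "SSE": "AES256"}})     # constructed
    print(reencrypt_bucket(fake, "example-bucket", dry_run=False))
```

On a versioned bucket the copy creates a new current version and the earlier unencrypted versions remain until they are expired or deleted. Run with `dry_run=True` first and have the bucket owner validate the site afterwards, since the copy resets `LastModified` and object ACLs.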