

Block public and non-HTTPS access to S3 bucket created by integration…
… tests (#615)

* Block public access to S3 bucket as per standard compliance rules

* Deny non-HTTPS requests to S3 buckets created by integration tests
shreyas-s-rao authored May 3, 2023
1 parent 1ecfb1a commit afa352a
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion .ci/integration_test
Expand Up @@ -175,7 +175,11 @@ function delete_aws_secret() {

function create_s3_bucket() {
echo "Creating S3 bucket ${TEST_ID} in region ${REGION}"
aws s3api create-bucket --bucket ${TEST_ID} --region ${REGION} --create-bucket-configuration LocationConstraint=${REGION}
aws s3api create-bucket --bucket ${TEST_ID} --region ${REGION} --create-bucket-configuration LocationConstraint=${REGION} --acl private
# Block public access to the S3 bucket
aws s3api put-public-access-block --bucket ${TEST_ID} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
# Deny non-HTTPS requests to the S3 bucket
aws s3api put-bucket-policy --bucket ${TEST_ID} --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::${TEST_ID}\",\"arn:aws:s3:::${TEST_ID}/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"},\"NumericLessThan\":{\"s3:TlsVersion\":\"1.2\"}}}]}"
}

function delete_s3_bucket() {
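Review bot: The Deny statement on the put-bucket-policy line never fires, because the Bool and NumericLessThan operators inside one Condition block are ANDed: a plain-HTTP request carries no s3:TlsVersion key (so NumericLessThan evaluates false), and a TLS 1.0/1.1 request has aws:SecureTransport=true, so neither case is denied. Split the two conditions into two Deny statements, one keyed on aws:SecureTransport=false and one on s3:TlsVersion below 1.2, as below. The two new put-* calls also run unchecked — if the script does not run under set -e (its preamble is outside the hunk), a failed put-bucket-policy leaves the bucket without the deny, so `... || return 1` on each call would be worth adding. Quoting `"${TEST_ID}"` and `"${REGION}"` on the new lines would also silence ShellCheck SC2086.
```shell
  # Two separate Deny statements: condition operators inside one statement are
  # ANDed, and s3:TlsVersion is absent on plain-HTTP requests, so a single
  # combined condition would never match.
  local policy
  policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${TEST_ID}", "arn:aws:s3:::${TEST_ID}/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyOldTls",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${TEST_ID}", "arn:aws:s3:::${TEST_ID}/*"],
      "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}
    }
  ]
}
EOF
)
  aws s3api put-bucket-policy --bucket "${TEST_ID}" --policy "${policy}" || return 1
```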

