Block public and non-HTTPS access to S3 bucket as per standard compli…

…ance rules (#581) * Block public access to S3 bucket as per standard compliance rules * Deny non-HTTPS requests to S3 buckets created by e2e tests * Fix typos
gardener · May 3, 2023 · 03618c9 · 03618c9
1 parent e30729f
commit 03618c9
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/controllers/etcdcopybackupstask/reconciler_test.go b/controllers/etcdcopybackupstask/reconciler_test.go
@@ -536,7 +536,7 @@ var _ = Describe("EtcdCopyBackupsTaskController", func() {
 				Expect(*hostPathVolumeSource.Type).To(Equal(corev1.HostPathDirectory))
 			})
 
-			It("should create the correct volumes when store.SecretRef is not refered", func() {
+			It("should create the correct volumes when store.SecretRef is not referred", func() {
 				Expect(fakeClient.Create(ctx, secret)).To(Succeed())
 
 				store.SecretRef = &corev1.SecretReference{Name: secret.Name}

diff --git a/hack/e2e-test/infrastructure/overlays/aws/common/files/common.sh b/hack/e2e-test/infrastructure/overlays/aws/common/files/common.sh
@@ -17,7 +17,6 @@
 ENDPOINT_URL=""
 if [[ -n "${LOCALSTACK_HOST}" ]]; then
   ENDPOINT_URL=" --endpoint-url=http://${LOCALSTACK_HOST}"
-
 fi
 
 function setup_aws() {
@@ -49,7 +48,13 @@ function create_s3_bucket() {
   result=$(aws ${ENDPOINT_URL} s3api get-bucket-location --bucket ${TEST_ID} 2>&1 || true)
   if [[ $result == *NoSuchBucket* ]]; then
     echo "Creating S3 bucket ${TEST_ID} in region ${AWS_REGION}"
-    aws ${ENDPOINT_URL} s3api create-bucket --bucket ${TEST_ID} --region ${AWS_REGION} --create-bucket-configuration LocationConstraint=${AWS_REGION}
+    aws ${ENDPOINT_URL} s3api create-bucket --bucket ${TEST_ID} --region ${AWS_REGION} --create-bucket-configuration LocationConstraint=${AWS_REGION} --acl private
+    # Block public access to the S3 bucket
+    aws ${ENDPOINT_URL} s3api put-public-access-block --bucket ${TEST_ID} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+    # Deny non-HTTPS requests to the S3 bucket, except for localstack which is exposed on an HTTP endpoint
+    if [[ -z "${LOCALSTACK_HOST}" ]]; then
+      aws ${ENDPOINT_URL} s3api put-bucket-policy --bucket ${TEST_ID} --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::${TEST_ID}\",\"arn:aws:s3:::${TEST_ID}/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"},\"NumericLessThan\":{\"s3:TlsVersion\":\"1.2\"}}}]}"
+    fi
   else
     echo $result
     if [[ $result != *${AWS_REGION}* ]]; then

diff --git a/pkg/health/condition/check_backup_ready.go b/pkg/health/condition/check_backup_ready.go
@@ -31,7 +31,7 @@ type backupReadyCheck struct {
 }
 
 const (
-	// BackupSucceeded is a constant that means that etcd backup has been sucessfully taken
+	// BackupSucceeded is a constant that means that etcd backup has been successfully taken
 	BackupSucceeded string = "BackupSucceeded"
 	// BackupFailed is a constant that means that etcd backup has failed
 	BackupFailed string = "BackupFailed"