S3 object ownership #7869

Closed · 1 task · Fixed by #9042

klizhentas opened this issue Aug 11, 2021 · 2 comments

Labels: c-ca (Internal Customer Reference), feature-request (Used for new features in Teleport, improvements to current should be #enhancements)

Comments

klizhentas commented Aug 11, 2021

Consider two accounts, Tenant and Audit. Account Audit owns the S3 bucket Logs. Account Tenant has write permission to the bucket Logs. The problem is that when Tenant creates an S3 object, it is logged as the object owner unless it transfers ownership.

If Tenant is then deleted, Audit will lose access to the bucket. Ownership can be relinquished with a simple ACL setting:

Clarify:

  • It seems that there is a global setting "bucket owner preferred" that achieves just that

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#enable-object-ownership
https://www.amazonaws.cn/en/new/2020/amazon-s3-object-ownership-enables-bucket-owners-to-automatically-assume-ownership-of-objects-uploaded-to-their-buckets/

klizhentas added the feature-request label Aug 11, 2021
russjones added the c-ca (Internal Customer Reference) label Sep 23, 2021
atburke commented Oct 16, 2021

I'm thinking that the user workflow should look something like this:

  • Bucket owner sets Object Ownership to "Bucket owner preferred".
  • Teleport sends bucket-owner-full-control ACL when uploading audit logs. We can add a new boolean var to teleport.yaml to signal when to do this (I'm currently also calling it bucket_owner_full_control). This is enough to transfer ownership.
  • To enforce the transfer, include this in the bucket policy:
```json
{
    "Version": "2012-10-17",
    "Id": "[id]",
    "Statement": [
        {
            "Sid": "[sid]",
            "Effect": "Allow",
            "Principal": {
                "AWS": "[arn of Tenant]"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::Logs/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
```
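
Added example, not Teleport's code and not part of the thread: a toy Go evaluator for the bucket policy proposed in the comment above, to show what an Allow statement conditioned on `s3:x-amz-acl` does and does not enforce. The Tenant ARN, the object key and the three policy variants are constructed for the illustration, and the evaluator models only the statement shapes used here (one Principal/Action/Resource string, StringEquals/StringNotEquals on one key); it is not a general IAM engine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Added, constructed example (not AWS's IAM engine and not Teleport code): a toy
// evaluator for Allow/Deny statements with one Principal/Action/Resource string
// and an optional StringEquals or StringNotEquals condition on s3:x-amz-acl.
type statement struct {
	Effect    string                       `json:"Effect"`
	Principal struct{ AWS string }         `json:"Principal"`
	Action    string                       `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition"`
}

type policy struct{ Statement []statement }

// request is one PutObject as the policy engine sees it; ACL is the x-amz-acl header, "" if absent.
type request struct{ Principal, Action, Resource, ACL string }

const (
	tenantARN   = "arn:aws:iam::111122223333:role/teleport-audit" // hypothetical Tenant principal
	fullControl = "bucket-owner-full-control"
)

// stmt builds one Tenant s3:PutObject statement on Logs/*, optionally conditioned on
// s3:x-amz-acl == bucket-owner-full-control with the given operator.
func stmt(effect, op string) string {
	cond := ""
	if op != "" {
		cond = fmt.Sprintf(`,"Condition":{"%s":{"s3:x-amz-acl":"%s"}}`, op, fullControl)
	}
	return fmt.Sprintf(`{"Effect":"%s","Principal":{"AWS":"%s"},"Action":"s3:PutObject",`+
		`"Resource":"arn:aws:s3:::Logs/*"%s}`, effect, tenantARN, cond)
}

var (
	// The statement proposed above: Allow only when the ACL header is present.
	allowOnlyPolicy = `{"Statement":[` + stmt("Allow", "StringEquals") + `]}`
	// The same grant beside a second, unconditioned Allow (e.g. added later for another uploader).
	laxPolicy = `{"Statement":[` + stmt("Allow", "StringEquals") + "," + stmt("Allow", "") + `]}`
	// Unconditioned Allow plus an explicit Deny whenever the ACL is missing or different.
	enforcingPolicy = `{"Statement":[` + stmt("Allow", "") + "," + stmt("Deny", "StringNotEquals") + `]}`
)

// conditionHolds follows IAM for an absent request key: StringEquals against a missing
// header is false, StringNotEquals against a missing header is true.
func conditionHolds(cond map[string]map[string]string, req request) bool {
	for op, kv := range cond {
		want, ok := kv["s3:x-amz-acl"]
		if !ok || len(kv) != 1 {
			return false // only this condition key is modelled
		}
		switch {
		case op == "StringEquals" && req.ACL == want:
		case op == "StringNotEquals" && req.ACL != want:
		default:
			return false
		}
	}
	return true
}

// evaluate applies IAM's decision order: an explicit Deny beats every Allow, any matching
// Allow grants, otherwise implicit deny. Resource matching covers only the "prefix/*" form.
func evaluate(p policy, req request) string {
	decision := "implicit-deny"
	for _, s := range p.Statement {
		if s.Principal.AWS != req.Principal || s.Action != req.Action ||
			!strings.HasPrefix(req.Resource, strings.TrimSuffix(s.Resource, "*")) ||
			!conditionHolds(s.Condition, req) {
			continue
		}
		if s.Effect == "Deny" {
			return "explicit-deny"
		}
		decision = "allow"
	}
	return decision
}

// decide evaluates a Tenant PutObject of a constructed key into Logs under policyJSON.
func decide(policyJSON, acl string) (string, error) {
	var p policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return "", err
	}
	return evaluate(p, request{tenantARN, "s3:PutObject", "arn:aws:s3:::Logs/2021-10-16.log", acl}), nil
}

func main() {
	d, _ := decide(laxPolicy, "") // err is nil: the policies above are well-formed
	fmt.Println("lax policy, upload without x-amz-acl:", d)
}
```

The rows worth comparing are laxPolicy with no x-amz-acl header, which the conditioned Allow does nothing to stop because a second statement grants the write anyway, and enforcingPolicy with no header, where the StringNotEquals Deny turns the same upload into an explicit deny regardless of what other Allows exist. The evaluator says nothing about the Object Ownership setting itself: the Deny only stops uploads that would leave ownership with the Tenant, while it is the bucket-owner-preferred setting together with the bucket-owner-full-control ACL that actually moves ownership to Audit.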

russjones commented

@stevenGravy Can you take a look?
