NASA-IMPACT / nasa-apt

Code and issues relevant to the NASA APT project
Apache License 2.0

MCP: Ensure CloudFront distributions use origin access control (OAC) #881

Closed bwbaker1 closed 3 weeks ago

bwbaker1 commented 2 months ago

Description:

MCP and Tenants have a shared responsibility to ensure compliance with the MCP System Security Plan. AWS Security Hub has identified non-compliance with the OAC configuration for CloudFront distributions using Amazon S3 origins - CloudFront distributions should use OAC.

AWS recommends configuring OAC. OAC restricts access to content in the S3 bucket only through the specified CloudFront distribution, enhancing security by preventing direct access from the bucket to other distributions.

Refer to the Amazon CloudFront Developer Guide for instructions on "Restricting access to an Amazon S3 origin."

Acceptance Criteria:

bwbaker1 commented 2 months ago

@wrynearson Any idea on when this can be addressed so that I can let MCP know?

wrynearson commented 2 months ago

@bwbaker1 is there any deadline we should be aware of? If the OIDC role we have has enough access, we can do that fairly easily. If not, we'll have to coordinate with some folks with MCP access, but it also shouldn't be too difficult.

bwbaker1 commented 2 months ago

@wrynearson The deadline is August 16th. I think we can get it extended a bit if needed.

wrynearson commented 2 months ago

We'll need @jjfrench's support on this, and he'll need access that he currently doesn't have – see https://github.com/NASA-IMPACT/nasa-apt/issues/882#issuecomment-2269856821

wrynearson commented 2 months ago

Never mind, @jjfrench has access as of Tuesday

bwbaker1 commented 1 month ago

@jjfrench Do you have an update on this ticket? This is from MCP today:

[image attached]

jjfrench commented 1 month ago

@bwbaker1 Sorry, I didn't see the notifications on this ticket. I don't seem to have the necessary permissions in MCP to modify the Origin Access settings to apply this change.

bwbaker1 commented 1 month ago

@jjfrench Thank you!

jjfrench commented 1 month ago

Ah, I was mistaken - elevated permissions do enable this setting - I'll have to request access through NAMS

jjfrench commented 3 weeks ago

I received elevated privileges yesterday. OAC now configured for all CloudFront distributions, so we should be passing the control for purposes of this ticket.

I can't remove the "PublicReadGetObject" statement on the algorithm-publication-tool bucket policy though. My assumption would be that the website endpoint is being used somewhere for the redirect rather than the related CloudFront distribution domain name
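An added example for readers of this thread, not code from the nasa-apt project or from MCP: an offline script that checks the two things the issue turns on. First, the Security Hub control in the description, that every CloudFront distribution with an Amazon S3 origin has an origin access control attached. Second, the bucket-policy question in the last comment: once OAC restricts reads to one distribution, the public "PublicReadGetObject" statement is redundant, unless something still reads the bucket's website endpoint, which CloudFront treats as a plain custom origin that OAC cannot protect. The input dictionaries follow the shape of boto3's `get_distribution_config()["DistributionConfig"]` and `get_bucket_policy()["Policy"]`, but every distribution ID, OAC ID, account number and the bucket name `example-bucket` are constructed placeholders so the script runs without AWS credentials.

```python
"""Offline checks for CloudFront OAC coverage and public-read bucket statements.

Constructed sample data only; nothing here talks to AWS.
"""
import json
import re

# S3 website endpoints look like <bucket>.s3-website-<region>.amazonaws.com
# or <bucket>.s3-website.<region>.amazonaws.com; both forms are in use.
WEBSITE_ENDPOINT_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")


def origin_kind(origin):
    """Classify one entry of DistributionConfig['Origins']['Items']."""
    if "S3OriginConfig" in origin:           # REST endpoint: OAC applies here
        return "s3"
    if WEBSITE_ENDPOINT_RE.search(origin.get("DomainName", "")):
        return "s3-website"                  # custom origin: OAC cannot apply
    return "custom"


def oac_findings(dist_id, config):
    """Return (distribution, origin id, message) triples that need attention."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        kind = origin_kind(origin)
        oid = origin.get("Id", "?")
        if kind == "s3" and not origin.get("OriginAccessControlId"):
            findings.append((dist_id, oid, "S3 origin has no OAC attached"))
        elif kind == "s3" and origin["S3OriginConfig"].get("OriginAccessIdentity"):
            findings.append((dist_id, oid, "legacy OAI still present; OAC should replace it"))
        elif kind == "s3-website":
            findings.append((dist_id, oid, "origin is the S3 website endpoint; the bucket "
                             "must stay public unless moved to the REST endpoint plus OAC"))
    return findings


def public_read_sids(policy):
    """Sids of Allow statements that let any principal read objects."""
    sids = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anyone and any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def oac_bucket_policy(bucket, account_id, dist_id):
    """Bucket policy AWS documents for OAC: only the CloudFront service principal
    may read, and only on behalf of the one named distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{dist_id}"}},
        }],
    }


# Constructed samples: IDs, OAC ID and bucket name are placeholders, not real resources.
SAMPLE_DISTRIBUTIONS = {
    "E1EXAMPLEOAC": {"Origins": {"Items": [{
        "Id": "s3-rest-ok", "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": ""}, "OriginAccessControlId": "E2OACEXAMPLE"}]}},
    "E2EXAMPLENOOAC": {"Origins": {"Items": [{
        "Id": "s3-rest-open", "DomainName": "example-bucket.s3.us-east-1.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": ""}}]}},
    "E3EXAMPLEWEB": {"Origins": {"Items": [{
        "Id": "s3-website", "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "OriginProtocolPolicy": "http-only"}}]}},
}

# The statement the S3 static-website guide hands out, as found on the bucket.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


def audit(distributions=SAMPLE_DISTRIBUTIONS, policy=SAMPLE_POLICY):
    return {"oac": [f for d, c in distributions.items() for f in oac_findings(d, c)],
            "public_read": public_read_sids(policy)}


if __name__ == "__main__":
    result = audit()
    for dist, origin, msg in result["oac"]:
        print(f"{dist}/{origin}: {msg}")
    print("public-read statements:", result["public_read"])
    print(json.dumps(oac_bucket_policy("example-bucket", "123456789012", "E1EXAMPLEOAC"), indent=2))
```

Against live data, replace the two sample dictionaries with the output of `list_distributions` plus `get_distribution_config` and `get_bucket_policy`. The website-endpoint finding is the case the last comment describes: as long as a distribution or a redirect points at `<bucket>.s3-website-<region>.amazonaws.com`, the public-read statement has to stay, because that endpoint never sees the CloudFront service principal; moving the origin to the REST endpoint and attaching OAC is what lets the statement be dropped.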