Closed bwbaker1 closed 3 weeks ago
@wrynearson Any idea on when this can be addressed so that I can let MCP know?
@bwbaker1 is there any deadline we should be aware of? If the OIDC role we have has enough access, we can do that fairly easily. If not, we'll have to coordinate with some folks with MCP access, but it also shouldn't be too difficult.
@wrynearson The deadline is August 16th. I think we can get it extended a bit if needed.
We'll need @jjfrench's support on this, and he'll need access that he currently doesn't have – see https://github.com/NASA-IMPACT/nasa-apt/issues/882#issuecomment-2269856821
Never mind, @jjfrench has access as of Tuesday
@jjfrench Do you have an update on this ticket? This is from MCP today:
@bwbaker1 Sorry, I didn't see the notifications on this ticket. I don't seem to have the necessary permissions in MCP to modify the Origin Access settings to apply this change.
@jjfrench Thank you!
Ah, I was mistaken - elevated permissions do enable this setting - I'll have to request access through NAMS
I received elevated privileges yesterday. OAC now configured for all CloudFront distributions, so we should be passing the control for purposes of this ticket.
I can't remove the "PublicReadGetObject" statement on the algorithm-publication-tool bucket policy though. My assumption would be that the website endpoint is being used somewhere for the redirect rather than the related CloudFront distribution domain name.
Description:
MCP and Tenants have a shared responsibility to ensure compliance with the MCP System Security Plan. AWS Security Hub has identified non-compliance with the OAC configuration for CloudFront distributions using Amazon S3 origins - CloudFront distributions should use OAC.
AWS recommends configuring OAC. OAC restricts access to content in the S3 bucket only through the specified CloudFront distribution, enhancing security by preventing direct access from the bucket to other distributions.
Refer to the Amazon CloudFront Developer Guide for instructions on "Restricting access to an Amazon S3 origin."
Acceptance Criteria:
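The two bucket-policy states discussed in this thread (the "PublicReadGetObject" statement that still needs removing, and the OAC-scoped statement the CloudFront guide prescribes) can be checked mechanically. The following audit script is an added example and is not code from this repository or from AWS; the bucket name, account id and distribution id in the sample policies are constructed placeholders. One caveat worth keeping in mind when reading the last comment: OAC only applies to an origin that points at the bucket's REST endpoint; a distribution whose origin is the S3 website endpoint is treated as a custom origin, so the bucket has to stay publicly readable until that origin is switched, which matches the behaviour described there.

```python
"""Audit an S3 bucket policy for the two conditions raised in the ticket:
1. no public-read statement (Principal "*" with no Condition) remains, and
2. a statement grants s3:GetObject to the CloudFront service principal,
   scoped to one distribution through the AWS:SourceArn condition (OAC).

The sample policies below are constructed for this example; the bucket
name, account id and distribution id are placeholders.
"""
import json

CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_statement(stmt):
    """True for an Allow open to any principal with no Condition attached."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*"
    )
    return wildcard and not stmt.get("Condition")


def is_oac_statement(stmt):
    """True for an Allow of s3:GetObject to the CloudFront service principal
    whose StringEquals condition pins AWS:SourceArn to a distribution ARN."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict) or principal.get("Service") != CLOUDFRONT_PRINCIPAL:
        return False
    if "s3:GetObject" not in _as_list(stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    for key, value in cond.items():
        # Condition key names are case-insensitive in IAM.
        if key.lower() == "aws:sourcearn":
            return any(
                a.startswith("arn:aws:cloudfront::") and ":distribution/" in a
                for a in _as_list(value)
            )
    return False


def audit_bucket_policy(policy):
    """Return (sids_of_public_statements, has_oac_statement)."""
    statements = policy.get("Statement", [])
    public = [s.get("Sid", "<no Sid>") for s in statements if is_public_statement(s)]
    oac = any(is_oac_statement(s) for s in statements)
    return public, oac


# Constructed sample: the policy shape the last comment says is still in place.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

# Constructed sample: the public statement removed, OAC statement in its place.
AFTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
                }
            },
        }
    ],
}

if __name__ == "__main__":
    for name, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        public, oac = audit_bucket_policy(policy)
        print(name, json.dumps({"public_statements": public, "oac_present": oac}))
```

Run against a real policy by loading the JSON returned by `aws s3api get-bucket-policy --query Policy --output text` into `audit_bucket_policy`; a non-empty first element means the bucket is still world-readable, and a `False` second element means no distribution-scoped grant exists yet.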