Open mikegrima opened 1 year ago
To remove S3 bucket root policy, set skip_bucket_root_access=true under the remote state config.
In either case, terragrunt should not attempt to add this policy in.
Just chatted with the S3 team about this and apparently their S3 bucket policy change logic ONLY affects DENY policies and NOT allow policies. As such, this is not a security problem, but is lint on the policy.
Permitting the account root is a noop and doesn't actually do anything. Thus, this is low priority.
Hello:
EDIT: This only affects deny policies. Allow policies on the account root is lint and does nothing, so it's not harmful to have on the bucket policy, but doesn't help the policy either.
AWS has sent out notices to their customers that S3 bucket policies permitting the same-account root account principal:
arn:aws:iam::BUCKET-OWNING-ACCOUNT:root
will have a logic change with serious security impacts. Before June 2023, this policy is a no-op. It has no effect as the root
principal of the account has full access to all resources within it, and IAM on the account has the authority to delegate access to the buckets via Roles, Users, Managed Policies, and Groups. After June of 2023, the policy change will apply to all IAM Principals in that account instead of applying to only the account's root identity.
This means that any S3 bucket with the same/bucket-owning account root ARN principal will be accessible by any and all IAM principals in the AWS account that the S3 bucket resides in!
This affects the state S3 bucket! The code here will place this policy on the state bucket: https://github.com/gruntwork-io/terragrunt/blob/a9df21fae6041de444a3a66154f7ccda97548ba4/remote/remote_state_s3.go#L834-L909
Unfortunately, AWS has not documented this publicly, but the email that many customers are receiving looks like this:
We have gone through and internally removed these policies from all of our S3 buckets. However, doing this will result in the following notice from Terragrunt:
The code for adding the same-account root access should be removed.
Versions
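As an added example (not code from this issue, and not terragrunt's own code): a small Go program that parses an S3 bucket policy and reports every statement whose Principal names the bucket-owning account's root ARN, separating Allow statements (the no-op lint case discussed above) from Deny statements (the case the S3 logic change affects). The policy document, the account ID 111122223333, and the function names are constructed for the example; it assumes the Statement element is written as a list, which is the common form.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one policy statement that names the bucket-owning account's root principal.
type Finding struct{ Sid, Effect, Note string }

// statement keeps only the fields needed here. Principal stays raw because it may be
// the string "*" or an object whose values are a single string or a list of strings.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
}

// principalARNs flattens a Principal element into its string values.
func principalARNs(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil // statement without a Principal: nothing to match
	}
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return []string{s}, nil // e.g. "*"
	}
	var obj map[string]json.RawMessage // keys such as AWS, Service, Federated
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, fmt.Errorf("unsupported Principal: %s", raw)
	}
	var out []string
	for _, v := range obj {
		var one string
		if err := json.Unmarshal(v, &one); err == nil {
			out = append(out, one)
			continue
		}
		var many []string
		if err := json.Unmarshal(v, &many); err != nil {
			return nil, fmt.Errorf("unsupported Principal value: %s", v)
		}
		out = append(out, many...)
	}
	return out, nil
}

// FindSameAccountRoot reports each statement whose Principal names
// arn:aws:iam::<accountID>:root, accountID being the bucket-owning account.
// Allow is a no-op for the account root and is reported as lint; Deny is
// flagged because that is the case the S3 policy logic change applies to.
func FindSameAccountRoot(policyJSON, accountID string) ([]Finding, error) {
	var p struct {
		Statement []statement `json:"Statement"` // assumed to be a list (the usual form)
	}
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	rootARN := "arn:aws:iam::" + accountID + ":root"
	var findings []Finding
	for _, st := range p.Statement {
		arns, err := principalARNs(st.Principal)
		if err != nil {
			return nil, err
		}
		for _, a := range arns {
			if a != rootARN {
				continue
			}
			note := "Allow for same-account root is a no-op; remove it as lint"
			if st.Effect == "Deny" {
				note = "Deny naming same-account root: affected by the S3 logic change, review before keeping"
			}
			findings = append(findings, Finding{Sid: st.Sid, Effect: st.Effect, Note: note})
		}
	}
	return findings, nil
}

// SamplePolicy is constructed for this example; it is not the policy terragrunt writes.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RootAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-state"},
    {"Sid": "EnforceTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-state/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyDeleteForRoot", "Effect": "Deny",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:user/alice"]},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-state/*"}
  ]
}`

func main() {
	findings, err := FindSameAccountRoot(SamplePolicy, "111122223333")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-5s %-17s %s\n", f.Effect, f.Sid, f.Note)
	}
}
```

Run against the constructed policy it reports the Allow statement as lint and the Deny statement that lists the root ARN as affected, while the Deny with Principal "*" and a root ARN from any other account are left alone. The same check can be pointed at the state bucket's live policy after setting skip_bucket_root_access=true to confirm the Allow statement is gone.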