hackoregon / devops-17

deployment tools for Hack Oregon projects

Lock down all hacko-[project]-config buckets #48

Open MikeTheCanuck opened 7 years ago

MikeTheCanuck commented 7 years ago

Currently it appears that the S3 config buckets (e.g. hacko-budget-config) are readable by Authenticated Users.

This isn't a big deal for the moment but as soon as we have production secrets there we'll need to make sure that only the AWS IAM ID and ECS cluster have the ability to read from each of these buckets.

I've looked into the bucket-level permissions and we should be able to lock these down with an AWS Policy such as you can author here: http://awspolicygen.s3.amazonaws.com/policygen.html

These are the fields we need to fill in: [image]

Presumably we'll need to add two ARNs:

I don't currently have sufficient authorization to determine which IAM user represents e.g. the AWS_ACCESS_KEY_ID used by the team-budget Travis repo, so at the moment I haven't proceeded with implementing this policy in the hacko-budget-config repo to enable me to test that the Travis build still succeeds.
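One way to express the lock-down described in this issue in code, added here as an example and not code from the devops-17 repo: an audit helper that flags the "readable by Authenticated Users" ACL grant the issue mentions, and a builder for the bucket policy the policy generator would produce once the two principal ARNs are known. The bucket name follows the page's `hacko-[project]-config` pattern; the account id and the two ARNs (the Travis IAM user and the ECS cluster role) are placeholders, since the page does not state them, and the sample ACL is constructed to mirror the issue.

```python
import json

# Constructed placeholders: the real account id and principal ARNs are not on the page.
BUCKET = "hacko-budget-config"
TRAVIS_USER_ARN = "arn:aws:iam::123456789012:user/PLACEHOLDER-travis-team-budget"
ECS_ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-ecs-cluster-role"

# Well-known S3 ACL group URIs; a grant to either one is what "Authenticated Users" /
# "Everyone" means in the console.
AUTH_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed ACL in the shape returned by `aws s3api get-bucket-acl`, reproducing the
# situation in the issue: owner has FULL_CONTROL, and any authenticated AWS user can READ.
SAMPLE_ACL = {
    "Owner": {"ID": "PLACEHOLDER-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS_GROUP}, "Permission": "READ"},
    ],
}


def broad_group_grants(acl):
    """Return (group name, permission) for every grant to AllUsers or AuthenticatedUsers.

    An empty list means the ACL grants nothing beyond named canonical users.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (AUTH_USERS_GROUP, ALL_USERS_GROUP):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def build_bucket_policy(bucket, principal_arns):
    """Bucket policy allowing only `principal_arns` to read config, denying every other principal.

    The explicit Deny uses the aws:PrincipalArn condition key, so the list must also contain
    whichever admin principal maintains the bucket, or that admin loses access too.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    arns = list(principal_arns)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowConfigReaders",
                "Effect": "Allow",
                "Principal": {"AWS": arns},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": arns}},
            },
        ],
    }


def allowed_principals(policy):
    """Collect every principal named in an Allow statement; '*' means the policy is still open."""
    principals = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        p = stmt["Principal"]
        if p == "*":
            principals.add("*")
        else:
            aws = p.get("AWS", [])
            principals.update([aws] if isinstance(aws, str) else aws)
    return principals


if __name__ == "__main__":
    print("ACL grants to broad groups:", broad_group_grants(SAMPLE_ACL))
    policy = build_bucket_policy(BUCKET, [TRAVIS_USER_ARN, ECS_ROLE_ARN])
    print(json.dumps(policy, indent=2))
```

The policy alone does not remove the ACL grant the issue describes; after applying it with `aws s3api put-bucket-policy --bucket hacko-budget-config --policy file://policy.json`, reset the ACL with `aws s3api put-bucket-acl --bucket hacko-budget-config --acl private` and confirm with `aws s3api get-bucket-acl` that `broad_group_grants` would return an empty list. Test the Travis build afterwards, as the issue intends, before repeating for the other `hacko-[project]-config` buckets.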