Currently it appears that the S3 config buckets (e.g. hacko-budget-config) are readable by Authenticated Users.
This isn't a big deal for the moment, but as soon as we have production secrets there we'll need to make sure that only the AWS IAM ID and ECS cluster have the ability to read from each of these buckets.
I've looked into the bucket-level permissions and we should be able to lock these down with an AWS Policy such as you can author here: http://awspolicygen.s3.amazonaws.com/policygen.html
These are the fields we need to fill in:
Presumably we'll need to add two ARNs:
the ARN corresponding to the IAM user that matches the AWS_ACCESS_KEY_ID that each backend project's Travis repo has been configured to use in the getconfig.sh script
I don't currently have sufficient authorization to determine which IAM user represents e.g. the AWS_ACCESS_KEY_ID used by the team-budget Travis repo, so at the moment I haven't proceeded with implementing this policy in the hacko-budget-config repo to enable me to test that the Travis build still succeeds.
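The following is an added example, not code from the original issue or the hacko-budget-config repo. It builds the kind of bucket policy the issue describes (read access restricted to named principals) and audits a bucket ACL for the grant that makes a bucket readable by Authenticated Users. The account ID, the IAM user name `travis-team-budget` and the role name `team-budget-ecs-task` are placeholder assumptions; the real ARNs are exactly what the issue says still need to be determined. Identifying the ECS side by a task IAM role ARN is also an assumption, since a bucket policy principal has to be an IAM identity rather than a cluster.

```python
"""Added example (not the project's code): least-privilege S3 config bucket policy
plus an ACL audit for the AuthenticatedUsers/AllUsers grants. All ARNs are placeholders."""
import json

# S3 predefined group URIs; a READ grant to either makes the bucket listable
# by every AWS account (AuthenticatedUsers) or by anyone at all (AllUsers).
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BROAD_GROUPS = {AUTHENTICATED_USERS, ALL_USERS}

# Constructed placeholders: the real account ID, user and role names are not known.
TRAVIS_USER_ARN = "arn:aws:iam::123456789012:user/travis-team-budget"
ECS_TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/team-budget-ecs-task"


def build_config_bucket_policy(bucket, principal_arns):
    """Return a bucket policy document allowing only principal_arns to list and read
    the bucket, and denying any request that does not use TLS."""
    if not principal_arns:
        raise ValueError("at least one principal ARN is required")
    bucket_arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConfigReadersOnly",
                "Effect": "Allow",
                "Principal": {"AWS": sorted(principal_arns)},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
            {
                "Sid": "DenyPlaintextTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, bucket_arn + "/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def broad_acl_grants(acl):
    """Return (group URI, permission) pairs granted to AllUsers or AuthenticatedUsers.
    `acl` has the shape returned by `aws s3api get-bucket-acl`."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in BROAD_GROUPS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def policy_allows_anyone(policy):
    """True if any Allow statement names the wildcard principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or "*" in ([aws] if isinstance(aws, str) else aws):
                return True
    return False


# Constructed sample ACL: the owner plus the READ grant that this issue is about.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("broad ACL grants:", broad_acl_grants(SAMPLE_ACL))
    policy = build_config_bucket_policy("hacko-budget-config",
                                        [TRAVIS_USER_ARN, ECS_TASK_ROLE_ARN])
    print(json.dumps(policy, indent=2))
```

One caveat worth keeping in mind when applying this: a bucket policy adds grants, it does not revoke ACL grants, and an explicit READ grant to the AuthenticatedUsers group lives in the bucket ACL. Attaching the policy alone would therefore leave the bucket listable by any AWS account; the ACL grant has to be removed as well (for example by resetting the bucket to the `private` canned ACL with `aws s3api put-bucket-acl`), which is what the `broad_acl_grants` check is meant to confirm before and after.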