openraven / security-rules

Magpie security rules for AWS and GCP security configurations with policies mapping those rules to standards such as AWS CIS Benchmarks, PCI and HIPAA.
Apache License 2.0

S3 bucket replication JobStatus #7

Open belosh59 opened 3 years ago

belosh59 commented 3 years ago

In the current API implementation of AWS Replication jobs for S3 buckets there is no Global flag indicating whether Replication passed successfully or failed.

For now, for each object in S3 there is an attribute, replication status, which reflects the replication state of the specified object: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-status.html That could make sense if replication is not an atomic action and tries to replicate as many objects as possible. Object replication failure could be caused by ACL and other security and availability rules making it inaccessible for replication. (Todo: double check that statement)

Assuming the above, we would need to grab the metadata of all objects in all buckets for the specified region.

[Screenshot 2021-07-30 at 16 09 34]

On the bucket level it is just the configuration for the replication rule, for example surprise-bucket:

```json
{
  "replicationConfiguration": {
    "role": "arn:aws:iam::723176279592:role/jason-test-moped-MasterIamRole-JWNLPBPWH90W",
    "rules": [
      {
        "id": "test-rule-id",
        "filter": {
          "and": null,
          "tag": null,
          "prefix": null
        },
        "prefix": null,
        "status": "Enabled",
        "priority": 0,
        "destination": {
          "bucket": "arn:aws:s3:::gutenberg-project-saved-texts",
          "account": null,
          "metrics": null,
          "storageClass": null,
          "replicationTime": null,
          "encryptionConfiguration": null,
          "accessControlTranslation": null
        },
        "deleteMarkerReplication": {
          "status": "Disabled"
        },
        "sourceSelectionCriteria": null,
        "existingObjectReplication": null
      }
    ]
  }
}
```
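Since the bucket-level configuration only says whether a rule is enabled, a rule that wants to know whether replication actually succeeded has to read the per-object replication status, as the comment above describes. The following is an added example (not code from openraven/security-rules) that evaluates a bucket from two inputs: the replication configuration in the lowerCamelCase shape shown in this issue, and a list of per-object dicts in the shape boto3's `head_object` returns (`Key`, `ReplicationStatus`). All sample data is constructed; the role ARN is a placeholder. Because the AWS header documentation and the boto3 enum spell the success state differently, both `COMPLETE` and `COMPLETED` are accepted (an assumption about what a live response may contain). The `collect_object_heads` helper shows the live collection path against an assumed boto3 client and is not exercised by the offline run.

```python
"""Per-object S3 replication status check (added example, not project code)."""
from collections import Counter

# Values of the x-amz-replication-status header / boto3 ReplicationStatus.
# Both spellings of the success state are accepted (assumption: either may
# appear depending on API path and SDK version).
COMPLETE_STATES = {"COMPLETE", "COMPLETED"}
FAILED = "FAILED"

# Constructed bucket configuration, same shape as the issue's example;
# the role ARN is a placeholder, not a real identifier.
SAMPLE_REPLICATION_CONFIGURATION = {
    "role": "arn:aws:iam::000000000000:role/PLACEHOLDER-replication-role",
    "rules": [
        {
            "id": "test-rule-id",
            "status": "Enabled",
            "priority": 0,
            "destination": {"bucket": "arn:aws:s3:::example-destination-bucket"},
            "deleteMarkerReplication": {"status": "Disabled"},
        }
    ],
}

# Constructed head_object-style results; the last object carries no status,
# which is what an object outside any replication rule looks like.
SAMPLE_OBJECT_HEADS = [
    {"Key": "texts/alice.txt", "ReplicationStatus": "COMPLETED"},
    {"Key": "texts/bob.txt", "ReplicationStatus": "COMPLETE"},
    {"Key": "texts/carol.txt", "ReplicationStatus": "PENDING"},
    {"Key": "texts/dave.txt", "ReplicationStatus": "FAILED"},
    {"Key": "legacy/old.txt"},
]


def rule_enabled(replication_configuration):
    """True when at least one replication rule on the bucket is Enabled."""
    rules = (replication_configuration or {}).get("rules") or []
    return any(rule.get("status") == "Enabled" for rule in rules)


def summarize_replication(object_heads):
    """Count replication states across head_object-style dicts.

    Objects without a ReplicationStatus are not covered by any rule (they
    pre-date it or do not match its filter); they are counted separately as
    NOT_REPLICATED so the gap is visible instead of silently ignored.
    """
    counts = Counter()
    failed_keys = []
    for head in object_heads:
        status = head.get("ReplicationStatus")
        if status is None:
            counts["NOT_REPLICATED"] += 1
        elif status in COMPLETE_STATES:
            counts["COMPLETED"] += 1
        elif status == FAILED:
            counts["FAILED"] += 1
            failed_keys.append(head["Key"])
        else:
            counts[status] += 1  # PENDING, REPLICA, or anything new
    return {"counts": dict(counts), "failed_keys": failed_keys}


def evaluate_bucket(bucket_name, replication_configuration, object_heads):
    """Single pass/fail finding: a rule must be enabled and no object FAILED.

    PENDING objects are reported but do not fail the bucket, because
    replication is asynchronous (design choice for this example).
    """
    summary = summarize_replication(object_heads)
    enabled = rule_enabled(replication_configuration)
    failed = summary["counts"].get("FAILED", 0)
    return {
        "bucket": bucket_name,
        "replication_rule_enabled": enabled,
        "compliant": enabled and failed == 0,
        "summary": summary,
    }


def collect_object_heads(s3_client, bucket_name):
    """Live collection path (assumes a boto3 S3 client; not run offline).

    list_objects_v2 does not return ReplicationStatus, so one head_object
    call per key is needed, which is the per-object cost the issue points at.
    """
    heads = []
    paginator = s3_client.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket_name):
        for obj in page.get("Contents", []):
            head = s3_client.head_object(Bucket=bucket_name, Key=obj["Key"])
            heads.append({"Key": obj["Key"],
                          "ReplicationStatus": head.get("ReplicationStatus")})
    return heads


if __name__ == "__main__":
    print(evaluate_bucket("surprise-bucket",
                          SAMPLE_REPLICATION_CONFIGURATION, SAMPLE_OBJECT_HEADS))
```

On the constructed sample the bucket is reported non-compliant: the rule is enabled, but one object is FAILED and one object was never covered by the rule. A real rule would fetch the configuration with `get_bucket_replication` and the per-object heads with `collect_object_heads`, then feed both to `evaluate_bucket`.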
curphey commented 3 years ago

Is this issue in the wrong repo?

curphey commented 3 years ago

I think this is in the wrong repo?