Posted to commits@datalab.apache.org by ol...@apache.org on 2022/03/14 13:19:38 UTC
[incubator-datalab] branch security/DLAB-2883 updated: encryption in transit bucket policy
This is an automated email from the ASF dual-hosted git repository.
olehmykolaishyn pushed a commit to branch security/DLAB-2883
in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
The following commit(s) were added to refs/heads/security/DLAB-2883 by this push:
new 16d16ad encryption in transit bucket policy
16d16ad is described below
commit 16d16add6ad8f9afa4a93571eb454030801ad6eb
Author: oleh_mykolaishyn <ow...@gmail.com>
AuthorDate: Mon Mar 14 15:19:22 2022 +0200
encryption in transit bucket policy
---
.../src/general/lib/aws/actions_lib.py | 26 ++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
index a22c90a1..d74b6dc 100644
--- a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
+++ b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
@@ -98,6 +98,32 @@ def create_s3_bucket(bucket_name, bucket_tags, region, bucket_name_tag, bucket_v
'RestrictPublicBuckets': True
})
+ # Configuring bucket policy to ensure encryption in transit
+ bucket_policy = {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "Principal": {"AWS": "*"},
+ "Action": "s3:*",
+ "Resource": [
+ f"arn:aws:s3:::{bucket_name}",
+ f"arn:aws:s3:::{bucket_name}/*"
+ ],
+ "Condition": {
+ "Bool": {"aws:SecureTransport": "false"}
+ }
+ }]
+ }
+
+ # Convert the policy from Json dict to string
+ bucket_policy = json.dumps(bucket_policy)
+
+ boto3.client('s3', config=botoConfig(signature_version='s3v4')).put_bucket_policy(
+ Bucket=bucket_name,
+ Policy=bucket_policy
+ )
+
tags = list()
tags.append({'Key': os.environ['conf_tag_resource_id'],
'Value': os.environ['conf_service_base_name'] + ':' + bucket_name_tag})
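Review bot: The S3 client on the `boto3.client('s3', config=botoConfig(...))` line is created without `region_name`, although `create_s3_bucket` receives `region` and the bucket was presumably created in it; on the regional mismatch S3 can answer `put_bucket_policy` with a redirect/location error, so pass the region through: `boto3.client('s3', region_name=region, config=botoConfig(signature_version='s3v4')).put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(bucket_policy))`. The call has no error handling, so a failure (for example a deployment role lacking `s3:PutBucketPolicy`) leaves a bucket that was created and public-access-blocked but never received the deny-insecure-transport policy, silently weakening the intended control; either let the exception propagate deliberately with a comment saying so, or handle it the way the surrounding bucket calls do (their handling is outside the hunk). `put_bucket_policy` replaces the whole bucket policy, so a comment such as `# Replaces any existing bucket policy; merge here if other statements are added later` would save the next maintainer from a clobbered policy. The hunk assumes `json` and `botoConfig` are already imported at module level, which cannot be confirmed from here, and `create_s3_bucket` starts and ends outside the hunk.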