Posted to commits@datalab.apache.org by ol...@apache.org on 2022/03/14 13:19:38 UTC

[incubator-datalab] branch security/DLAB-2883 updated: encryption in transit bucket policy

This is an automated email from the ASF dual-hosted git repository.

olehmykolaishyn pushed a commit to branch security/DLAB-2883
in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git


The following commit(s) were added to refs/heads/security/DLAB-2883 by this push:
     new 16d16ad  encryption in transit bucket policy
16d16ad is described below

commit 16d16add6ad8f9afa4a93571eb454030801ad6eb
Author: oleh_mykolaishyn <ow...@gmail.com>
AuthorDate: Mon Mar 14 15:19:22 2022 +0200

    encryption in transit bucket policy
---
 .../src/general/lib/aws/actions_lib.py             | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
index a22c90a1..d74b6dc 100644
--- a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
+++ b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
@@ -98,6 +98,32 @@ def create_s3_bucket(bucket_name, bucket_tags, region, bucket_name_tag, bucket_v
                 'RestrictPublicBuckets': True
             })
 
+        # Configuring bucket policy to ensure encryption in transit
+        bucket_policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Deny",
+                    "Principal": {"AWS": "*"},
+                    "Action": "s3:*",
+                    "Resource": [
+                        f"arn:aws:s3:::{bucket_name}",
+                        f"arn:aws:s3:::{bucket_name}/*"
+                    ],
+                    "Condition": {
+                        "Bool": {"aws:SecureTransport": "false"}
+                    }
+                }]
+        }
+
+        # Convert the policy from Json dict to string
+        bucket_policy = json.dumps(bucket_policy)
+
+        boto3.client('s3', config=botoConfig(signature_version='s3v4')).put_bucket_policy(
+            Bucket=bucket_name,
+            Policy=bucket_policy
+        )
+
         tags = list()
         tags.append({'Key': os.environ['conf_tag_resource_id'],
                      'Value': os.environ['conf_service_base_name'] + ':' + bucket_name_tag})
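Review bot: The S3 client built on the `boto3.client('s3', ...)` line is created without a region even though `create_s3_bucket` receives `region` as a parameter, so the policy call relies on botocore's region-redirect handling rather than targeting the bucket's region directly; passing it explicitly, `boto3.client('s3', region_name=region, config=botoConfig(signature_version='s3v4')).put_bucket_policy(`, removes that dependency. `put_bucket_policy` also replaces the bucket's whole policy, which is presumably harmless here because the bucket was just created by this function, but a comment saying so would keep a later edit from silently clobbering a policy attached elsewhere, e.g. `# Replaces any existing bucket policy; safe only because the bucket was created just above`. The hunk assumes `json` and `botoConfig` are already imported in the module, which is not visible here. `create_s3_bucket` starts before and continues past the hunk, so whether a failed `put_bucket_policy` is caught and reported is outside what this hunk shows.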
