k9 Security is happy to share a new Terraform module to help you protect your data in AWS S3 and go fast, safely. The tf_s3_bucket Terraform module creates an AWS S3 bucket with safe defaults and a least privilege bucket policy built on the k9 access capability model. This library is designed to help Cloud teams create secure and robust S3 configurations, quickly and confidently.

The Problem

There are several problems engineers must solve when securing data in an S3 bucket, especially when sharing an AWS account. To secure your data, you’ll need to:

  1. configure several distinct S3 resources: the bucket, the bucket policy, ‘block public access’ configurations
  2. create security policies that allow access by authorized principals and deny everyone else
  3. adjust standard Terraform resource configurations which generally mirror AWS API defaults to current best practice
  4. capture enough context to scale security, governance, risk, and compliance activities efficiently

Configuring your intended access can be especially difficult. First there are complicated interactions between IAM and resource policies. Second, IAM policies without resource conditions (e.g. AWS Managed Policies) overprovision access to all resources of that API resource type. Learn more about why writing these security policies is hard in this blog post or video. A primary access control goal is to prevent an exploit of one application leading to the breach of another application’s data, e.g. a firewall role being used to steal credit application data.

This is difficult and time consuming.

We are fixing that.

Our Solution

The tf_s3_bucket module addresses these problems by helping you declare your intent and letting the module worry about the details of configuring S3. Specify context about your use case and intended access, then the module will:

  • create a bucket named using your context
  • generate a least privilege bucket policy
  • configure encryption
  • apply appropriate tags
  • configure access logging
  • and more

This module’s key innovation is defining who should have access to the bucket in terms of k9’s access capability model. The k9 access capability model is designed to be understandable by the entire Cloud team, not just AWS Security Experts. Instead of writing a least privilege access policy directly in terms of API actions like s3:GetObject, you declare which people or applications should be able to:

  • administer-resource
  • read-data
  • write-data
  • delete-data

The module supports managing a bucket or generating a policy for use with a bucket managed by other code.

Let’s see what managing a bucket looks like. Consider a bucket that will be used to store credit applications and that we want to enable the following access:

  • allow the ci IAM user to administer the bucket
  • allow the credit-processor role to read and write data from the bucket
  • deny all other access (this is the tricky bit!)

We might instantiate the module like this:

module "s3_bucket" {
  source = "git@github.com:k9securityio/tf_s3_bucket.git?ref=v0.1.0"

  # the logical name for the use case, e.g. docs, reports, media, backups
  logical_name = "credit-applications"
  # the region to create the bucket in
  region       = "us-east-1"

  # the name of the bucket to log to, e.g. my-logs-bucket
  logging_target_bucket = "my-logs-bucket"

  org   = "bank"
  owner = "credit"
  env   = "prod"
  app   = "credit-processor"

  # specify who _should_ have access
  allow_administer_resource_arns = ["arn:aws:iam::12345678910:user/ci"]
  allow_read_data_arns           = ["arn:aws:iam::12345678910:role/credit-processor"]
  allow_write_data_arns          = ["arn:aws:iam::12345678910:role/credit-processor"]
}
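To make the capability model concrete, here is an added Python example (not the module's own code) that turns the declarations above into a bucket policy of the shape the module generates: one Allow statement per capability and one explicit Deny covering every principal not listed, which is the "deny all other access" step. The capability-to-action mapping and the evaluate helper are assumptions for illustration; k9's real mapping covers many more actions.

```python
# Capability-to-action mapping assumed for this example; k9's real model
# covers many more actions. The four capability names are the page's own.
CAPABILITY_ACTIONS = {
    "administer-resource": ["s3:GetBucketPolicy", "s3:PutBucketPolicy",
                            "s3:PutBucketPublicAccessBlock"],
    "read-data": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
    "write-data": ["s3:PutObject", "s3:AbortMultipartUpload"],
    "delete-data": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
}


def _resources(bucket, actions):
    """Object-level actions target bucket/*; bucket-level ones target the bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return sorted({bucket_arn + "/*" if ("Object" in a or "Multipart" in a)
                   else bucket_arn for a in actions})


def build_bucket_policy(bucket, allow):
    """allow maps a capability name to the principal ARNs that should hold it."""
    statements = []
    for cap, arns in allow.items():
        if arns:  # one Allow per capability that has at least one principal
            acts = CAPABILITY_ACTIONS[cap]
            statements.append({"Sid": "Allow" + cap.title().replace("-", ""),
                               "Effect": "Allow", "Principal": {"AWS": sorted(arns)},
                               "Action": acts, "Resource": _resources(bucket, acts)})
    # The "deny all other access" step: an explicit Deny for any principal not
    # listed above. It beats any Allow an IAM policy elsewhere in the account
    # grants, and aws:PrincipalArn resolves a role session to its role ARN.
    everyone_listed = sorted({a for arns in allow.values() for a in arns})
    statements.append({
        "Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": everyone_listed}}})
    return {"Version": "2012-10-17", "Statement": statements}


def evaluate(policy, principal_arn, action):
    """Minimal evaluator for this policy shape: a matching Deny wins, else an Allow is needed."""
    allowed = False
    for s in policy["Statement"]:
        if s["Effect"] == "Deny":
            if principal_arn not in s["Condition"]["ArnNotEquals"]["aws:PrincipalArn"]:
                return False  # s3:* covers every S3 action
        elif principal_arn in s["Principal"]["AWS"] and action in s["Action"]:
            allowed = True
    return allowed
```

The Deny applies to the identity that runs Terraform as well, so that identity (here the ci user) must itself be in an allow list or the apply can lock it out of the bucket.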

This module is designed to be understood by all the people on your Cloud application delivery team, platform team, and security team. It automates configuration of S3 according to security best practice. Additionally, it captures the context your team needs to help governance and finance teams get their jobs done.

Can we help?

We are happy to help you protect your data with this module for S3 bucket or policy management and incorporate your feedback.

This module is currently at MVP status, v0.1.0. We will incorporate feedback over the next few weeks on our way to v1.0.0 targeted for the end of June.

What’s good, bad, difficult, easy?

Stephen

k9 Security