IAM and bucket policy for S3 access

I noticed that all of the tutorials i found for Discourse S3 access granted the user absolute authority over the bucket – they allow ‘s3:*’ authority.

This is an extremely unwise policy, since it allows significantly more control over the bucket than is reasonable. Should you be using S3 for Discourse backup storage, a rampaging attacker would be able to delete your bucket and your backups on the way out.

There are two ways to combat this: One, a tighter policy…

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*",
                "s3:AbortMultipartUpload",                
                "s3:DeleteObject",               
                "s3:PutObject"               
            ],
            "Resource": [
                "arn:aws:s3:::whatever-bucket",
                "arn:aws:s3:::whatever-bucket/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

… and two, apply some sensible precautions to the bucket policy. (This is actually well beyond what the actual minimum would need to be, but I was in a hurry and didn’t have time to experiment, and it’s better than what I found.) I’d recommend turning on versioning, and then setting a lifecycle rule for “previous versions” that sees them reaped after a reasonable time, like 21 days. The given policy would permit log rotation and file deletion, but it would not allow the S3-credentialed user access to restore or purge previous versions, and that means that although they could delete a backup, a rampaging attacker couldn’t wipe it from the version history before an administrator with root credentials could salvage it.

Thanks!

5 Likes

This is good advice, certainly, but I’m unsure Discourse should really be considered responsible for giving out advice about S3 best practices?

We could put a note / reminder in the help text for the field, if it can be kept short.

Oh, I’m sorry – I wasn’t trying to suggest you /should/ be; certainly I don’t know where you’d put it. I just found that when I Googled “Discourse S3 IAM” all of the example policies were the same awful wide-open one, so I’m reporting what I did instead of that.

(That’s why I seperated this thread from the other.)

Were those examples here on meta.discourse.org? If they’re in a #howto you might be able to edit them, or you could draft your own and get it moved into #howto:sysadmin.

My take on this is that our responsibility for S3 advice is about the same as our advice on things like TLS configs (which we do update on occasion). We should try to stay “safe by default”, because we know that just about everyone’s going to blindly use whatever we suggest, because very few people know what any of this magic actually does. Our as-close-to-official-as-we-get guide on setting up S3 does suggest using the wide-open policy, so I’ll fix that up to be more sensible.

@Asher_Densmore-Lynn: if you find any other examples of problematic IAM policies floating around anywhere we can control (here on meta, git repos under the discourse GitHub user, that sort of thing), feel free to let us (me) know (with a specific reference to what’s problematic; everyone’s Google search results are different), and I’ll get it fixed.

7 Likes

Sure, and thanks! I hope you add the part about the bucket versioning – keeping your backups safe from catastrophe is hard to do when you have to allow rotation and deletion. If you need me to go into more detail or explain it better I’ll be happy to oblige.

One thing to bear in mind is that the howto I linked above is about asset upload, not backups. The policy required for that is likely to be somewhat different to one required for backups. Also, that howto assumes that Discourse will be creating the bucket, and adding instructions on manually adding versioning and rotation would significantly complicate what is already a bit of a bear of a process. If the versioning/rotation settings can be set at creation time (without opening up the IAM policy to allow an attacker to remove those attributes later), then a PR to Discourse to add that ability (even by default) wouldn’t be a bad idea. Otherwise, I think it’s best if you write a separate “Discourse S3 201: Securitay!” topic, that can be linked from the main howto.

2 Likes

I looked at that setup guide – be aware that that bucket creation will fail with those permissions. You’ll want to add s3:CreateBucket if that’s something you want to keep.

2 Likes

I already added that action.

2 Likes