merefield
(Robert)
September 13, 2018, 5:52pm
1
Getting an Access Denied issue in the error log … which seems to be causing Sidekiq to stay paused after backups!! (which is interesting on its own) - is my IAM access policy not generous enough?:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-discourse-backups"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-discourse-backups/*"
      ]
    }
  ]
}
merefield
(Robert)
September 13, 2018, 6:01pm
2
Going to try an element of this policy here:
I noticed that all of the tutorials I found for Discourse S3 access granted the user absolute authority over the bucket – they allow ‘s3:*’ authority.
This is an extremely unwise policy, since it allows significantly more control over the bucket than is reasonable. Should you be using S3 for Discourse backup storage, a rampaging attacker would be able to delete your bucket and your backups on the way out.
There are two ways to combat this: One, a tighter policy…
{
"Version": "2012-10-17",…
merefield
(Robert)
September 13, 2018, 6:14pm
3
Went with policy in the guide, will monitor for a few days before accepting this as solution:
merefield
(Robert)
September 16, 2018, 11:31am
4
Actually, I had to use a slightly different policy to make mine work.
I had to add:
"s3:GetBucketLocation",
My top-level one now looks like:
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:HeadBucket",
      "s3:GetBucketLocation",
      "s3:ListAllMyBuckets"
    ],
    "Resource": "*"
  },
But otherwise based on:
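As an added example (not code from the thread, the linked guide or Discourse itself), here is an offline check of the kind a practitioner would run before trusting a backup policy: it builds the policy posted above (with the first statement as amended in the later post), compares it with the "s3:*" grant the guide warns against and with a wildcard grant guarded by an explicit Deny, and reports which S3 operations each one permits on the bucket. The bucket name is the one from the thread; the object key, the lists of required and destructive actions, and the small evaluator are my own assumptions. The evaluator only models Allow/Deny with `*` and `?` wildcards (no Condition, NotAction, NotResource or bucket policies), so `aws iam simulate-principal-policy` remains the authoritative test against a real account.

```python
"""Offline least-privilege audit for an S3 backup IAM policy (added example)."""
import fnmatch

BUCKET = "my-discourse-backups"                 # bucket name from the thread
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/2018-09-13-backup.tar.gz"   # constructed object key

# Policy as posted above, first statement as amended in the later post.
BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:HeadBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": [f"{BUCKET_ARN}/*"]},
    ],
}

# The over-broad grant the linked guide warns against (constructed).
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Same wildcard grant, but with an explicit Deny on destructive actions
# (constructed): still broader than needed, but shows that Deny wins.
GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:Delete*", "s3:PutBucketPolicy"],
         "Resource": "*"},
    ],
}

# What the backup job needs, paired with the ARN each action is authorised
# against (bucket-level vs object-level), and what it must never be able to do.
REQUIRED = [
    ("s3:GetBucketLocation", BUCKET_ARN),
    ("s3:ListBucket", BUCKET_ARN),
    ("s3:PutObject", OBJECT_ARN),
    ("s3:GetObject", OBJECT_ARN),
]
FORBIDDEN = [
    ("s3:DeleteBucket", BUCKET_ARN),
    ("s3:DeleteObject", OBJECT_ARN),
    ("s3:PutBucketPolicy", BUCKET_ARN),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Core IAM rule: an explicit Deny wins, otherwise any matching Allow
    grants access, otherwise implicit deny. Action names are matched
    case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False            # Deny overrides every Allow
        allowed = True
    return allowed


def audit(policy):
    """Return (missing, excess): required grants the policy lacks, and
    destructive grants a backup writer should not have."""
    missing = [a for a, r in REQUIRED if not is_allowed(policy, a, r)]
    excess = [a for a, r in FORBIDDEN if is_allowed(policy, a, r)]
    return missing, excess


if __name__ == "__main__":
    for name, pol in (("posted policy", BACKUP_POLICY),
                      ("s3:* policy", WILDCARD_POLICY),
                      ("s3:* with Deny guard", GUARDED_POLICY)):
        missing, excess = audit(pol)
        print(f"{name}: missing={missing} excess={excess}")
```

The posted policy audits clean (nothing missing, nothing destructive), the bare "s3:*" policy grants every destructive action, and the Deny-guarded variant blocks them even though its Allow matches. Note that this scoring says nothing about whether the IAM user also holds other attached policies; check the effective permissions of the principal, not just one document.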
system
(system)
Closed
October 16, 2018, 11:41am
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.