Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Error: Glacier Vault access policy is public and not restricted to specific services or principals
Bridgecrew Policy ID: BC_AWS_GENERAL_90
Checkov Check ID: CKV_AWS_167
Severity: MEDIUM
Glacier Vault access policy is public and not restricted to specific services or principals
Description
It is generally a best practice to restrict access to Amazon S3 Glacier vaults to only the specific services or principals that require access. This can help to reduce the risk of unauthorized access to the data stored in your vaults and protect against potential data breaches.
Fix - Buildtime
Terraform
- Resource: aws_glacier_vault
- Argument: Statement
resource "aws_glacier_vault" "my_archive1" {
...
access_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Sid": "add-read-only-perm",
"Principal": "*",
+ "Effect": "Deny",
"Action": [
"glacier:InitiateJob",
"glacier:GetJobOutput"
],
"Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
}
]
}
}
Updated 11 months ago