Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it

Error: Glacier Vault access policy is public and not restricted to specific services or principals

Bridgecrew Policy ID: BC_AWS_GENERAL_90
Checkov Check ID: CKV_AWS_167
Severity: MEDIUM

Suggest Edits

Glacier Vault access policy is public and not restricted to specific services or principals

Description

TBD

Fix - Buildtime

Terraform

Resource: aws_glacier_vault
Argument: Statement

resource "aws_glacier_vault" "my_archive1" {
  ...
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "*",
       +  "Effect": "Deny",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
    }
}

Updated about 1 year ago

Did this page help you?