Merge pull request #390 from asfadmin/devel

Allow S3 access originating from inside the VPC.
asfadmin · Aug 31, 2021 · 12aca42 · 12aca42
2 parents d29f639 + 821a9ec
commit 12aca42
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/cloudformation/thin-egress-app.yaml b/cloudformation/thin-egress-app.yaml
@@ -483,6 +483,7 @@ Resources:
           iam_role_name: !Ref DownloadRoleInRegion
           policy_name: !Sub "${AWS::StackName}-IamPolicyDownload"
           prefix: !Sub "${BucketnamePrefix}"
+          vpcid: !Sub "${PrivateVPC}"
       Timeout: !Ref LambdaTimeout
       Handler: update_lambda.lambda_handler
       Runtime: 'python3.7'

diff --git a/lambda/update_lambda.py b/lambda/update_lambda.py
@@ -61,6 +61,7 @@ def get_region_cidrs(current_region):
 
 
 def get_base_policy(prefix):
+    vpcid = os.getenv('vpcid')
     policy = """
 
     {
@@ -77,6 +78,23 @@ def get_base_policy(prefix):
                 """ + f'"arn:aws:s3:::{prefix}' + """*"
             ],
             "Effect": "Allow"
+        },
+        {
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": [
+                """ + f'"arn:aws:s3:::{prefix}' + """*/*",
+                """ + f'"arn:aws:s3:::{prefix}' + """*"
+            ],
+            "Effect": "Allow",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceVpc": """ + f'"{vpcid}"' + """
+                }
+            }
         }
     ]
 }