cellxgene
overly broad access to s3 buckets for hosted-cellxgene-service-role-policy-*
The hosted-cellxgene-service-role-policy-* has list and get permissions for all S3 buckets. This is a potential security concern and it might be safer to limit it to arn:…:host-cellxgene*
-- however, this is a Chesterton's fence scenario, as I'm not sure why it has such broad access and it is possible that limiting it will break something
@maniarathi to triage
I briefly chatted with Eduardo about this. The simple solution here is to move lines 42-43 into the block that is 51-52 in the file right now (here).
The tricky thing will be to ensure that we run enough tests and such to make sure that it doesn't break.
I'm marking this as a P2 for now -- it would be nice to get to, to tighten up security and the longer we wait, the more of a pain it might get with added Infra complexity, but we don't have to do it right now.
2 years w/o an incident related to perms; closing
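An added example, not part of the thread or the project's code: a small audit that flags the condition the issue describes, an Allow statement granting S3 get/list on every bucket, so a policy change like the one proposed can be checked before and after. The sample policy and its bucket names are constructed placeholders, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample policy; bucket names are placeholders, not the project's.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:Get*",
         "Resource": ["arn:aws:s3:::example-hosted-bucket",
                      "arn:aws:s3:::example-hosted-bucket/*"]},
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
    ],
}

# Representative S3 read/list actions used to test Action wildcards.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _grants_s3_read(action):
    """True if an Action pattern (IAM wildcards allowed) covers an S3 read/list."""
    return any(fnmatch.fnmatchcase(a.lower(), action.lower()) for a in READ_ACTIONS)

def _covers_every_bucket(resource):
    """True for "*" or an S3 ARN whose bucket part is a bare wildcard."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    return len(parts) == 6 and parts[2] in ("s3", "*") and parts[5] in ("*", "*/*")

def broad_s3_read_statements(policy):
    """Indexes of Allow statements granting S3 get/list on every bucket.

    NotAction and NotResource are not evaluated; review those by hand.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    return [
        i for i, s in enumerate(statements)
        if s.get("Effect") == "Allow"
        and any(_grants_s3_read(a) for a in _as_list(s.get("Action")))
        and any(_covers_every_bucket(r) for r in _as_list(s.get("Resource")))
    ]
```

On the constructed sample only statement 0 is reported; the statement scoped to named buckets and the non-S3 statement are not.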