cellxgene icon indicating copy to clipboard operation
cellxgene copied to clipboard

Published 20 hours ago verified publisher icon chanzuckerberg

overly broad access to s3 buckets for hosted-cellxgene-service-role-policy-*

Open MDunitz opened this issue 3 years ago • 3 comments

The hosted-cellxgene-service-role-policy-* has list and get permissions for all s3 buckets. This is a potential security concern and it might be safer to limit it to arn:…:host-cellxgene*

-- however this is a chesterton's fence scenario as I'm not sure why it has such broad access and it is possible that limiting it will break something

MDunitz avatar Aug 11 '20 20:08 MDunitz

@maniarathi to triage

signechambers1 avatar Oct 20 '20 18:10 signechambers1

I briefly chatted with Eduardo about this. The simple solution here is to move lines 42-43 into the block that is 51-52 in the file right now (here).

The tricky thing will be to ensure that we run enough tests and such to make sure that it doesn't break.

maniarathi avatar Oct 21 '20 15:10 maniarathi

I'm marking this as a P2 for now -- it would be nice to get to, to tighten up security and the longer we wait, the more of a pain it might get with added Infra complexity, but we don't have to do it right now.

maniarathi avatar Oct 21 '20 15:10 maniarathi

2 years w/o an incident related to perms; closing

atolopko-czi avatar Oct 21 '22 14:10 atolopko-czi