
Feature Request: Optional Property to provide own iam.PolicyStatement for Bucket. #1012

Open
mrpackethead opened this issue Nov 6, 2023 · 2 comments

Comments

@mrpackethead

I would like to be able to specify my own policy for the S3 bucket, rather than having to use the policy that is specified; particularly, I would like to be able to specify that there is a deny for all files unless the scan-status is CLEAN. This requires the lambda to have run and actively tagged it. As it sits, there is a possibility that the lambda has not run, and an infected file could be read.

Rather than changing the existing behavior, this would require an additional optional property

scannedbucketPolicyStatement?: iam.PolicyStatement | undefined

At line 581 of index.ts, we can use a nullish coalescer to either use the default policy or the supplied one.

// Fall back to the construct's default statement when the caller has not supplied one.
// (The `??` belongs on the statement being added, not on the AddToResourcePolicyResult.)
const result: AddToResourcePolicyResult = bucket.addToResourcePolicy(
  props.scannedbucketPolicyStatement ?? this.getPolicyStatementForBucket(bucket),
);

I can provide a PR for this.

@dontirun
Contributor

dontirun commented Nov 7, 2023

Do you have an example of a Bucket policy that can deny access to everything but the scanning lambda if untagged? I don't think allowing users to specify the bucket policy is a great idea, since there are various components of this construct that depend upon the specifics of the policy.

@mrpackethead
Author

I think (to be proved) that I should be able to create a policy that does that. While I agree with the sentiment about users creating policy that could break something, it's on their head if they do.
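As an added illustration of the policy the issue asks for and the example dontirun requests (this is not code from this issue or from the construct; the bucket and role ARNs are placeholders), the statement below denies `s3:GetObject` on every object whose `scan-status` tag is not `CLEAN`, while exempting the scanning Lambda's role so it can still read and tag fresh uploads. The point worth checking is the untagged case: IAM evaluates `StringNotEquals` against a missing tag key as true, so an object the Lambda has not processed yet is denied rather than silently allowed. The small evaluator that follows models only the exact-match operators the statement uses and exists to make that behaviour visible offline; in CDK the plain object could be fed to `iam.PolicyStatement.fromJson(...)` before `bucket.addToResourcePolicy(...)`. Any other construct components that must read untagged objects would need the same exemption, which is the coupling dontirun points out.

```typescript
// Added example, not code from cdk-serverless-clamscan: a Deny statement that blocks
// reads of any object whose scan-status tag is not CLEAN (including untagged objects),
// while exempting the scanning Lambda's role. ARNs below are placeholders.

type ConditionMap = Record<string, Record<string, string | string[]>>;

interface PolicyStatement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: '*';
  Action: string[];
  Resource: string;
  Condition: ConditionMap;
}

// Build the statement. In CDK this object could become an iam.PolicyStatement via
// iam.PolicyStatement.fromJson(...) and be passed to bucket.addToResourcePolicy(...).
function denyUnlessCleanStatement(bucketArn: string, scannerRoleArn: string): PolicyStatement {
  return {
    Sid: 'DenyReadUnlessScanStatusClean',
    Effect: 'Deny',
    Principal: '*',
    Action: ['s3:GetObject', 's3:GetObjectVersion'],
    Resource: `${bucketArn}/*`,
    Condition: {
      // IAM treats a negated operator on a missing key as "true", so an object the
      // Lambda has not tagged yet is denied, not silently allowed.
      StringNotEquals: { 's3:ExistingObjectTag/scan-status': 'CLEAN' },
      // The scanner must still read untagged objects in order to tag them.
      // For a Lambda role session, aws:PrincipalArn is the role ARN.
      ArnNotEquals: { 'aws:PrincipalArn': scannerRoleArn },
    },
  };
}

// Request context for one GetObject call: the caller's role ARN and the object's tags.
function getObjectContext(principalArn: string, tags: Record<string, string>): Record<string, string | undefined> {
  return {
    'aws:PrincipalArn': principalArn,
    's3:ExistingObjectTag/scan-status': tags['scan-status'],
  };
}

// Minimal evaluator for the statement's condition block. Assumption: only exact-match
// String*/Arn* operators are modelled (no wildcards, no multi-valued keys), which is all
// the statement above uses. Every condition entry must hold for the Deny to apply.
function isDeniedBy(stmt: PolicyStatement, ctx: Record<string, string | undefined>): boolean {
  if (stmt.Effect !== 'Deny') return false;
  for (const [operator, entries] of Object.entries(stmt.Condition)) {
    for (const [key, expected] of Object.entries(entries)) {
      const expectedValues = Array.isArray(expected) ? expected : [expected];
      const actual = ctx[key];
      const matches = actual !== undefined && expectedValues.includes(actual);
      switch (operator) {
        case 'StringEquals':
        case 'ArnEquals':
          if (!matches) return false; // positive operator fails on mismatch or missing key
          break;
        case 'StringNotEquals':
        case 'ArnNotEquals':
          if (matches) return false;  // negated operator passes on mismatch or missing key
          break;
        default:
          throw new Error(`unsupported condition operator: ${operator}`);
      }
    }
  }
  return true;
}

// Constructed walkthrough: one scanner role, one application role, three object states.
const BUCKET_ARN = 'arn:aws:s3:::example-scanned-bucket';             // placeholder
const SCANNER_ROLE = 'arn:aws:iam::123456789012:role/ScanLambdaRole'; // placeholder
const APP_ROLE = 'arn:aws:iam::123456789012:role/AppRole';            // placeholder
const STATEMENT = denyUnlessCleanStatement(BUCKET_ARN, SCANNER_ROLE);

function walkthrough(): Record<string, boolean> {
  return {
    scannerReadsUntagged: isDeniedBy(STATEMENT, getObjectContext(SCANNER_ROLE, {})),
    appReadsUntagged: isDeniedBy(STATEMENT, getObjectContext(APP_ROLE, {})),
    appReadsClean: isDeniedBy(STATEMENT, getObjectContext(APP_ROLE, { 'scan-status': 'CLEAN' })),
    appReadsInfected: isDeniedBy(STATEMENT, getObjectContext(APP_ROLE, { 'scan-status': 'INFECTED' })),
  };
}

console.log(walkthrough());
```

Only the application role reading an untagged or non-CLEAN object is denied; the scanner role reads everything, and a CLEAN object is readable by anyone the bucket's Allow statements admit. Because this is an explicit Deny in a bucket policy, it also applies to the account's own principals, so the exemption list has to cover every role that legitimately touches objects before they are tagged.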
