diff --git a/controlpanel/api/aws.py b/controlpanel/api/aws.py index 626b7d634..61e7e2fa0 100644 --- a/controlpanel/api/aws.py +++ b/controlpanel/api/aws.py @@ -96,14 +96,14 @@ def iam_assume_role_principal(): "Version": "2012-10-17", "Statement": [ { - "Sid": "console", + "Sid": "ListUserBuckets", "Action": [ - "s3:GetBucketLocation", "s3:ListAllMyBuckets", - "s3:ListBucketVersions", + "s3:ListAccessPoints", + "s3:GetAccountPublicAccessBlock" ], "Effect": "Allow", - "Resource": ["arn:aws:s3:::*"], + "Resource": "*", }, ], } @@ -112,6 +112,8 @@ def iam_assume_role_principal(): 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectVersion', + "s3:GetObjectVersionAcl", + "s3:GetObjectVersionTagging" ] WRITE_ACTIONS = [ @@ -122,12 +124,23 @@ def iam_assume_role_principal(): 's3:RestoreObject', ] +LIST_ACTIONS = [ + "s3:ListBucket", + "s3:GetBucketPublicAccessBlock", + "s3:GetBucketPolicyStatus", + "s3:GetBucketTagging", + "s3:GetBucketPolicy", + "s3:GetBucketAcl", + "s3:GetBucketCORS", + "s3:GetBucketVersioning", + "s3:GetBucketLocation", + "s3:ListBucketVersions", +] + BASE_S3_ACCESS_STATEMENT = { 'list': { 'Sid': 'list', - 'Action': [ - 's3:ListBucket', - ], + 'Action': LIST_ACTIONS, 'Effect': 'Allow', }, 'readonly': { diff --git a/tests/api/test_aws.py b/tests/api/test_aws.py index 6d96dd27e..b6fc59b0e 100644 --- a/tests/api/test_aws.py +++ b/tests/api/test_aws.py @@ -475,11 +475,11 @@ def test_create_group(iam, settings): pd = policy.default_version.document stmt = pd['Statement'][0] assert stmt['Action'] == [ - 's3:GetBucketLocation', - 's3:ListAllMyBuckets', - 's3:ListBucketVersions', + "s3:ListAllMyBuckets", + "s3:ListAccessPoints", + "s3:GetAccountPublicAccessBlock" ] - assert stmt['Resource'] == ['arn:aws:s3:::*'] + assert stmt['Resource'] == "*" assert stmt['Effect'] == 'Allow'