Skip to content

Glacier Vault access policy is public and not restricted to specific services or principals

Description

It is generally a best practice to restrict access to Amazon S3 Glacier vaults to only the specific services or principals that require access. This can help to reduce the risk of unauthorized access to the data stored in your vaults and protect against potential data breaches.

Fix - Buildtime

Terraform

  • Resource: aws_glacier_vault
  • Argument: Statement

go aws_s3_bucket.test.tf resource "aws_glacier_vault" "my_archive1" { ... access_policy = <<EOF { "Version":"2012-10-17", "Statement":[ { "Sid": "add-read-only-perm", "Principal": "*", + "Effect": "Deny", "Action": [ "glacier:InitiateJob", "glacier:GetJobOutput" ], "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive" } ] } }