From b12f46b932357f849610db54201ecaa06bd3481d Mon Sep 17 00:00:00 2001
From: Kazunori Kajihiro
Date: Fri, 29 Sep 2017 15:27:08 +0900
Subject: [PATCH] Resource based s3:GetObject ACL for container instances

---
lib/barcelona/network/vpc_builder.rb | 11 +++++++++--
spec/lib/barcelona/network/network_stack_spec.rb | 11 +++++++++--
2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/barcelona/network/vpc_builder.rb b/lib/barcelona/network/vpc_builder.rb
index 3be74cc6..d89cc8ff 100644
--- a/lib/barcelona/network/vpc_builder.rb
+++ b/lib/barcelona/network/vpc_builder.rb
@@ -323,10 +323,17 @@ def build_resources
 "logs:CreateLogStream",
 "logs:DescribeLogStreams",
 "logs:PutLogEvents",
- "s3:Get*",
- "s3:List*"
 ],
 "Resource" => ["*"]
+ },
+ {
+ "Effect" => "Allow",
+ "Action" => [
+ "s3:GetObject"
+ ],
+ "Resource" => [
+ "arn:aws:s3:::#{stack.district.s3_bucket_name}/#{stack.district.name}/*"
+ ]
 }
 ]
 }
diff --git a/spec/lib/barcelona/network/network_stack_spec.rb b/spec/lib/barcelona/network/network_stack_spec.rb
index 75c1d325..369b4390 100644
--- a/spec/lib/barcelona/network/network_stack_spec.rb
+++ b/spec/lib/barcelona/network/network_stack_spec.rb
@@ -485,10 +485,17 @@
 "logs:CreateLogStream",
 "logs:DescribeLogStreams",
 "logs:PutLogEvents",
- "s3:Get*",
- "s3:List*"
 ],
 "Resource"=>["*"]
+ },
+ {
+ "Effect" => "Allow",
+ "Action" => [
+ "s3:GetObject"
+ ],
+ "Resource" => [
+ "arn:aws:s3:::#{district.s3_bucket_name}/#{district.name}/*"
+ ]
 }
 ]
 }
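Review bot: The new resource ARN is built by interpolating `stack.district.s3_bucket_name` and `stack.district.name` with no check that either is set, so a district without a bucket name silently produces `arn:aws:s3:::/<name>/*`, which will presumably only be rejected when the stack is created rather than where the policy is generated; a guard such as `raise ArgumentError, "district has no s3_bucket_name" if stack.district.s3_bucket_name.to_s.empty?` ahead of the statement array would fail earlier and more clearly. Dropping `s3:List*` also removes `s3:ListBucket`, and without it a GetObject on a missing key returns 403 rather than 404, so anything on the container instances that lists or syncs the prefix will now fail; the intent deserves a comment on the new statement, e.g. `# Container instances may only read objects under their own district prefix; listing is deliberately not granted`. The `logs:*` statement directly above still uses `"Resource" => ["*"]`, which this commit leaves in place. `build_resources` begins before the hunk.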
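Review bot: The expected ARN in the spec is rebuilt with the same interpolation as the implementation, `"arn:aws:s3:::#{district.s3_bucket_name}/#{district.name}/*"`, so the assertion passes for any value of those attributes, including nil, and would not catch a bucket or district name that is unexpectedly empty. Pinning the expectation to the literal bucket and district names the fixture uses would make the test assert the scoping rather than restate it; `district` is defined outside the hunk, so the exact values are not visible here. The enclosing example starts and ends outside the hunk.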