Fix: Alarm api_unauthorized for HeadBucket from AWS Config (#6134, PR #6842)

dsotirho-ucsc · dsotirho-ucsc · commit 8aa14dbe1fb7 · 2025-01-27T11:13:24.000-08:00
diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -250,7 +250,12 @@ def conformance_pack(name: str) -> str:
                                 'Service': 'config.amazonaws.com'
                             },
                             'Action': ['s3:GetBucketAcl', 's3:ListBucket'],
-                            'Resource': '${aws_s3_bucket.aws_config.arn}'
+                            'Resource': '${aws_s3_bucket.aws_config.arn}',
+                            'Condition': {
+                                'StringEquals': {
+                                    'AWS:SourceAccount': config.aws_account_id
+                                }
+                            }
                         },
                         {
                             'Effect': 'Allow',
@@ -262,7 +267,8 @@ def conformance_pack(name: str) -> str:
                                         f'/*/AWSLogs/{config.aws_account_id}/Config/*',
                             'Condition': {
                                 'StringEquals': {
-                                    's3:x-amz-acl': 'bucket-owner-full-control'
+                                    's3:x-amz-acl': 'bucket-owner-full-control',
+                                    'AWS:SourceAccount': config.aws_account_id
                                 }
                             }
                         }

Original file line number	Diff line number	Diff line change
`@@ -250,7 +250,12 @@ def conformance_pack(name: str) -> str:`
`250`	`250`	`'Service': 'config.amazonaws.com'`
`251`	`251`	`},`
`252`	`252`	`'Action': ['s3:GetBucketAcl', 's3:ListBucket'],`
`253`		`- 'Resource': '${aws_s3_bucket.aws_config.arn}'`
	`253`	`+ 'Resource': '${aws_s3_bucket.aws_config.arn}',`
	`254`	`+ 'Condition': {`
	`255`	`+ 'StringEquals': {`
	`256`	`+ 'AWS:SourceAccount': config.aws_account_id`
	`257`	`+ }`
	`258`	`+ }`
`254`	`259`	`},`
`255`	`260`	`{`
`256`	`261`	`'Effect': 'Allow',`
`@@ -262,7 +267,8 @@ def conformance_pack(name: str) -> str:`
`262`	`267`	`f'//AWSLogs/{config.aws_account_id}/Config/',`
`263`	`268`	`'Condition': {`
`264`	`269`	`'StringEquals': {`
`265`		`- 's3:x-amz-acl': 'bucket-owner-full-control'`
	`270`	`+ 's3:x-amz-acl': 'bucket-owner-full-control',`
	`271`	`+ 'AWS:SourceAccount': config.aws_account_id`
`266`	`272`	`}`
`267`	`273`	`}`
`268`	`274`	`}`