Impact
This issue affects all buckets that have object locking enabled in governance mode. On such buckets, an explicit Deny statement on the action s3:BypassGovernanceRetention is not honored correctly if the same policy also carries an Allow statement covering all S3 actions (s3:*). The IAM evaluation rule is that an explicit Deny must take precedence over any Allow, so the wildcard grant should never override the targeted Deny.
For example:
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"], "Resource": ["arn:aws:s3:::*"] },
    { "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"] }
  ]
}
Ideally, we should return "Access Denied" to any user who attempts to DELETE a versioned object while sending the header X-Amz-Bypass-Governance-Retention: true, which requests a bypass of the governance-mode retention. With the affected releases, the caller instead succeeds in deleting the object version despite the Deny.
All users are advised to upgrade to RELEASE.2023-02-17T17-52-43Z to get the relevant fix and protection.
Additionally, please review all your IAM policies for this pattern (a Deny on s3:BypassGovernanceRetention next to an Allow on s3:*), since the upgraded server is what restores the intended precedence of the Deny.
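The following is an added example, written for this page and not MinIO's own policy code, that shows the decision order the advisory describes: a small evaluator that parses the advisory's policy document, applies the standard IAM rule (explicit Deny wins over Allow, otherwise implicit deny), and then models the authorization step for a versioned DELETE with and without the X-Amz-Bypass-Governance-Retention header. The type names, the functions IsAllowed and CanDeleteVersion, the glob matcher, and the object ARN arn:aws:s3:::locked-bucket/report.pdf are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement and Policy model the subset of the IAM policy document shown in the
// advisory (Version/Statement/Effect/Action/Resource); Condition is omitted.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// AdvisoryPolicy is the policy from the advisory: an explicit Deny on the bypass
// action next to a blanket Allow on s3:*.
const AdvisoryPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Deny",  "Action": ["s3:BypassGovernanceRetention"], "Resource": ["arn:aws:s3:::*"] },
    { "Effect": "Allow", "Action": ["s3:*"],                         "Resource": ["arn:aws:s3:::*"] }
  ]
}`

// ParsePolicy decodes a policy JSON document.
func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// match is an IAM-style glob (hypothetical helper): '*' matches any run of
// characters, including ':' and '/', '?' matches one character, rest is literal.
func match(pattern, value string) bool {
	if pattern == "" {
		return value == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(value); i++ {
			if match(pattern[1:], value[i:]) {
				return true
			}
		}
		return false
	case '?':
		return value != "" && match(pattern[1:], value[1:])
	default:
		return value != "" && pattern[0] == value[0] && match(pattern[1:], value[1:])
	}
}

// applies reports whether a statement covers the given action and resource.
func (s Statement) applies(action, resource string) bool {
	actionHit, resourceHit := false, false
	for _, a := range s.Action {
		if match(a, action) {
			actionHit = true
			break
		}
	}
	for _, r := range s.Resource {
		if match(r, resource) {
			resourceHit = true
			break
		}
	}
	return actionHit && resourceHit
}

// IsAllowed applies the standard IAM decision order: any matching explicit Deny
// wins, otherwise any matching Allow grants, otherwise the request is implicitly
// denied. Under this rule "s3:*" can never override a Deny on a specific action.
func IsAllowed(p Policy, action, resource string) bool {
	allowed := false
	for _, s := range p.Statement {
		if !s.applies(action, resource) {
			continue
		}
		switch s.Effect {
		case "Deny":
			return false
		case "Allow":
			allowed = true
		}
	}
	return allowed
}

// CanDeleteVersion models the authorization step for deleting a specific object
// version. The delete itself needs s3:DeleteObjectVersion; if the caller also
// sends X-Amz-Bypass-Governance-Retention: true, s3:BypassGovernanceRetention
// must be allowed too, so a Deny on it yields AccessDenied as the advisory expects.
func CanDeleteVersion(p Policy, resource string, bypassHeader bool) bool {
	if !IsAllowed(p, "s3:DeleteObjectVersion", resource) {
		return false
	}
	if bypassHeader && !IsAllowed(p, "s3:BypassGovernanceRetention", resource) {
		return false
	}
	return true
}

func main() {
	p, err := ParsePolicy(AdvisoryPolicy)
	if err != nil {
		panic(err)
	}
	obj := "arn:aws:s3:::locked-bucket/report.pdf" // hypothetical object ARN
	fmt.Println("delete, no bypass header:", CanDeleteVersion(p, obj, false)) // true
	fmt.Println("delete with bypass header:", CanDeleteVersion(p, obj, true)) // false -> AccessDenied
}
```

Note that the "no bypass header" case is only the policy decision: on a governance-locked version the server's retention check still rejects the delete afterwards, which is exactly why the bypass action is the one that needs a reliable Deny. After upgrading, a versioned delete issued with the bypass header under this policy (for instance via aws s3api delete-object with --bypass-governance-retention against your MinIO endpoint) should come back as AccessDenied.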
Patches
commit a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
Author: Anis Elleuch <vadmeste@users.noreply.github.com>
Date: Fri Feb 17 03:23:34 2023 +0100
fix: evaluate BypassGov policy action in deletion correctly (#16635)
References
Feel free to reach out to us if you have more questions