
Review Permission Policies for Unsupported Condition Keys #308

Open
mattclay opened this issue Sep 6, 2024 · 3 comments

Comments

@mattclay
Owner

mattclay commented Sep 6, 2024

The following notice was received from AWS regarding the account used to run integration tests:

We are contacting you because of a change we are making to Amazon Elastic Block Store (Amazon EBS) and the CreateVolume and CopySnapshot. To allow for more finely grained access controls, beginning October 14, 2024, we are launching support for AWS global condition keys and these seven EC2-specific keys for the source snapshot in your CopySnapshot and CreateVolume requests: ec2:ProductCode, ec2:Encrypted, ec2:VolumeSize, ec2:ParentSnapshot, ec2:Owner, ec2:ParentVolume and ec2:SnapshotTime. We identified your account has made calls to the CreateVolume or CopySnapshot with a permission policy currently using these condition keys, which we do not enforce in the above APIs following IAM policies. Therefore, at this time, calls to these APIs may be allowed, but after October 14, 2024, they may be denied based on the condition key rule set you have defined in your policies.

We recommend you take the following action by October 14, 2024 as calls to these APIs may fail because the condition keys will now be enforced:

Review your AWS CloudTrail logs for calls made to this API using the unsupported condition keys to ensure those calls succeeded as intended.

Check that your condition keys are configured appropriately. For example, if you allow principals to copy snapshots only if the source snapshot's owner is created with assigned EC2 account owner ec2:Owner (for example, ec2:Owner = account-id-2). Please review that your allocated account holder is correct or shall be updated.

For a list of the supported condition keys, please refer to the "Actions, resources, and condition keys for Amazon EC2" documentation [1].

If you have any questions or concerns, please contact Amazon Web Services Support [2].

[1] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
[2] https://aws.amazon.com/contact-us/
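The review the notice asks for (and that the later comments carry out by hand) is mechanical enough to script. The following is an added example, not code from this repository or from AWS: it walks an IAM policy document and flags any statement that can apply to `ec2:CreateVolume` or `ec2:CopySnapshot` and also conditions on one of the seven source-snapshot keys listed above. The sample policy, its `Sid` values and the account id in it are constructed for the example; only the seven key names and the two action names come from the notice.

```python
import fnmatch
import json

# The seven source-snapshot condition keys named in the AWS notice (lower-cased,
# because IAM condition key names are matched case-insensitively).
EBS_SNAPSHOT_CONDITION_KEYS = {
    "ec2:productcode", "ec2:encrypted", "ec2:volumesize", "ec2:parentsnapshot",
    "ec2:owner", "ec2:parentvolume", "ec2:snapshottime",
}

# The two APIs the notice says will start enforcing those keys.
AFFECTED_ACTIONS = ("ec2:CreateVolume", "ec2:CopySnapshot")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, action):
    """IAM action patterns support '*' wildcards and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _affected_actions_in(stmt):
    """Which of the two affected APIs this statement can apply to."""
    if "NotAction" in stmt:
        # A NotAction statement covers every action except those listed.
        excluded = _as_list(stmt["NotAction"])
        return [a for a in AFFECTED_ACTIONS
                if not any(_pattern_matches(p, a) for p in excluded)]
    listed = _as_list(stmt.get("Action"))
    return [a for a in AFFECTED_ACTIONS
            if any(_pattern_matches(p, a) for p in listed)]


def _snapshot_keys_in(stmt):
    """Condition keys from the seven, spelled as they appear in the policy."""
    keys = []
    for operator_block in stmt.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in EBS_SNAPSHOT_CONDITION_KEYS:
                keys.append(key)
    return sorted(keys)


def find_affected_statements(policy):
    """One finding per statement that targets CreateVolume/CopySnapshot AND
    conditions on one of the seven keys: index, Sid, Effect, actions, keys."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _affected_actions_in(stmt)
        keys = _snapshot_keys_in(stmt)
        if actions and keys:
            findings.append({
                "index": index,
                "sid": stmt.get("Sid"),
                "effect": stmt.get("Effect"),
                "actions": actions,
                "condition_keys": keys,
            })
    return findings


def scan_policy_json(text):
    """Wrapper for a policy document obtained as JSON text (e.g. from the API)."""
    return find_affected_statements(json.loads(text))


# Constructed sample policy (not from this project). Only the first statement
# is the pattern the notice warns about; the other two must not be flagged.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # CopySnapshot gated on ec2:Owner: enforced after the change
            "Sid": "CopyOnlyFromTrustedOwner",
            "Effect": "Allow",
            "Action": ["ec2:CopySnapshot"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:Owner": "111111111111"}},  # placeholder id
        },
        {   # Matches both APIs, but only uses a global key, not one of the seven
            "Sid": "RegionPinnedEc2",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
        {   # Uses ec2:Encrypted, but never applies to the two affected APIs
            "Sid": "DescribeOnly",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "true"}},
        },
    ],
}


if __name__ == "__main__":
    for f in find_affected_statements(SAMPLE_POLICY):
        print(f"statement {f['index']} ({f['sid']}, {f['effect']}): "
              f"{', '.join(f['actions'])} conditioned on {', '.join(f['condition_keys'])}")
```

Two points of the design matter for this review: `NotAction` statements are treated as covering both affected APIs unless they explicitly exclude them, since that is how IAM evaluates them, and a statement is only reported when both the action and the condition key match, so a policy that conditions `ec2:Describe*` on `ec2:Encrypted` is correctly left alone. A finding on a `Deny` statement is worth the same attention as one on an `Allow`: once the keys are enforced, a previously inert `Deny` may start blocking calls.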

@mattclay
Owner Author

mattclay commented Sep 6, 2024

@gravesm Can you investigate this to see if there will be any impact to the tests?

@gravesm
Collaborator

gravesm commented Sep 9, 2024

I can't find that we're using any of these conditions, so it doesn't look to me like this change will affect anything. I asked @GomathiselviS and @alinabuzachis to also take a look at this, though.

@GomathiselviS
Contributor

I can't find any of our tests utilizing these condition keys.
