adnanhemani commented on PR #1424: URL: https://github.com/apache/polaris/pull/1424#issuecomment-2840027353
Synced offline with @collado-mike - while there is still not an issue with users who are _only using_ SSE, if the user is using CSE anywhere else within their AWS account, this could present a security issue, as credentials vended by Polaris could be used by a malicious user against CSE objects. Rather than supporting this feature in this way, using a warning to the customer about the potential security side effects of enabling both CSE and SSE, I think we will have to hold the line on ensuring that the credentials are scoped in a more restrictive way.

Found some examples on how to use EncryptionContext and `kms:ViaService` that we can add to this PR that should help bring the right amount of restrictions: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replications (look for the header: "Example – Using SSE-KMS with separate destination buckets").

I'm still forming an opinion on if "*" resources are acceptable if we use both the EncryptionContext and (potentially, if we want to restrict to SSE) `kms:ViaService`. The attack vector that Mike is trying to point out above is mitigated when using EncryptionContext - so I'm still trying to see if there's a way for the wildcard resources to be exploited.
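As an added illustration (not code from the Polaris PR or from the AWS docs linked above), the block below builds the KMS statement the comment proposes for a vended session policy and runs a simplified model of the `kms:ViaService` and `kms:EncryptionContext:aws:s3:arn` conditions against constructed request contexts. The bucket, prefix, region and key ARN are placeholders, and `evaluate` is a reduced model of IAM StringEquals/StringLike matching, not the real policy engine.

```python
"""Added example: scope vended KMS permissions to server-side use through S3.

Assumptions: bucket, prefix, region and key ARN are constructed placeholders;
`evaluate` is a simplified model of IAM condition matching, not the IAM engine.
"""
import fnmatch
import json


def build_kms_statement(bucket: str, prefix: str, region: str, key_arn: str) -> dict:
    """KMS statement for the session policy attached to vended credentials.

    kms:ViaService only allows the key to be used when S3 in the given region
    makes the KMS call, so a holder of these credentials cannot call kms:Decrypt
    directly (which is what client-side encryption needs).  S3 sets the
    encryption context key aws:s3:arn to the object ARN on every SSE-KMS
    request, so matching it limits server-side use to the table's prefix.
    """
    return {
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": key_arn,
        "Condition": {
            "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
            "StringLike": {
                "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/{prefix}/*"
            },
        },
    }


def evaluate(statement: dict, request: dict) -> bool:
    """Simplified model: every condition key must be present in the request
    context and match (exact for StringEquals, glob for StringLike)."""
    for op, conds in statement["Condition"].items():
        for key, pattern in conds.items():
            value = request.get(key)
            if value is None:
                return False  # a missing context key fails the condition
            if op == "StringEquals" and value != pattern:
                return False
            if op == "StringLike" and not fnmatch.fnmatchcase(value, pattern):
                return False
    return True


# Constructed placeholder values and request contexts as IAM would see them.
STATEMENT = build_kms_statement("data-bucket", "warehouse/db/tbl", "us-east-1",
                                "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")
SSE_VIA_S3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
              "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::data-bucket/warehouse/db/tbl/part-0.parquet"}
CSE_DIRECT = {"kms:EncryptionContext:app": "cse-client"}  # direct Decrypt call, no ViaService
OTHER_PREFIX = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::data-bucket/other/obj"}

if __name__ == "__main__":
    print(json.dumps(STATEMENT, indent=2))
```

The SSE request routed through S3 under the table prefix passes, while a direct Decrypt call (the CSE path) and an SSE request for an object outside the prefix both fail the conditions.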