adnanhemani commented on PR #1424:
URL: https://github.com/apache/polaris/pull/1424#issuecomment-2840027353

Synced offline with @collado-mike - while there is still not an issue with users who are _only using_ SSE, if the user is using CSE anywhere else within their AWS account, this could present a security issue as credentials vended by Polaris could be used by a malicious user against CSE objects. Rather than supporting this feature in this way using a warning to the customer about the potential security side effects of enabling both CSE and SSE, I think we will have to hold the line on ensuring that the credentials are scoped in a more restrictive way.

Found some examples on how to use EncryptionContext and `kms:ViaService` that we can add to this PR that should help bring the right amount of restrictions: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replications (Look for the header: "Example – Using SSE-KMS with separate destination buckets")

I'm still forming an opinion on whether "*" resources are acceptable if we use both the EncryptionContext and (potentially, if we want to restrict to SSE) `kms:ViaService`. The attack vector that Mike is trying to point out above is mitigated when using EncryptionContext - so I'm still trying to see if there's a way for the wildcard resources to be exploited.
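The two conditions named in the comment, as an added example (not Polaris code, not from the PR): a KMS statement for a vended session policy that keeps `Resource: "*"` but binds key use to S3 via `kms:ViaService` and to one table prefix via `kms:EncryptionContext:aws:s3:arn` (the context S3 attaches for SSE-KMS). Bucket, prefix, region and the CSE-style context are constructed placeholders, and `statement_allows()` is a simplified model of IAM condition matching, not IAM itself.

```python
"""Added example: scope vended KMS permissions to S3 SSE-KMS use on one table prefix
while leaving Resource as "*". statement_allows() models only StringEquals/StringLike
on the two condition keys; a missing key never satisfies a condition, as in IAM."""
from fnmatch import fnmatchcase

REGION = "us-west-2"                              # constructed placeholder
BUCKET_ARN = "arn:aws:s3:::example-warehouse"     # constructed placeholder
TABLE_PREFIX = "db/orders/"                       # constructed placeholder


def kms_statement(bucket_arn: str, prefix: str, region: str) -> dict:
    """Allow Decrypt/GenerateDataKey only when S3 calls KMS on the caller's behalf
    for objects under the table prefix. Caveat: with S3 Bucket Keys enabled the
    context value is the bucket ARN, so a prefix-level pattern would not match."""
    return {
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
            "StringLike": {"kms:EncryptionContext:aws:s3:arn": f"{bucket_arn}/{prefix}*"},
        },
    }


def statement_allows(stmt: dict, action: str, context: dict) -> bool:
    """Simplified check: the action must be listed and every condition key must be
    present in the request context and match its pattern."""
    if action not in stmt["Action"]:
        return False
    for operator, pairs in stmt["Condition"].items():
        for key, pattern in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringEquals" and value != pattern:
                return False
            if operator == "StringLike" and not fnmatchcase(value, pattern):
                return False
    return True


STMT = kms_statement(BUCKET_ARN, TABLE_PREFIX, REGION)
S3_CTX = {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}  # S3 calling KMS for SSE-KMS

# Constructed request contexts: SSE read of a table object, SSE read of another
# table, and a client-side (CSE) Decrypt sent directly to KMS (no ViaService key).
SSE_IN_SCOPE = {**S3_CTX, "kms:EncryptionContext:aws:s3:arn": f"{BUCKET_ARN}/{TABLE_PREFIX}0.parquet"}
SSE_OTHER_TABLE = {**S3_CTX, "kms:EncryptionContext:aws:s3:arn": f"{BUCKET_ARN}/db/hr/0.parquet"}
CSE_DIRECT = {"kms:EncryptionContext:aws:x-amz-cek-alg": "AES/GCM/NoPadding"}
```

With both conditions in place, the in-scope SSE read is allowed while the other table's objects and the direct CSE Decrypt are denied even though the resource is a wildcard.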
