Fix permissive access policy for backup vaults

rebuy-de · Oct 28, 2023 · 4192726 · 4192726
1 parent 4e8c0c5
commit 4192726
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/resources/backup-vaults-access-policies.go b/resources/backup-vaults-access-policies.go
@@ -3,18 +3,28 @@ package resources
 import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/backup"
+	"github.com/aws/aws-sdk-go/service/sts"
 )
 
 type BackupVaultAccessPolicy struct {
 	svc             *backup.Backup
 	backupVaultName string
+	accountId       string
 }
 
 func init() {
 	register("AWSBackupVaultAccessPolicy", ListBackupVaultAccessPolicies)
 }
 
 func ListBackupVaultAccessPolicies(sess *session.Session) ([]Resource, error) {
+	// Lookup current account ID, which is required for building a permissive vault policy
+	stsSvc := sts.New(sess)
+	identity, err := stsSvc.GetCallerIdentity(&sts.GetCallerIdentityInput{})
+	if err != nil {
+		return nil, err
+	}
+	accountId := *identity.Account
+
 	svc := backup.New(sess)
 	maxVaultsLen := int64(100)
 	params := &backup.ListBackupVaultsInput{
@@ -50,6 +60,7 @@ func ListBackupVaultAccessPolicies(sess *session.Session) ([]Resource, error) {
 			resources = append(resources, &BackupVaultAccessPolicy{
 				svc:             svc,
 				backupVaultName: *out.BackupVaultName,
+				accountId:       accountId,
 			})
 		}
 	}
@@ -95,7 +106,7 @@ func (b *BackupVaultAccessPolicy) Remove() error {
         {
             "Effect": "Allow",
             "Principal": {
-                "AWS": "*"
+                "AWS": "arn:aws:iam::` + b.accountId + `:root"
             },
             "Action": "backup:DeleteBackupVaultAccessPolicy",
             "Resource": "*"