Project: OpenShift Specialist Platform Team
Issue: SPLAT-349

[aws][spike][office hour] follow up bucket permissions to IAM OIDC config

    • Type: Story
    • Resolution: Done
    • Priority: Major

      *USER STORY:*

      As a Customer, I want to make sure that the S3 bucket used in the IAM OIDC setup is private when using CCO in manual STS mode on an IPI deployment, so that I can keep my account safe and make sure that no data is shared publicly.

      DESCRIPTION

      CCO setup using manual STS relies on AWS IAM OIDC and hosts the JWKS (JSON Web Key Set) endpoint in a public S3 bucket. The bucket is created by ccoctl during setup. It is public by default because AWS IAM OIDC is used to "establish trust between an OIDC-compatible IdP and your AWS account" [1], with the S3 bucket endpoint set as the issuer when the IdP is created.

      @jdiaz collected the CloudTrail record of the request to the bucket and observed that the "GetObject" event for key ".well-known/openid-configuration" came from 'sourceIPAddress="AWS Internal"' with 'userIdentity.accountId="ANONYMOUS_PRINCIPAL"' (the full event is attached).

      The interesting part of the event is that eventSource is the S3 URL. S3 server access logs might be helpful in this investigation.

      We need to research whether we can restrict the bucket from public access without affecting IAM OIDC behavior.

      Some components to check the solution:

      • bucket policies restricting access to only the OIDC managed service (we need to explore further to understand what kind of access it needs)
      • S3 and STS VPC service endpoints to restrict access to traffic from inside the VPC only
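The CloudTrail observation above (an anonymous principal reading ".well-known/openid-configuration" from "AWS Internal") suggests a simple audit: separate the anonymous reads the IAM OIDC flow is expected to make from anonymous reads of anything else in the bucket, which would show the public bucket exposing more than the discovery documents. The script below is an added example written for this issue, not code from the OpenShift project or ccoctl. The events are constructed to mirror the shape of CloudTrail S3 data events; the bucket name and IP addresses are placeholders, and the JWKS object name "keys.json" is an assumption, since the page only names the ".well-known/openid-configuration" key.

```python
"""Audit S3 GetObject CloudTrail events for an OIDC discovery bucket.

Classifies each event so that the anonymous reads expected from the IAM OIDC
flow can be told apart from anonymous reads of other objects in the bucket.
"""
from collections import defaultdict

# Constructed CloudTrail-style S3 data events (not records from the issue).
# Event 0 mirrors what the issue reports; the rest are added for contrast.
SAMPLE_EVENTS = [
    {   # expected: IAM OIDC fetching the discovery document
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "AWS Internal",
        "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"},
        "requestParameters": {"bucketName": "example-oidc-bucket",
                              "key": ".well-known/openid-configuration"},
    },
    {   # expected: IAM OIDC fetching the JWKS (object name assumed)
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "AWS Internal",
        "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"},
        "requestParameters": {"bucketName": "example-oidc-bucket", "key": "keys.json"},
    },
    {   # anonymous read of a discovery document from outside AWS (placeholder IP)
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"},
        "requestParameters": {"bucketName": "example-oidc-bucket",
                              "key": ".well-known/openid-configuration"},
    },
    {   # anonymous read of a non-OIDC object: the finding that matters
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"},
        "requestParameters": {"bucketName": "example-oidc-bucket",
                              "key": "backup/cluster-state.tar"},
    },
    {   # authenticated read by an IAM user in the account (placeholder account id)
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
        "requestParameters": {"bucketName": "example-oidc-bucket", "key": "keys.json"},
    },
]

# Objects the OIDC discovery flow is expected to fetch anonymously.
# ".well-known/openid-configuration" comes from the issue; "keys.json" is an
# assumed JWKS object name and should be replaced with the real one.
EXPECTED_OIDC_KEYS = {".well-known/openid-configuration", "keys.json"}


def is_anonymous(event):
    """True when the request carried no AWS credentials at all."""
    return event.get("userIdentity", {}).get("accountId") == "ANONYMOUS_PRINCIPAL"


def classify_event(event):
    """Return one of: ignored, authenticated, unexpected-anonymous,
    oidc-discovery, anonymous-discovery-external."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "GetObject"):
        return "ignored"
    key = event.get("requestParameters", {}).get("key", "")
    if not is_anonymous(event):
        return "authenticated"
    if key not in EXPECTED_OIDC_KEYS:
        # Public access reached an object the OIDC flow never needs.
        return "unexpected-anonymous"
    if event.get("sourceIPAddress") == "AWS Internal":
        # Matches the pattern observed in the issue's CloudTrail record.
        return "oidc-discovery"
    return "anonymous-discovery-external"


def audit(events):
    """Group object keys by classification: {classification: [key, ...]}."""
    report = defaultdict(list)
    for event in events:
        key = event.get("requestParameters", {}).get("key", "")
        report[classify_event(event)].append(key)
    return dict(report)


def has_unexpected_public_reads(events):
    """True if any anonymous read touched a non-OIDC object."""
    return bool(audit(events).get("unexpected-anonymous"))


if __name__ == "__main__":
    for category, keys in sorted(audit(SAMPLE_EVENTS).items()):
        print(f"{category:30s} {keys}")
    print("unexpected public reads:", has_unexpected_public_reads(SAMPLE_EVENTS))
```

To run this against a real bucket, CloudTrail data events (or S3 server access logs) must be enabled for it; the same classification applies, and a non-empty "unexpected-anonymous" group is the signal that the public setting exposes more than the two discovery objects. Distinguishing "AWS Internal" from external anonymous readers is what makes the result useful for the bucket-policy research in the list above: the first group is the access IAM OIDC appears to need, the second shows what a tighter policy would cut off.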

       (WIP deliveries)

      Engineering details:

      [1] "IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard"
      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html 

            rhn-support-mrbraga Marco Braga