Project: Dev - Nexus Repo
Issue: NEXUS-26793

Encryption is not configured on S3 buckets created by repository manager when S3 Blobstores are created


    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.19.0, 3.29.2
    • Fix Version/s: None
    • Component/s: S3
    • Labels:
    • Notability: 3

      Description

      Problem

      S3 blobstores support S3 Encryption as per NEXUS-17797.

      Further, when creating an S3 blobstore, NXRM uses the S3 REST API to create the bucket itself if it does not already exist.

      When NXRM creates or modifies the bucket and encryption settings are configured in the blobstore config, the bucket does not reflect those encryption settings. If you open the S3 bucket's Properties tab -> Encryption Settings, you will notice that default encryption is not enabled.

      However, operations that actually store objects in the bucket do request that each object be encrypted according to the configured blobstore settings.

      The API that actually enables default encryption on the bucket:
      https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/s3/S3Client.html#putBucketEncryption-java.util.function.Consumer-

      NXRM does not call this API, which seemingly explains why encryption is not enabled on the bucket when viewed in the console.

      https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html#API_PutBucketEncryption_RequestSyntax

      S3 also offers options that prevent uploading objects that are not encrypted:

      https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/

      Expected

      If a create S3 blobstore operation actually creates an S3 bucket, then use the appropriate REST API to enable default encryption on the bucket, if possible.

      Define how the create/update blobstore config operations and their failure modes should work if the encryption settings are modified in the NXRM config and the bucket already exists.

      What happens if the bucket does not have a matching encryption setting after creating or updating a blobstore inside an existing bucket (one that uses a prefix, for example)?

      Possibly, if the encryption settings of a blobstore do not match those already configured on the bucket, report this?
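      The mismatch check proposed above, as an added example that is not NXRM's own code: it maps a blobstore's encryption setting onto an S3 default-encryption rule, compares it with the rule a GetBucketEncryption call returned (the dict shape boto3's get_bucket_encryption returns; None stands for the ServerSideEncryptionConfigurationNotFoundError case), and builds the body a PutBucketEncryption call would need to align them. The blobstore field names and values are assumptions modelled on the NXRM S3 blobstore form; all inputs are constructed.

```python
"""Report whether an S3 bucket's default encryption matches a blobstore's
configured encryption, and build the PutBucketEncryption body if it does not."""
from typing import Optional, Tuple

# Constructed blobstore settings (assumed field names, modelled on the NXRM
# S3 blobstore form: encryption_type in none / s3ManagedEncryption /
# kmsManagedEncryption, plus an optional KMS key id or alias).
BLOBSTORE = {"encryption_type": "kmsManagedEncryption", "kms_key_id": "alias/nexus-blobs"}

# Constructed GetBucketEncryption response for a bucket using SSE-S3 (AES256).
BUCKET_AES256 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
     "BucketKeyEnabled": False}]}}


def desired_rule(blobstore: dict) -> Optional[dict]:
    """Translate blobstore settings into one S3 default-encryption rule (None = no encryption)."""
    etype = blobstore.get("encryption_type", "none")
    if etype == "none":
        return None
    if etype == "s3ManagedEncryption":
        return {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    if etype == "kmsManagedEncryption":
        sse = {"SSEAlgorithm": "aws:kms"}
        if blobstore.get("kms_key_id"):
            sse["KMSMasterKeyID"] = blobstore["kms_key_id"]
        return {"ApplyServerSideEncryptionByDefault": sse}
    raise ValueError(f"unknown encryption type {etype!r}")


def bucket_rule(response: Optional[dict]) -> Optional[dict]:
    """Extract the bucket's first default-encryption rule; None means no default encryption.
    BucketKeyEnabled is dropped because it does not affect which algorithm is applied."""
    if not response:
        return None
    rules = response["ServerSideEncryptionConfiguration"]["Rules"]
    if not rules:
        return None
    return {"ApplyServerSideEncryptionByDefault": rules[0]["ApplyServerSideEncryptionByDefault"]}


def check(blobstore: dict, response: Optional[dict]) -> Tuple[str, Optional[dict]]:
    """Return (status, put_body). put_body is the ServerSideEncryptionConfiguration
    to pass to PutBucketEncryption when the bucket needs changing, else None.
    Caveat: S3 may report a KMS key as its full ARN even if it was set by alias,
    so a 'mismatch' on KMSMasterKeyID alone deserves a manual look."""
    want, have = desired_rule(blobstore), bucket_rule(response)
    if want is None:
        return "no-encryption-requested", None
    if have == want:
        return "match", None
    return ("missing" if have is None else "mismatch"), {"Rules": [want]}
```

      With boto3 the response argument is whatever `s3.get_bucket_encryption(Bucket=name)` returns, and the returned body goes straight into `s3.put_bucket_encryption(Bucket=name, ServerSideEncryptionConfiguration=body)`.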


      People

      Assignee: Unassigned
      Reporter: Peter Lynch (plynch)
      Last Updated By: Rich Seddon
      Votes: 0
      Watchers: 2
