topic Re: How to (easily) deny access for bucket containing secure data ? in Open Q&A

How to (easily) deny access for bucket containing secure data ?

josef_solnicky — Thu, 05 Dec 2024 14:58:43 GMT

We created log bucket for secure data + Allow policy for special group - but probably because of default policy "Storage Logs Read" - anyboddy still can access those logs.
Cannot find any example in Docs.

Is there any easy solution ? Or do we need to DENY access from other groups ??

BR, Josef

Re: How to (easily) deny access for bucket containing secure data ?

Peter_Youssef — Thu, 05 Dec 2024 18:06:40 GMT

Hi @josef_solnicky

PFA Dynatrace Resource that contains answer to the related storage policy:

https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policystatements#storage

BR,

Peter

Re: How to (easily) deny access for bucket containing secure data ?

AntonioSousa — Thu, 05 Dec 2024 20:49:19 GMT

@josef_solnicky,

This is my usual strategy among my clients, but I'm also open to new ideas:

Logs for each group/application goes into certain buckets.
No one has access to global logs (yeah, except adminns)
I give the following minimal policies to each group. Of course, you can add other functionalities, but this is the bare minimum I've got working. I still have to work on hardening the last two lines. Please notice you have to define the condition for storage:logs:read

ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.classic.logs.events";
ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.notebooks";
ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.logs";
ALLOW storage:buckets:read WHERE storage:bucket-name = "special_bucket";
ALLOW storage:logs:read WHERE storage:k8s.cluster.name = "special_k8s";
ALLOW document:environment-shares:read;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;

Re: How to (easily) deny access for bucket containing secure data ?

Peter_Youssef — Fri, 06 Dec 2024 14:05:30 GMT

Thanks @AntonioSousa for detailed description.

Re: How to (easily) deny access for bucket containing secure data ?

josef_solnicky — Tue, 10 Dec 2024 07:44:02 GMT

Thank you Antonio !

Trying to implement it in first case - in fact just the log part now
ALLOW storage:buckets:read WHERE storage:bucket-name = "special_bucket";
Plus removing the "Read Logs" and "Environment role - View logs" policies.

BR, Josef

Re: How to (easily) deny access for bucket containing secure data ?

josef_solnicky — Wed, 22 Jan 2025 14:15:20 GMT

Hi Antonio,
how you are defining access to PARTICULAR standard entities and metrics - hosts, processes, services, requests, traces, apps, user actions ? Via policy boundaries ?
Are you still using management zones ?
BR, Josef

Re: How to (easily) deny access for bucket containing secure data ?

panumjp — Mon, 17 Mar 2025 14:40:49 GMT

Josef, did you find solution for that? I am currently trying to figure out what is the best way to control access to entities and data in Kubernetes, Problems and Logs application.

I believe this is a very common use case, yet I haven't been able to find any good examples!