This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to (easily) deny access for bucket containing secure data ?

Go to solution
josef_solnicky
Helper

‎05 Dec 2024 02:58 PM

We created log bucket for secure data + Allow policy for special group - but probably because of default policy "Storage Logs Read" - anyboddy still can access those logs.
Cannot find any example in Docs.

Is there any easy solution ? Or do we need to DENY access from other groups ?? 

 

BR, Josef

Reply
4 REPLIES 4

Go to solution
Peter_Youssef
Champion

‎05 Dec 2024 06:06 PM

Hi @josef_solnicky 

PFA Dynatrace Resource that contains answer to the related storage policy:

BR,

Peter

0 Kudos
Reply

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru

‎05 Dec 2024 08:49 PM

@josef_solnicky,

This is my usual strategy among my clients, but I'm also open to new ideas:

  1. Logs for each group/application goes into certain buckets.
  2. No one has access to global logs (yeah, except adminns)
  3. I give the following minimal policies to each group. Of course, you can add other functionalities, but this is the bare minimum I've got working. I still have to work on hardening the last two lines. Please notice you have to define the condition for storage:logs:read

    ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.classic.logs.events";
    ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.notebooks";
    ALLOW app-engine:apps:run WHERE shared:app-id = "dynatrace.logs";
    ALLOW storage:buckets:read WHERE storage:bucket-name = "special_bucket";
    ALLOW storage:logs:read WHERE storage:k8s.cluster.name = "special_k8s";
    ALLOW document:environment-shares:read;
    ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read, state:user-app-states:write, state:user-app-states:delete, state-management:app-states:delete, state-management:user-app-states:delete, state-management:user-app-states:delete-all, app-settings:objects:read, app-settings:objects:write;
    ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write, document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete, document:trash.documents:read, document:trash.documents:restore, document:trash.documents:delete;
Antonio Sousa
Reply

Go to solution
Peter_Youssef
Champion
In response to AntonioSousa

‎06 Dec 2024 02:05 PM

Thanks @AntonioSousa for detailed description.

0 Kudos
Reply

Go to solution
josef_solnicky
Helper
In response to AntonioSousa

‎10 Dec 2024 07:44 AM

Thank you Antonio !

Trying to implement it in first case - in fact just the log part now 
    ALLOW storage:buckets:read WHERE storage:bucket-name = "special_bucket";
Plus removing the "Read Logs" and "Environment role - View logs" policies.

BR, Josef

0 Kudos
Reply
Ask a question

Featured Posts