Update S3 write scripts to check account ownership before write
jilladams opened this issue · comments
Update script statements like this:

```shell
aws s3 sync $global_dist_dir s3://$global_bucket/aws-media-insights-engine/$version/
aws s3 sync $regional_dist_dir s3://${regional_bucket}-${region}/aws-media-insights-engine/$version/
```

to include checks like this before running `s3 sync` or `s3 cp`:

```shell
aws s3api head-bucket --bucket $global_bucket --expected-bucket-owner $bucket_account
aws s3api head-bucket --bucket $regional_bucket --expected-bucket-owner $bucket_account
```
The head-bucket command will return a non-zero result (API returns a 403) if the bucket ownership doesn’t match. If you have error handling set to short-circuit the script, the above statements would stop the script before uploading.
Directly uploading to regional buckets means checking each bucket before uploading.
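The guard described above, as an added example that is not code from the issue or from either solution's deploy script: a small shell function wraps `head-bucket --expected-bucket-owner` so the ownership check and the `s3 sync` are one step, and a `set -e` script stops before any upload when the check fails. The variable names (`$bucket_account`, `$global_bucket`, `$regional_bucket`, `$regions`, `$version`, the dist directories) are assumed to be set by the surrounding deploy script, following the statements quoted in the issue.

```shell
#!/bin/bash
# Added example (not from the issue or the aws-solutions repositories).
# Assumes the deploy script sets: bucket_account, global_bucket, regional_bucket,
# regions, version, global_dist_dir, regional_dist_dir (names follow the issue).
set -eu

# verify_bucket_owner BUCKET EXPECTED_ACCOUNT_ID
# Returns 0 when the bucket exists and is owned by EXPECTED_ACCOUNT_ID.
# Returns non-zero when S3 answers 403 (owner mismatch, or no access) or the
# bucket does not exist, so a `set -e` script stops here instead of uploading.
verify_bucket_owner() {
    local bucket="$1" account="$2"
    if aws s3api head-bucket --bucket "$bucket" --expected-bucket-owner "$account" >/dev/null 2>&1; then
        echo "ok: s3://$bucket is owned by account $account"
        return 0
    else
        echo "refusing to write: s3://$bucket is not owned by account $account (or is not accessible)" >&2
        return 1
    fi
}

# sync_if_owned SRC_DIR BUCKET KEY_PREFIX EXPECTED_ACCOUNT_ID
# Ownership check and upload in one call, so the two cannot drift apart when
# the script is edited later. Each regional bucket is a distinct bucket, so the
# check is repeated per region.
sync_if_owned() {
    local src="$1" bucket="$2" prefix="$3" account="$4"
    verify_bucket_owner "$bucket" "$account" || return 1
    aws s3 sync "$src" "s3://$bucket/$prefix/"
}

# Deploy-script usage, mirroring the statements quoted in the issue. Guarded by
# RUN_DEPLOY so the functions can be sourced and tested without touching S3.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
    sync_if_owned "$global_dist_dir" "$global_bucket" \
        "aws-media-insights-engine/$version" "$bucket_account"
    for region in $regions; do
        sync_if_owned "$regional_dist_dir" "${regional_bucket}-${region}" \
            "aws-media-insights-engine/$version" "$bucket_account"
    done
fi
```

Because `head-bucket` is a separate API call, the check only narrows the window; the `sync` itself still writes to whatever bucket name it is given, so keep the check immediately before each write rather than once at the top of the script.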
This is already in the dev branch:
https://github.com/aws-solutions/aws-media-services-application-mapper/blob/dev-v1.10.0/deployment/deploy.sh#L64