This page lists security findings that the amazee.io IT Security team have received in past penetration tests and vulnerability assessments against the amazee.io platform, and which we consider to be false positives.
No egress restrictions to the internet from Lagoon environment namespaces.
Lagoon environments are used to run arbitrary code from Lagoon users, who expect to be able to access the internet, for example to download software packages.
amazee.io cannot restrict this access as it is an integral part of the Lagoon platform offering.
baas-* S3 buckets have the following features disabled:
Encryption at rest
MFA Delete
Versioning
Public Access
These buckets are used by the amazee.io platform backup service, k8up.
k8up encrypts the backup data client-side before uploading it to S3, as described in the S3 security best practices.
Since January 2023, server-side encryption is also enabled by default on new objects.
k8up automatically prunes the backup repository on a configurable schedule.
It needs to be able to delete encrypted blobs from the bucket during this pruning process, so MFA Delete cannot be enabled.
k8up automatically prunes the backup repository to reduce usage of the S3 storage.
Versioning would mean that the pruned data would still be counted towards the S3 storage use.
Therefore Versioning cannot be enabled.
k8up has no ability to automatically configure the Block Public Access configuration of the buckets; instead it relies on the default bucket settings from AWS.
Since April 2023 Block Public Access is the default for new buckets, which fixes this issue.
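The following is an added example, not amazee.io or k8up code: it sorts the versioning, MFA Delete and Block Public Access state of one baas-* bucket into settings the rationale above expects and settings worth a second look. The function name, the "review" split and the sample buckets are assumptions; the inputs are dicts shaped like the S3 GetBucketVersioning and GetPublicAccessBlock responses, and encryption at rest is left out because k8up encrypts client-side.

```python
from datetime import date

# Month taken from the page; using the 1st as the cut-off day is an assumption.
BPA_DEFAULT_SINCE = date(2023, 4, 1)
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def triage_baas_bucket(name, created, versioning, public_access_block):
    """Sort one bucket's settings into 'expected' and 'review' (hypothetical helper).

    versioning: dict shaped like the GetBucketVersioning response.
    public_access_block: dict shaped like the GetPublicAccessBlock response,
    or None when the bucket has no such configuration.
    """
    if not name.startswith("baas-"):
        raise ValueError("the rationale on this page only covers baas-* buckets")
    expected, review = [], []

    # k8up prunes the repository, so both settings are expected to be off.
    if versioning.get("Status") == "Enabled":
        review.append("Versioning enabled: pruned data still counts towards storage")
    else:
        expected.append("Versioning disabled")
    if versioning.get("MFADelete") == "Enabled":
        review.append("MFA Delete enabled: k8up pruning cannot delete blobs")
    else:
        expected.append("MFA Delete disabled")

    # k8up does not configure this itself; it relies on the AWS default.
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in BPA_FLAGS if not cfg.get(flag)]
    if not missing:
        expected.append("Block Public Access on")
    elif created < BPA_DEFAULT_SINCE:
        review.append("Block Public Access off (bucket predates the default): "
                      + ", ".join(missing))
    else:
        review.append("Block Public Access changed from the default: "
                      + ", ".join(missing))
    return {"expected": expected, "review": review}

# Constructed sample input, not real bucket data.
OLD = triage_baas_bucket("baas-example-old", date(2022, 6, 1), {}, None)
NEW = triage_baas_bucket(
    "baas-example-new", date(2023, 9, 1), {"Status": "Suspended"},
    {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_FLAGS, True)})
```

With boto3, the two input dicts come from `get_bucket_versioning` and `get_public_access_block`; the latter raises an error for a bucket with no configuration, which maps to passing `None` here.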