S3 Security - S3 Block Public Access (Account-Level)

Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions). Includes a CloudFormation custom resource to enable this setting.

S3 Block Public Access provides four settings:

Block Public ACLs: Prevent any new operations to make buckets or objects public through Bucket or Object ACLs. (existing policies and ACLs for buckets and objects are not modified.)
Ignore Public ACLs: Ignore all public ACLs on a bucket and any objects that it contains
Block Public Policy: Reject calls to PUT Bucket policy if the specified bucket policy allows public access. (Enabling this setting doesn't affect existing bucket policies)
Restrict Public Buckets: Restrict access to a bucket with a public policy to only AWS services and authorized users within the bucket owner's account.

Lambda Code (Nodejs)

CloudFormation |AWS CLI

Items

Size

1.5 KB

YAML/JSON

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  S3BlockPublicAccess:
    Type: 'Custom::S3BlockPublicAccess'
    Properties:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
      ServiceToken:
        'Fn::GetAtt':
          - S3BlockPublicAccessLambda
          - Arn
  S3BlockPublicAccessLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: s3inline
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutAccountPublicAccessBlock'
                  - 's3:GetAccountPublicAccessBlock'
                Resource: '*'
  S3BlockPublicAccessLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: s3-block-public-access-lambda.zip
      Handler: index.handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - S3BlockPublicAccessLambdaRole
          - Arn
      Runtime: nodejs10.x
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}

* Required field

Configuration Source: AWS Documentation

Additional Documentation:

AWS CLI Command Reference Guide: Update Account S3 Block Public Access Settings

This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

Configuration Item

A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups.

Configuration Package

Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning

Configuration Item

Security Control

Domain

Configuration Packages

Solutions, Guides & Tools

Overview

Configuration Templates

Actions

Sources and Documentation