Overview

Configure S3 Block Public Access at the AWS account level (the setting applies to all S3 buckets in all regions of the account). The template includes a CloudFormation custom resource that enables this setting.

S3 Block Public Access provides four settings:

  • Block Public ACLs: Prevents new operations from making buckets or objects public through bucket or object ACLs (existing policies and ACLs for buckets and objects are not modified).
  • Ignore Public ACLs: Ignores all public ACLs on a bucket and on any objects that it contains.
  • Block Public Policy: Rejects calls to PUT Bucket policy if the specified bucket policy allows public access (enabling this setting does not affect existing bucket policies).
  • Restrict Public Buckets: Restricts access to a bucket with a public policy to only AWS services and authorized users within the bucket owner's account.

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  S3BlockPublicAccess:
    Type: 'Custom::S3BlockPublicAccess'
    Properties:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
      ServiceToken:
        'Fn::GetAtt':
          - S3BlockPublicAccessLambda
          - Arn
  S3BlockPublicAccessLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: s3inline
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutAccountPublicAccessBlock'
                  - 's3:GetAccountPublicAccessBlock'
                Resource: '*'
  S3BlockPublicAccessLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: s3-block-public-access-lambda.zip
      Handler: index.handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - S3BlockPublicAccessLambdaRole
          - Arn
      Runtime: nodejs10.x
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}


Sources and Documentation

Configuration Source: AWS Documentation