Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions). Includes a CloudFormation custom resource to enable this setting.
S3 Block Public Access provides four settings, and the template below turns on all four for the account:
BlockPublicAcls: rejects PUT requests that would attach a public ACL to a bucket or object.
IgnorePublicAcls: ignores any public ACL that is already attached to a bucket or object.
BlockPublicPolicy: rejects bucket policies that would grant public access.
RestrictPublicBuckets: for buckets that already have a public policy, ignores public and cross-account access so only principals in the bucket owner's account and AWS services can reach them.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Custom resource: the four settings are passed to the Lambda function below,
  # which applies them with PutPublicAccessBlock at the account level.
  S3BlockPublicAccess:
    Type: "Custom::S3BlockPublicAccess"
    Properties:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
      ServiceToken:
        Fn::GetAtt:
          - "S3BlockPublicAccessLambda"
          - "Arn"
  # Execution role: basic CloudWatch Logs permissions plus only the two
  # account-level public-access-block actions the function needs.
  S3BlockPublicAccessLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "s3inline"
          PolicyDocument:
            Statement:
              - Effect: "Allow"
                Action:
                  - "s3:PutAccountPublicAccessBlock"
                  - "s3:GetAccountPublicAccessBlock"
                Resource: "*"
  # The handler code is fetched from a regional auxiliary bucket.
  S3BlockPublicAccessLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        S3Bucket:
          Fn::Sub:
            - "asecure-cloud-cf-aux-${Region}"
            - Region:
                Ref: "AWS::Region"
        S3Key: "s3-block-public-access-lambda.zip"
      Handler: "index.handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "S3BlockPublicAccessLambdaRole"
          - "Arn"
      # nodejs14.x has reached end of support in Lambda; new functions need a
      # current Node.js runtime, and the packaged handler must work with it.
      Runtime: "nodejs14.x"
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}
```