@Warrenn
Created January 10, 2022 17:23
# Encrypted, non-public S3 bucket. The name is built from the NameOfS3Bucket
# parameter plus the account id and region, so the same template can be
# deployed in several accounts/regions without name collisions.
S3Bucket:
  Type: 'AWS::S3::Bucket'
  Properties:
    # SSE-S3 (AES256) is applied to any object written without an explicit
    # server-side-encryption header.
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
    # Resulting name: <NameOfS3Bucket>-<account id>-<region>.
    # Short-form intrinsics are equivalent to the Fn::Join / Ref long form.
    BucketName: !Join
      - '-'
      - - !Ref NameOfS3Bucket
        - !Ref AWS::AccountId
        - !Ref AWS::Region
    # Block every form of public access at the bucket level; the bucket
    # policy below adds the per-request controls on top of this.
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
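# Bucket policy for S3Bucket: read access limited to one AWS Organization,
# and explicit Deny statements for unencrypted uploads, non-TLS requests and
# public ACL grants. `Bucket: !Ref S3Bucket` already makes CloudFormation
# create the bucket first, so the former explicit DependsOn was redundant.
S3BucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref S3Bucket
    PolicyDocument:
      # Pin the policy language version; without it IAM falls back to the
      # older 2008-10-17 grammar.
      Version: '2012-10-17'
      Statement:
        # NOTE(review): in the pasted source every Principal was "" and every
        # object ARN ended in a bare "/" — the '*' wildcards were evidently
        # lost when the gist was rendered. They are restored here as '*' and
        # '/*'; confirm against the original template before deploying.
        - Sid: AllowReadWithinOrganization
          Effect: Allow
          Principal: '*'
          Action: 's3:GetObject'
          # ${AWS::Partition} used here too, matching the Deny statements,
          # instead of the hard-coded "aws" partition.
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            StringEquals:
              # NOTE(review): hard-coded organisation id; consider promoting it
              # to a template parameter so the template is reusable. With this
              # condition the '*' principal should not count as a public
              # policy for BlockPublicPolicy — verify in the target account.
              'aws:PrincipalOrgID': 'o-y3qvww2lcj'
        # Rejects uploads that omit the SSE header entirely. Bucket default
        # encryption would still encrypt such objects, so this also blocks
        # clients that rely on the default — defence in depth, but it is a
        # common source of AccessDenied for SDK callers; document it for users.
        - Sid: DenyPublishingUnencryptedResources
          Effect: Deny
          Principal: '*'
          Action: 's3:PutObject'
          Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            'Null':
              # Condition values written as strings, as in the IAM examples,
              # rather than YAML booleans.
              's3:x-amz-server-side-encryption': 'true'
        # Rejects uploads whose SSE header names anything other than SSE-S3
        # or SSE-KMS. Plain StringNotEquals is used: the key is single-valued,
        # and AWS advises against ForAllValues on single-valued keys (a
        # missing header would also match, which the Null statement above
        # already covers).
        - Sid: DenyIncorrectEncryptionHeader
          Effect: Deny
          Principal: '*'
          Action: 's3:PutObject'
          Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            StringNotEquals:
              's3:x-amz-server-side-encryption':
                - AES256
                - 'aws:kms'
        # Enforces TLS for object reads and writes. Note this only covers the
        # two listed actions; listing or bucket-level calls over plain HTTP are
        # not denied by this statement.
        - Sid: DenyUnencryptedConnections
          Effect: Deny
          Principal: '*'
          Action:
            - 's3:GetObject'
            - 's3:PutObject'
          Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            Bool:
              'aws:SecureTransport': 'false'
        # Blocks canned ACLs that would grant read access beyond the account.
        - Sid: DenyPublicReadAcl
          Effect: Deny
          Principal: '*'
          Action:
            - 's3:PutBucketAcl'
            - 's3:PutObject'
            - 's3:PutObjectAcl'
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            StringEquals:
              's3:x-amz-acl':
                - authenticated-read
                - public-read
                - public-read-write
        # Blocks explicit grant headers that target the AllUsers /
        # AuthenticatedUsers groups.
        - Sid: DenyGrantingPublicRead
          Effect: Deny
          Principal: '*'
          Action:
            - 's3:PutBucketAcl'
            - 's3:PutObject'
            - 's3:PutObjectAcl'
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
            - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
          Condition:
            StringLike:
              's3:x-amz-grant-read':
                - 'http://acs.amazonaws.com/groups/global/AllUsers'
                - 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'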