Last active
December 4, 2019 02:02
-
-
Save aaronfranco/eb0517974c584f175d93e57ca9b02e9c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var AWS = require('aws-sdk'); | |
| // Set the region | |
| /* | |
| * CHANGE THIS TO YOUR REGION | |
| */ | |
| AWS.config.update({region: 'us-east-2'}); | |
| // Create S3 service object | |
| let s3 = new AWS.S3(); | |
| /* Example payload coming from Cloudwatch Event --- | |
| { | |
| "version": "0", | |
| "id": "4c16f103-a9e3-254d-2e1e-56f8949c1e03", | |
| "detail-type": "Config Rules Compliance Change", | |
| "source": "aws.config", | |
| "account": "076234686720", | |
| "time": "2019-06-21T20:19:39Z", | |
| "region": "us-west-2", | |
| "resources": [ | |
| ], | |
| "detail": { | |
| "resourceId": "aarons-tet-bucket-ssl-config", | |
| "awsRegion": "us-west-2", | |
| "awsAccountId": "076234686720", | |
| "configRuleName": "s3-bucket-ssl-requests-only", | |
| "recordVersion": "1.0", | |
| "configRuleARN": "arn:aws:config:us-west-2:076234686720:config-rule/config-rule-jqkzjj", | |
| "messageType": "ComplianceChangeNotification", | |
| "newEvaluationResult": { | |
| "evaluationResultIdentifier": { | |
| "evaluationResultQualifier": { | |
| "configRuleName": "s3-bucket-ssl-requests-only", | |
| "resourceType": "AWS::S3::Bucket", | |
| "resourceId": "aarons-tet-bucket-ssl-config" | |
| }, | |
| "orderingTimestamp": "2019-06-21T20:19:21.908Z" | |
| }, | |
| "complianceType": "NON_COMPLIANT", | |
| "resultRecordedTime": "2019-06-21T20:19:38.850Z", | |
| "configRuleInvokedTime": "2019-06-21T20:19:38.498Z" | |
| }, | |
| "notificationCreationTime": "2019-06-21T20:19:39.919Z", | |
| "resourceType": "AWS::S3::Bucket" | |
| } | |
| } | |
| */ | |
| exports.handler = async (event) => { | |
| console.log(JSON.stringify(event)) | |
| let changeData = event.detail; | |
| if(changeData.newEvaluationResult.complianceType === 'NON_COMPLIANT'){ | |
| const bucketName = changeData.newEvaluationResult.evaluationResultIdentifier.evaluationResultQualifier.resourceId | |
| const bucketARN = "arn:aws:s3:::" + bucketName; | |
| var readOnlyAnonUserPolicy = { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": [ | |
| changeData.awsAccountId | |
| ] | |
| }, | |
| "Action": "s3:Get*", | |
| "Resource": bucketARN + "/*" | |
| }, | |
| { | |
| "Effect": "Deny", | |
| "Principal": "*", | |
| "Action": "*", | |
| "Resource": bucketARN + "/*", | |
| "Condition": { | |
| "Bool": { | |
| "aws:SecureTransport": "false" | |
| } | |
| } | |
| } | |
| ] | |
| }; | |
| console.log(JSON.stringify(readOnlyAnonUserPolicy)) | |
| // convert policy JSON into string and assign into params | |
| var bucketPolicyParams = {Bucket: changeData.resourceId, Policy: JSON.stringify(readOnlyAnonUserPolicy)}; | |
| console.log("Calling S3 putBucketPolicy Now") | |
| // set the new policy on the selected bucket | |
| let data = await s3.putBucketPolicy(bucketPolicyParams).promise(); | |
| console.log(data) | |
| } | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment