@jtroberts83
Last active December 4, 2018 18:06
AWS S3 Bucket Policy To Block All Public Object ACLs From Being Set
policies:
  - name: s3-deny-public-object-acl-poll
    resource: s3
    description: |
      Appends a bucket policy statement to every existing bucket that denies anyone from setting
      an object ACL of public-read, public-read-write, or authenticated-read (any authenticated AWS user).
      Note: the condition uses StringEqualsIgnoreCaseIfExists, so a PutObjectAcl request that carries
      no x-amz-acl header (grant headers or an XML ACL body) is also denied. Uploads that set a public
      canned ACL on s3:PutObject are not covered by this statement.
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyS3PublicObjectACL"
            Effect: "Deny"
            Action: "s3:PutObjectAcl"
            Principal: "*"
            Resource:
              - "arn:aws:s3:::{bucket_name}/*"
              - "arn:aws:s3:::{bucket_name}"
            Condition:
              StringEqualsIgnoreCaseIfExists:
                's3:x-amz-acl':
                  - "public-read"
                  - "public-read-write"
                  - "authenticated-read"
  - name: s3-deny-public-object-acl-realtime
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
        - source: 's3.amazonaws.com'
          event: PutBucketPolicy
          ids: "requestParameters.bucketName"
      role: arn:aws:iam::{account_id}:role/Cloud_Custodian_Role
      timeout: 200
    description: |
      Triggers on new buckets and on bucket policy changes. Appends a bucket policy statement that
      denies anyone from setting an object ACL of public-read, public-read-write, or authenticated-read
      (any authenticated AWS user). Works for both console and API calls.
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyS3PublicObjectACL"
            Effect: "Deny"
            Action: "s3:PutObjectAcl"
            Principal: "*"
            Resource:
              - "arn:aws:s3:::{bucket_name}/*"
              - "arn:aws:s3:::{bucket_name}"
            Condition:
              StringEqualsIgnoreCaseIfExists:
                's3:x-amz-acl':
                  - "public-read"
                  - "public-read-write"
                  - "authenticated-read"
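Both policies above append the same DenyS3PublicObjectACL statement. The following is an added example, not part of the gist or of Cloud Custodian: it builds that statement for a bucket, upserts it into an existing policy document by Sid (the way the set-statements action does, so re-running does not duplicate it), and then evaluates sample PutObjectAcl requests against the resulting policy with the IAM semantics of StringEqualsIgnoreCaseIfExists. The bucket name "example-bucket", the role ARN and the request contexts are constructed for illustration; the evaluator implements only the StringEquals family of operators, which is all this statement uses.

```python
import json
from fnmatch import fnmatchcase

# Canned ACLs blocked by the gist's statement.
PUBLIC_CANNED_ACLS = ("public-read", "public-read-write", "authenticated-read")


def deny_public_object_acl_statement(bucket_name):
    """Return the Deny statement from the policy above with {bucket_name} filled in."""
    return {
        "Sid": "DenyS3PublicObjectACL",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObjectAcl",
        "Resource": [f"arn:aws:s3:::{bucket_name}/*", f"arn:aws:s3:::{bucket_name}"],
        "Condition": {
            "StringEqualsIgnoreCaseIfExists": {"s3:x-amz-acl": list(PUBLIC_CANNED_ACLS)}
        },
    }


def set_statement(policy_json, statement):
    """Upsert a statement by Sid (mirrors Custodian's set-statements behaviour).

    policy_json is the bucket's current policy as a JSON string, or None when the
    bucket has no policy yet. Returns the new policy document as a JSON string.
    """
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17", "Statement": []}
    statements = _as_list(policy.get("Statement", []))
    statements = [s for s in statements if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


def statement_sids(policy_json):
    """List the Sids present in a policy document (used to check idempotency)."""
    return [s.get("Sid") for s in _as_list(json.loads(policy_json)["Statement"])]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringEqualsIgnoreCase and their IfExists variants.

    IAM semantics: an ...IfExists operator evaluates to true when the condition key is
    absent from the request context; the plain operator evaluates to false. All keys
    under an operator must match (AND); any listed value may match (OR).
    """
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise NotImplementedError(f"operator not modelled here: {operator}")
        for key, expected in keys.items():
            if key not in context:
                if if_exists:
                    continue  # absent key counts as a match for IfExists
                return False
            actual, wanted = context[key], _as_list(expected)
            if base == "StringEqualsIgnoreCase":
                actual, wanted = actual.lower(), [w.lower() for w in wanted]
            if actual not in wanted:
                return False
    return True


def would_deny(policy_json, action, resource_arn, context):
    """True if any Deny statement matches the request; an explicit deny always wins."""
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed pre-existing policy for a hypothetical bucket.
    existing = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAppRole", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
    policy = set_statement(existing, deny_public_object_acl_statement("example-bucket"))
    obj = "arn:aws:s3:::example-bucket/report.csv"
    cases = [
        ("PutObjectAcl x-amz-acl=public-read", "s3:PutObjectAcl", {"s3:x-amz-acl": "public-read"}),
        ("PutObjectAcl x-amz-acl=PUBLIC-READ-WRITE", "s3:PutObjectAcl", {"s3:x-amz-acl": "PUBLIC-READ-WRITE"}),
        ("PutObjectAcl x-amz-acl=private", "s3:PutObjectAcl", {"s3:x-amz-acl": "private"}),
        ("PutObjectAcl via grant headers / XML body (no x-amz-acl)", "s3:PutObjectAcl", {}),
        ("PutObject x-amz-acl=public-read (ACL set at upload)", "s3:PutObject", {"s3:x-amz-acl": "public-read"}),
    ]
    for label, action, ctx in cases:
        verdict = "DENIED" if would_deny(policy, action, obj, ctx) else "not denied by this statement"
        print(f"{label}: {verdict}")
```

The last two cases are the ones worth checking before rolling this out: a PutObjectAcl that carries no x-amz-acl header is denied because IfExists treats the missing key as a match, which also blocks legitimate grant-based or XML-body ACL changes, while a public canned ACL supplied on s3:PutObject at upload time is not touched by this statement at all.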