Last active December 4, 2018 18:06
AWS S3 Bucket Policy To Block All Public Object ACLs From Being Set
```yaml
policies:
  - name: s3-deny-public-object-acl-poll
    resource: s3
    description: |
      Appends a bucket policy statement to all existing buckets to deny anyone from setting s3 objects
      in the bucket to public-read, public-read-write, or any authenticated AWS user.
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyS3PublicObjectACL"
            Effect: "Deny"
            Action: "s3:PutObjectAcl"
            Principal: "*"
            Resource:
              - "arn:aws:s3:::{bucket_name}/*"
              - "arn:aws:s3:::{bucket_name}"
            Condition:
              StringEqualsIgnoreCaseIfExists:
                's3:x-amz-acl':
                  - "public-read"
                  - "public-read-write"
                  - "authenticated-read"

  - name: s3-deny-public-object-acl-realtime
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
        - source: 's3.amazonaws.com'
          event: PutBucketPolicy
          ids: "requestParameters.bucketName"
      role: arn:aws:iam::{account_id}:role/Cloud_Custodian_Role
      timeout: 200
    description: |
      Triggers on New Buckets and Bucket Policy Changes. Appends a bucket policy statement
      to deny anyone from setting s3 objects in the bucket to public-read, public-read-write, or any authenticated AWS user.
      Works with both console and API calls
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyS3PublicObjectACL"
            Effect: "Deny"
            Action: "s3:PutObjectAcl"
            Principal: "*"
            Resource:
              - "arn:aws:s3:::{bucket_name}/*"
              - "arn:aws:s3:::{bucket_name}"
            Condition:
              StringEqualsIgnoreCaseIfExists:
                's3:x-amz-acl':
                  - "public-read"
                  - "public-read-write"
                  - "authenticated-read"
```
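As an added example (not part of this gist and not Cloud Custodian's own code), a small offline Python model of what the `set-statements` action does with this statement: render it for one bucket, merge it into an existing bucket policy by `Sid` without disturbing other statements, and check which `PutObjectAcl` requests the condition actually matches. `EXISTING_POLICY` and the request header dicts are constructed samples.

```python
import copy
import json
from typing import Optional

# Constructed sample: a bucket policy that already holds an unrelated Allow statement.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}

PUBLIC_ACLS = ["public-read", "public-read-write", "authenticated-read"]


def deny_public_acl_statement(bucket_name: str) -> dict:
    """Render the gist's DenyS3PublicObjectACL statement with {bucket_name} filled in."""
    return {
        "Sid": "DenyS3PublicObjectACL",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObjectAcl",
        "Resource": [f"arn:aws:s3:::{bucket_name}/*", f"arn:aws:s3:::{bucket_name}"],
        "Condition": {"StringEqualsIgnoreCaseIfExists": {"s3:x-amz-acl": PUBLIC_ACLS}},
    }


def merge_statement(policy: Optional[dict], statement: dict) -> dict:
    """Append-or-replace by Sid (idempotent); other statements are left untouched."""
    doc = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    doc["Statement"] = [s for s in doc["Statement"] if s.get("Sid") != statement["Sid"]]
    doc["Statement"].append(statement)
    return doc


def acl_request_denied(policy: dict, headers: dict) -> bool:
    """Evaluate only the DenyS3PublicObjectACL statement against a PutObjectAcl request."""
    for s in policy["Statement"]:
        if s.get("Sid") != "DenyS3PublicObjectACL":
            continue
        blocked = s["Condition"]["StringEqualsIgnoreCaseIfExists"]["s3:x-amz-acl"]
        acl = headers.get("x-amz-acl")
        # IfExists semantics: a request without the canned-ACL header never matches this Deny.
        return acl is not None and acl.lower() in [v.lower() for v in blocked]
    return False


if __name__ == "__main__":
    merged = merge_statement(EXISTING_POLICY, deny_public_acl_statement("example-bucket"))
    print(json.dumps(merged, indent=2))
```

Because the condition keys only on `s3:x-amz-acl`, a `PutObjectAcl` that grants AllUsers through `x-amz-grant-*` headers or an XML ACL body, or a `PutObject` that sets a public canned ACL at upload time, is not matched by this statement.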