Created
November 7, 2019 03:05
-
-
Save makash/a8433db0245f36badb48ade2d3228f53 to your computer and use it in GitHub Desktop.
Deploying the Cloud Custodian policy as an AWS Lambda which is scheduled to run every 1 hour to check for and remove public buckets if they match certain tags
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| policies: | |
| - name: s3-remove-public-access | |
| mode: | |
| type: periodic | |
| schedule: rate(1 hour) | |
| role: arn:aws:iam::1234567890:role/FAKE-Custodian-tag-compliance-role-FAKE | |
| description: | | |
| Finds global access s3 buckets in your account and fix them if they match certain tag createdby with value automation and not hosting a static site | |
| resource: s3 | |
| region: us-east-1 | |
| filters: | |
| - type: global-grants | |
| - type: value | |
| key: "tag:createdby" | |
| value: "automation" | |
| - not: | |
| - type: value | |
| key: "tag:type" | |
| value: "static-site" | |
| actions: | |
| - type: delete-global-grants | |
| grantees: | |
| - "http://acs.amazonaws.com/groups/global/AllUsers" | |
| - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment