@vallamost
Created August 28, 2017 00:38
Block public ACLs on objects or buckets
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": [
"public-read",
"public-read-write",
"authenticated-read"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-grant-read": [
"uri=http://acs.amazonaws.com/groups/global/AllUsers",
"uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-grant-write": [
"uri=http://acs.amazonaws.com/groups/global/AllUsers",
"uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-grant-read-acp": [
"uri=*"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-grant-write-acp": [
"uri=*"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutBucketAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringLike": {
"s3:x-amz-grant-full-control": [
"uri=*"
]
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": ["s3:PutObjectACL",
"s3:PutObjectVersionAcl"],
"Resource": "arn:aws:s3:::bucket_name/*",
"Condition": {
"Null": {
"s3:x-amz-grant-write-acp": "true",
"s3:x-amz-acl": "true",
"s3:x-amz-grant-read": "true",
"s3:x-amz-grant-write": "true",
"s3:x-amz-grant-read-acp": "true",
"s3:x-amz-grant-full-control": "true"
}
}
}
]
}