CloudFormation custom resource for blocking public S3 buckets for an entire account
The custom resource in this repository enables you to use the newly added S3 feature for blocking the creation of public S3 buckets in an AWS account. Please read my blog post for more information: blocking account-wide creation of public S3 buckets through a CloudFormation custom resource.
Note that this custom resource enables all features for blocking the creation of public S3 buckets. See the original blog post linked above for more information on the different features now available.
The Lambda function is now deployed with minimal permissions.
At the time of writing, I have not yet been able to find the specific IAM permissions needed to execute theput_public_access_blockand thedelete_public_access_blockAPI calls. I have of course tried the obvious (s3:DeletePublicAccessBlockands3:PutPublicAccessBlock), but these do not work. As it works withs3:*, I have decided to use this for now. As this is definitely not following the security least-privilege principle, I would very much like to replace this with the proper permissions. If you happen to know what permissions to place here, please leave a comment in my blog or send me a message on Twitter.
Requirements
- AWS CLI with Administrator permission
- Python 3 installed
- Pipenv installed
pip install pipenv
Usage
First, change the first line in the Makefile to specify your S3 bucket to which to upload the SAM artifacts. Then, run the following command to deploy the stack:
make deployThis first will initialize your environment using the following steps:
- Setup a virtual environment using pipenv
- Download the dependencies into the
build/directory - Copy the source code into the
build/directory
You can now start using this custom resource. An example on how to use it is in the stack.yaml file. You can deploy this stack using the following command:
make deploy-stack