Context
For some time AWS has provided a setting to prevent public access to buckets even in the event of accidental misconfiguration. Amazon recommends that this is enabled unless users have a compelling reason not to, and it is now the default for new buckets created in the console. Furthermore, many cloud security analytics tools now flag buckets that do not block public access as a potential risk.
As of version 0.51.0 Zappa does not block public access on the buckets it creates; it should do so.
Expected Behavior
New buckets created by Zappa should have all of the Block Public Access flags set.
Actual Behavior
New buckets created by Zappa do not have any Block Public Access flags set.
Possible Fix
It appears that the S3 buckets are lazily auto-created in the core.upload_to_s3() function. Upon creation of a new bucket, Zappa should call the S3 client's put_public_access_block() function and set the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets flags. Users can always remove these flags later if they are not needed, but it seems unlikely to ever be necessary for the auto-created buckets.
Note that Zappa should not attempt to change these flags on buckets that are not auto-created.
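An added illustration of the proposed fix (not Zappa's own code): a bucket is hardened only when this code creates it, pre-existing buckets are left alone, and a check mirrors the verification in the reproduction steps. It assumes `s3` is a boto3 S3 client; FakeS3 is a constructed stand-in so the block runs offline.

```python
try:
    from botocore.exceptions import ClientError  # real exception when botocore is installed
except ImportError:  # offline stand-in with botocore's constructor and .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response

# The four Block Public Access flags named in the issue; all must be True.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

def ensure_bucket(s3, bucket):
    """Create `bucket` if missing and block public access on it; returns True if auto-created."""
    try:
        s3.head_bucket(Bucket=bucket)
        return False  # pre-existing bucket: not ours to reconfigure
    except ClientError as exc:
        if exc.response["Error"]["Code"] not in ("404", "NoSuchBucket"):
            raise  # e.g. 403: exists under another account; do not proceed
    s3.create_bucket(Bucket=bucket)  # region/LocationConstraint handling omitted
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC_ACCESS)
    return True

def public_access_blocked(s3, bucket):
    """The check from the reproduction steps: are all four flags set?"""
    try:
        cfg = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return False  # no block configured at all: the behaviour this issue reports
        raise
    return all(cfg.get(flag) is True for flag in BLOCK_ALL_PUBLIC_ACCESS)

class FakeS3:
    """Constructed offline stand-in for the boto3 S3 client methods used above."""
    def __init__(self, existing=()):
        self.buckets = {name: None for name in existing}  # name -> block config or None
    def head_bucket(self, Bucket):
        if Bucket not in self.buckets:
            raise ClientError({"Error": {"Code": "404"}}, "HeadBucket")
    def create_bucket(self, Bucket):
        self.buckets[Bucket] = None
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.buckets[Bucket] = dict(PublicAccessBlockConfiguration)
    def get_public_access_block(self, Bucket):
        if self.buckets.get(Bucket) is None:
            raise ClientError({"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}, "GetPublicAccessBlock")
        return {"PublicAccessBlockConfiguration": self.buckets[Bucket]}
```

Against a real account, replace FakeS3 with boto3.client("s3"); the pre-existing bucket in the fake deliberately has no block configuration so the check reports the state the issue describes.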
Steps to Reproduce
Create a Zappa project that uses the default S3 bucket.
Deploy the project.
Go to the AWS Console, visit the S3 tool, and check that the newly created S3 bucket allows public access.
Your Environment
Zappa version used: 0.51.1
Operating System and Python version: macOS, Python 3.8
pip freeze: N/A
zappa_settings.json: N/A