aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::S3::PublicAccessBlock Account Wide Setting #168

Open leozhad opened 4 years ago

leozhad commented 4 years ago

Instructions for CloudFormation Coverage New Issues Template

Quick Summary:

  1. Title -> AWS::Service::Resource-Attribute-Existing Attribute
  2. Scope of request -> AWS::S3::Bucket PublicAccessBlockConfiguration supports the setting at the bucket level today, but not the account level
  3. Expected behavior -> There should be a resource for turning on Public Access Block for a whole account in CloudFormation
  4. Category tag (optional) -> Storage
  5. Any additional context (optional)

pamu78 commented 3 years ago

Any news on this?

eduardomourar commented 3 years ago

The private resource type Community::S3::PublicAccessBlock can be used in the meantime.

Installation instructions:

aws cloudformation register-type \
  --region us-east-1 \
  --type-name "Community::S3::PublicAccessBlock" \
  --schema-handler-package "s3://community-resource-provider-catalog/community-s3-publicaccessblock-0.1.0.zip" \
  --type RESOURCE \
  --execution-role-arn <ROLE_ARN_WITH_ENOUGH_PRIVILEGE>

Usage example:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3AccountPublicAccessBlock:
    # Private resource type registered with the register-type command above
    Type: 'Community::S3::PublicAccessBlock'
    Properties:
      # One property per flag of the account-level Public Access Block
      BlockPublicAcls: true
      BlockPublicPolicy: false
      IgnorePublicAcls: true
      RestrictPublicBuckets: true

dlenski commented 3 years ago

This is a frustrating gap in CloudFormation.

As AWS's infrastructure-as-code tool, CloudFormation should be able to build all desired AWS infrastructure in a brand new AWS account using code, right?

But the inability to disable this account-wide feature via officially-supported CFN resource types means that CFN cannot do that when those resources include S3 buckets with public access. :stuck_out_tongue_closed_eyes:

The error message associated with violating this account-wide public access block is also quite unhelpful:

{
  "Resources": {
    "MyBucket": {
      "Type": "AWS::S3::Bucket"
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "MyBucket"},
        "PolicyDocument": {
          "Statement": [
            {
              "Action": ["s3:GetObject"],
              "Effect": "Allow",
              "Resource": {"Fn::Sub": "${MyBucket.Arn}/*"},
              "Principal": "*"
            }
          ]
        }
      }
    }
  }
}

Attempting to create this stack results in the error API: s3:PutBucketPolicy Access Denied. Because of this error, I spent a bunch of time trying to figure out if there was some race condition in the order of creation of the bucket and the policy, or some scenario in which the owner of an S3 bucket can't put a policy to the bucket they just created… when in fact neither of those had anything to do with the problem.
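
Added pre-flight check for the failure mode described in the comment above. This is example code written for this page, not code from the thread, from the Community resource provider, or from AWS. It takes a CloudFormation template (the sample template is the one from the comment, as a Python dict, with the missing comma fixed), merges the account-wide Public Access Block with any bucket-level PublicAccessBlockConfiguration in the template (the more restrictive value wins, which is how S3 combines the two levels), and reports every AWS::S3::BucketPolicy statement that would make s3:PutBucketPolicy fail with AccessDenied because BlockPublicPolicy is in effect. The "public statement" test is a deliberate simplification (assumption): an Allow statement with a wildcard principal and no Condition block; real S3 treats some conditioned statements as public as well.

```python
import copy

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample input: the account-wide setting as an all-on baseline
# (the shape `aws s3control get-public-access-block` returns), and an all-off one.
ACCOUNT_PAB = {k: True for k in PAB_KEYS}
NO_PAB = {k: False for k in PAB_KEYS}

# Constructed sample input: the template from the comment above, as a dict.
TEMPLATE = {
    "Resources": {
        "MyBucket": {"Type": "AWS::S3::Bucket"},
        "BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "MyBucket"},
                "PolicyDocument": {
                    "Statement": [{
                        "Action": ["s3:GetObject"],
                        "Effect": "Allow",
                        "Resource": {"Fn::Sub": "${MyBucket.Arn}/*"},
                        "Principal": "*",
                    }]
                },
            },
        },
    }
}


def effective_pab(account, bucket=None):
    """Merge account- and bucket-level settings: a flag is on if either level sets it."""
    bucket = bucket or {}
    return {k: bool(account.get(k, False) or bucket.get(k, False)) for k in PAB_KEYS}


def _is_wildcard_principal(principal):
    """True for "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_document):
    """Indices of Allow statements granting to a wildcard principal with no Condition.

    Simplification (assumption): any Condition is treated as making the statement
    non-public; S3's real evaluation is stricter about which condition keys count.
    """
    stmts = policy_document.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement is allowed in IAM JSON
        stmts = [stmts]
    return [i for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def with_bucket_pab(template, bucket_logical_id, cfg):
    """Return a copy of the template with PublicAccessBlockConfiguration set on a bucket."""
    t = copy.deepcopy(template)
    props = t["Resources"][bucket_logical_id].setdefault("Properties", {})
    props["PublicAccessBlockConfiguration"] = cfg
    return t


def check_template(template, account_pab):
    """Findings as (policy_logical_id, bucket_logical_id, statement_index, message)."""
    findings = []
    resources = template.get("Resources", {})
    for lid, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        ref = props.get("Bucket")
        bucket_lid = ref.get("Ref") if isinstance(ref, dict) else None
        bucket_props = resources.get(bucket_lid, {}).get("Properties", {}) if bucket_lid else {}
        eff = effective_pab(account_pab, bucket_props.get("PublicAccessBlockConfiguration"))
        if not eff["BlockPublicPolicy"]:
            continue                     # public policies are accepted; nothing to flag
        for idx in public_statements(props.get("PolicyDocument", {})):
            findings.append((lid, bucket_lid, idx,
                             f"{lid}: statement {idx} allows Principal '*' on {bucket_lid}; "
                             f"BlockPublicPolicy is in effect, so s3:PutBucketPolicy "
                             f"will be rejected with AccessDenied"))
    return findings


if __name__ == "__main__":
    for f in check_template(TEMPLATE, ACCOUNT_PAB):
        print(f[3])
```

Run against the sample, the checker names the exact statement that the opaque "API: s3:PutBucketPolicy Access Denied" hides. Before trusting the simplified public-statement test on a real account, compare it with what S3 itself reports: `aws s3control get-public-access-block --account-id <id>` for the account level, and `aws s3api get-bucket-policy-status --bucket <name>` for an existing bucket's PolicyStatus.IsPublic.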

georgealton commented 2 years ago

Just to add, this would be a great addition to use in StackSets applied to an Organization. All new and existing accounts could get BlockPublicAccess as a security baseline.

alextongme commented 2 years ago

Any updates on this? I've found some workarounds but am wondering if there's something in the works to make this a lot easier.