Open leozhad opened 4 years ago
any news on this?
The private resource type Community::S3::PublicAccessBlock
can be used in the meantime.
Installation instructions:
aws cloudformation register-type \
--region us-east-1 \
--type-name "Community::S3::PublicAccessBlock" \
--schema-handler-package "s3://community-resource-provider-catalog/community-s3-publicaccessblock-0.1.0.zip" \
--type RESOURCE \
--execution-role-arn <ROLE_ARN_WITH_ENOUGH_PRIVILEGE>
Usage example:
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3AccountPublicAccessBlock:
Type: 'Community::S3::PublicAccessBlock'
Properties:
BlockPublicAcls: true
BlockPublicPolicy: false
IgnorePublicAcls: true
RestrictPublicBuckets: true
This is a frustrating gap in CloudFormation.
As AWS's infrastructure-as-code tool, CloudFormation should be able to build all desired AWS infrastructure in a brand new AWS account using code, right?
But the inability to disable this account-wide feature via officially-supported CFN resource types means that CFN cannot do that when those resources include S3 buckets with public access. :stuck_out_tongue_closed_eyes:
The error message associated with violating this account-wide public access block is also quite unhelpful:
"MyBucket": {
"Type": "AWS::S3::Bucket"
}
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "MyBucket"},
"PolicyDocument": {
"Statement":[
{
"Action":["s3:GetObject"],
"Effect":"Allow",
"Resource": { "Fn::Sub" : "${MyBucket.Arn}/*" },
"Principal": "*"
}
]
}
}
}
Attempting to create this stack results in the error API: s3:PutBucketPolicy Access Denied
. Because of this error, I spent a bunch of time trying to figure out if there was some race condition in the order of creation of the bucket and the policy, or some scenario in which the owner of an S3 bucket can't put a policy to the bucket they just created… when in fact neither of those had anything to do with the problem.
Just to add, this would be a great addition to use in StackSets applied to an Organization. All new and existing accounts could get BlockPublicAccess as a security baseline.
any updates on this? ive found some workarounds but wondering if theres something in the works to make this a lot easier
Instructions for CloudFormation Coverage New Issues Template
Quick Summary: