What does this change?

Previously, this tool took one bucket and blocked public access to it. Now it looks through all the Security Hub findings to spot buckets that are currently failing AWS FSBP S3.8, excluding buckets provisioned using CDK.

Also added a dry run mode, switched on by default, to prevent accidentally blocking buckets while testing.

There is still more work left to do for this CLI, planned for follow-up PRs. This includes:

- Allowing a user to provide a list of buckets to exclude, which will be removed from the `bucketsToBlock` slice
- Detecting any bucket that has been cloudformed, and skipping it to avoid detecting drift. This will make the GuCDK detection redundant, but is significantly more complicated, so we have left it out for now.
- Potentially, skipping any buckets that are actually publicly accessible, as they will probably need to be triaged by teams manually to avoid undesirable side effects

How to test

Follow the new instructions in the README.md
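The selection logic this PR describes (failing S3.8 findings in, CDK buckets out, a `bucketsToBlock` slice, an exclude list, and a dry run that is on by default) as an added, self-contained Go example. This is not the tool's own code: the `Finding` struct, the sample findings, the `Blocker` interface and the fake blocker are all constructed here, and the CDK check via a `gu:cdk:version` tag is an assumption about how GuCDK-provisioned buckets might be recognised, not what the tool actually does.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is a constructed, minimal stand-in for a Security Hub finding,
// holding only the fields this example needs. Real findings carry far more.
type Finding struct {
	ControlID        string            // e.g. "S3.8"
	ComplianceStatus string            // "FAILED" or "PASSED"
	RecordState      string            // "ACTIVE" or "ARCHIVED"
	BucketName       string            // the S3 bucket the finding is about
	ResourceTags     map[string]string // tags on the bucket resource
}

// provisionedByCDK is an ASSUMED heuristic: a bucket is treated as
// CDK-provisioned when it carries a "gu:cdk:version" tag. The real
// GuCDK detection in the tool may work differently.
func provisionedByCDK(tags map[string]string) bool {
	_, ok := tags["gu:cdk:version"]
	return ok
}

// bucketsToBlock returns the buckets that currently fail S3.8, skipping
// CDK-provisioned buckets and any bucket on the exclude list. The result
// is de-duplicated (one bucket can have several findings) and sorted.
func bucketsToBlock(findings []Finding, exclude []string) []string {
	excluded := make(map[string]bool, len(exclude))
	for _, b := range exclude {
		excluded[b] = true
	}
	seen := map[string]bool{}
	var out []string
	for _, f := range findings {
		// Only active, currently failing S3.8 findings are actionable.
		if f.ControlID != "S3.8" || f.ComplianceStatus != "FAILED" || f.RecordState != "ACTIVE" {
			continue
		}
		if provisionedByCDK(f.ResourceTags) || excluded[f.BucketName] || seen[f.BucketName] {
			continue
		}
		seen[f.BucketName] = true
		out = append(out, f.BucketName)
	}
	sort.Strings(out)
	return out
}

// Blocker abstracts the S3 "block public access" call so the dry run can be
// exercised without touching AWS.
type Blocker interface {
	BlockPublicAccess(bucket string) error
}

// run blocks public access on each selected bucket unless dryRun is set, in
// which case it only reports what it would do. It returns the buckets that
// were actually changed.
func run(findings []Finding, exclude []string, dryRun bool, b Blocker) ([]string, error) {
	var changed []string
	for _, bucket := range bucketsToBlock(findings, exclude) {
		if dryRun {
			fmt.Printf("[dry run] would block public access on %s\n", bucket)
			continue
		}
		if err := b.BlockPublicAccess(bucket); err != nil {
			return changed, fmt.Errorf("blocking %s: %w", bucket, err)
		}
		changed = append(changed, bucket)
	}
	return changed, nil
}

// recordingBlocker is a constructed fake that records calls instead of
// calling S3, so the example and its checks run offline.
type recordingBlocker struct{ calls []string }

func (r *recordingBlocker) BlockPublicAccess(bucket string) error {
	r.calls = append(r.calls, bucket)
	return nil
}

// sampleFindings is constructed sample data, not output from a real account.
func sampleFindings() []Finding {
	return []Finding{
		{"S3.8", "FAILED", "ACTIVE", "legacy-uploads", nil},
		{"S3.8", "FAILED", "ACTIVE", "cdk-assets", map[string]string{"gu:cdk:version": "50"}},
		{"S3.8", "PASSED", "ACTIVE", "already-fixed", nil},
		{"S3.8", "FAILED", "ARCHIVED", "deleted-bucket", nil},
		{"S3.1", "FAILED", "ACTIVE", "other-control", nil},
		{"S3.8", "FAILED", "ACTIVE", "legacy-uploads", nil}, // duplicate finding for one bucket
		{"S3.8", "FAILED", "ACTIVE", "public-site", nil},
	}
}

func main() {
	fake := &recordingBlocker{}
	// Dry run is the default: nothing is changed, only reported.
	changed, err := run(sampleFindings(), []string{"public-site"}, true, fake)
	fmt.Println("changed:", changed, "err:", err, "calls:", fake.calls)
}
```

With the sample data, `bucketsToBlock` yields only `legacy-uploads` and `public-site`: the CDK-tagged bucket, the passing finding, the archived finding and the S3.1 finding are all dropped, and the repeated finding collapses to one entry. Passing `public-site` on the exclude list mirrors the planned follow-up of removing user-supplied buckets from the slice.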