org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

feature request: block public access to S3 at the account level #11

Closed: craighurley closed this issue 3 years ago

craighurley commented 4 years ago

Hello,

In a similar way that password policies can be applied to an account or set of accounts, it would be nice if org-formation was able to set "block public access" to S3 at the account level.

OlafConijn commented 4 years ago

great! thanks.

We are at the moment investigating the use of resource providers, and this might mean that in the future the password policy and also this type of setup would be implemented from within a CloudFormation resource and an OrganizationBinding.

e.g.

```yaml
MyS3Policy:
  Type: OC::ORG::S3Policy
  OrganizationBinding:
    Accounts: '*'
  Properties:
    BlockPublicAccess: true
```

As an added benefit you would be able to use these resource providers independently, as this is a CloudFormation feature. Would you be interested in testing these? Would be very happy to adjust priorities to accommodate your use cases.

craighurley commented 4 years ago

Yes, happy to test for you.

OlafConijn commented 4 years ago

Hi, I looked into this and found out that the nodejs sdk (neither cli) supports changing the account level bucket public access block. I wrote a feature request for the node-js sdk team, in the hope they make this land in the right place: https://github.com/aws/aws-sdk-js/issues/3400

If there is something I overlooked, please do let me know. Somewhat tempted to reverse engineer how the console works, but I believe that the authentication scheme the console uses is different. So I guess we'll have to wait this one out.

I did have some good progress on https://github.com/OlafConijn/AwsOrganizationFormation/issues/84.

thanks!

craighurley commented 4 years ago

> neither cli

The aws cli has options for it: https://docs.aws.amazon.com/cli/latest/reference/s3control/put-public-access-block.html

... or did you mean something else?

OlafConijn commented 4 years ago

Yep, got it, thanks. Now also found it on the nodejs sdk.
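The account-level call the two comments above settle on is the S3 Control PutPublicAccessBlock / GetPublicAccessBlock pair that `aws s3control put-public-access-block` wraps. The following is an added example, not code from this thread or from org-formation: a boto3-style audit-and-enforce routine written in Python. It takes the client as a parameter so the logic runs offline against the `FakeS3Control` stub at the bottom, which is constructed data (the account id is fictional); against a real account you would pass `boto3.client("s3control")`. The edge case it handles is an account that has never had a configuration at all, where the API does not return four `false` flags but raises `NoSuchPublicAccessBlockConfiguration`, which an audit must treat as "everything missing".

```python
"""Audit and enforce the account-level S3 Public Access Block.

Added example for this thread; it is not org-formation code. It uses the
S3 Control API that `aws s3control put-public-access-block` and
`get-public-access-block` wrap, through a boto3-style client. The client is
injected so the same logic can be exercised offline against the FakeS3Control
stub below (constructed data, not a real account).
"""
from typing import Any, Dict, List, Optional

# The four account-level settings. Names are the S3 Control API's own; all four
# must be True for the account to be fully blocked.
SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)
FULL_BLOCK: Dict[str, bool] = {name: True for name in SETTINGS}


def missing_settings(config: Optional[Dict[str, Any]]) -> List[str]:
    """Return the settings that are not enabled.

    `config` is the PublicAccessBlockConfiguration dict from
    GetPublicAccessBlock, or None when the account has no configuration at
    all (the API raises NoSuchPublicAccessBlockConfiguration then). A key
    that is absent counts as disabled: an account with no block set is as
    exposed as one explicitly set to false.
    """
    if config is None:
        return list(SETTINGS)
    return [name for name in SETTINGS if config.get(name) is not True]


def _error_code(exc: Exception) -> str:
    """Pull the AWS error code out of a botocore ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def get_account_block(client, account_id: str) -> Optional[Dict[str, Any]]:
    """Fetch the account-level configuration; None when none exists yet."""
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except Exception as exc:  # botocore.exceptions.ClientError at runtime
        if _error_code(exc) == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]


def enforce_account_block(client, account_id: str) -> List[str]:
    """Turn all four settings on if any is off; return what was missing before.

    PutPublicAccessBlock replaces the whole configuration (unspecified flags
    become false), so always send the complete FULL_BLOCK rather than only
    the flags that were off.
    """
    missing = missing_settings(get_account_block(client, account_id))
    if missing:
        client.put_public_access_block(
            AccountId=account_id,
            PublicAccessBlockConfiguration=dict(FULL_BLOCK),
        )
    return missing


class _ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (offline use only)."""

    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3Control:
    """Offline stub of the two S3 Control calls used above (constructed data)."""

    def __init__(self, config: Optional[Dict[str, Any]]):
        self.config = config
        self.put_calls: List[Dict[str, Any]] = []

    def get_public_access_block(self, AccountId: str) -> Dict[str, Any]:
        if self.config is None:
            raise _ClientError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self.config)}

    def put_public_access_block(self, AccountId: str,
                                PublicAccessBlockConfiguration: Dict[str, Any]) -> None:
        self.put_calls.append(dict(PublicAccessBlockConfiguration))
        self.config = dict(PublicAccessBlockConfiguration)


if __name__ == "__main__":
    # Against a real account: client = boto3.client("s3control", region_name="us-east-1")
    # Here a half-configured account (constructed data, fictional account id)
    # is brought to a full block; the second call finds nothing left to fix.
    client = FakeS3Control({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False})
    print("was missing:", enforce_account_block(client, "111111111111"))
    print("now missing:", enforce_account_block(client, "111111111111"))
```

Run across an organization, `enforce_account_block` is what a per-account binding would execute; because the setting is account-wide rather than regional, it should be applied once per account, not once per region.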

OlafConijn commented 4 years ago

Hi, we are implementing a library of resource providers, and this will be one. A resource provider can be deployed to your AWS account/region and allows you to extend the CloudFormation types.

Using org-formation you can apply these resources to multiple accounts/regions using an organization binding. The resource providers still need some polishing and a method to easily deploy these types.

The repository can be found at: https://github.com/org-formation/aws-resource-providers.

eduardomourar commented 4 years ago

Here is the CloudFormation coverage related issue: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/168

OlafConijn commented 3 years ago

Hi @craighurley, that took a fair while :).

I just pushed an example on how to use Community::S3::PublicAccessBlock and Community::Organizations::EbsEncryptionDefaults from within org-formation. This will work from version 0.9.10 onwards.

https://github.com/org-formation/org-formation-cli/tree/master/examples/secure-defaults

Looking forward to your feedback!