Open simonw opened 6 months ago
Here's my prototype:
```python
import json

import botocore.exceptions
import click

# cli, common_boto3_options, make_client and policies are the existing
# s3-credentials helpers this command is added alongside.


@cli.command()
@click.argument("bucket")
@common_boto3_options
def make_bucket_public(bucket, **boto_options):
    """
    Make a bucket public. All files will be visible to anyone who knows the URL.

        s3-credentials make-bucket-public my-bucket
    """
    s3 = make_client("s3", **boto_options)
    try:
        # Step 1: clear the bucket-level public access block, otherwise the
        # public bucket policy below is rejected at put time.
        print("Putting public access block")
        response1 = s3.put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={
                "BlockPublicAcls": False,
                "IgnorePublicAcls": False,
                "BlockPublicPolicy": False,
                "RestrictPublicBuckets": False,
            },
        )
        # Step 2: attach a policy allowing anonymous s3:GetObject on the bucket
        print("Putting bucket policy")
        response2 = s3.put_bucket_policy(
            Bucket=bucket,
            Policy=json.dumps(policies.bucket_policy_allow_all_get(bucket)),
        )
    except botocore.exceptions.ClientError as ex:
        click.echo(ex.__dict__, err=True)
        raise click.ClickException(str(ex))
    click.echo(json.dumps(response1, indent=4, default=str))
    click.echo(json.dumps(response2, indent=4, default=str))
```
I think it's possible the `s3-credentials create name-of-bucket --create-bucket --public` command doesn't work correctly because it doesn't do the `s3.put_public_access_block` bit.
I asked ChatGPT what all of those boolean flags meant and it said:
> The `PublicAccessBlockConfiguration` settings are used to manage public access to your S3 bucket. Each boolean option in this configuration controls a specific aspect of public access:
>
> **BlockPublicAcls:**
> - When set to `True`, this setting prevents the application of any new public Access Control Lists (ACLs) to the bucket or its objects. It doesn't change the existing ACLs but blocks any attempt to put a new ACL that grants public access.
> - When set to `False`, it allows the application of new public ACLs to the bucket and its objects.
>
> **IgnorePublicAcls:**
> - When set to `True`, this setting ignores any public ACLs on the bucket and its objects, effectively treating them as private. Even if an object has a public ACL, it won't be publicly accessible.
> - When set to `False`, it respects the public ACLs on the bucket and its objects, allowing public access if a public ACL is set.
>
> **BlockPublicPolicy:**
> - When set to `True`, this setting prevents the application of any new public bucket policies to the bucket. It blocks attempts to put a new bucket policy that grants public access.
> - When set to `False`, it allows the application of new public bucket policies to the bucket.
>
> **RestrictPublicBuckets:**
> - When set to `True`, this setting restricts access to the bucket to only AWS services and authorized users within the bucket owner's account, even if the bucket has a public policy. It effectively blocks public access granted by bucket policies.
> - When set to `False`, it allows public access granted by bucket policies.
>
> By configuring these settings, you can control the level of public access to your S3 bucket and its objects, enhancing the security of your data. For example, setting all options to `True` provides the strictest level of access control, ensuring that the bucket and its objects are not publicly accessible under any circumstances.
So I think they should all be `False` if a bucket is going to serve public files.
Related to: #86
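Added example, not from the issue or the s3-credentials project: a pure-Python model of how the four `PublicAccessBlockConfiguration` flags interact with a bucket policy, so the two-step sequence above (clear the block, then put the policy) and the config returned by `get_public_access_block()` can be checked offline. The sample policy is constructed here and mirrors the shape a public-read policy takes; the function names are this example's own.

```python
import json

# Constructed sample: a bucket policy granting anonymous s3:GetObject.
SAMPLE_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAllGetObject", "Effect": "Allow",
                   "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ALL_OPEN = {k: False for k in ALL_BLOCKED}


def policy_grants_public_get(policy):
    """True if any Allow statement grants s3:GetObject to Principal '*'."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False


def put_policy_allowed(block_config, policy):
    """BlockPublicPolicy=True makes S3 reject a PUT of a public policy; this is
    the failure the --public flow hits when the block is never cleared."""
    if block_config.get("BlockPublicPolicy", True) and policy_grants_public_get(policy):
        return False
    return True


def public_reads_served(block_config, policy):
    """Anonymous GETs via bucket policy succeed only when the policy is public
    and RestrictPublicBuckets is False (it is enforced at request time)."""
    return policy_grants_public_get(policy) and not block_config.get(
        "RestrictPublicBuckets", True)


def least_open_config_for_public_policy():
    """Smallest loosening that still serves files through a public bucket
    policy: the two ACL flags can stay True because ACLs grant nothing here."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
```

Running the model against `ALL_BLOCKED` shows why step 1 is required, and `least_open_config_for_public_policy()` shows that setting all four flags to `False` is more than a policy-served public bucket needs.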