Skip to content

Latest commit

 

History

History

S3_PublicAccessControlsRestricted

README.md

AwsCommunity::S3::PublicAccessControlsRestricted

Validates any resource of type AWS::S3::Bucket has the public access controls restricted.

Configuration

# Create a basic type configuration json
cat <<EOF > typeConfiguration.json
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {}
    }
  }
}
EOF

# enable the hook
aws cloudformation set-type-configuration \
  --configuration file://typeConfiguration.json \
  --type HOOK \
  --type-name AwsCommunity::S3::PublicAccessControlsRestricted

Example templates

The Hook will find this template to be non-compliant.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  S3BucketWithNoProperties:
    Type: 'AWS::S3::Bucket'
  S3BucketWithNoProperties:
    Type: 'AWS::S3::Bucket'
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: False
        IgnorePublicAcls: True
        RestrictPublicBuckets: True

This template will be found as compliant and deploy successfully.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  S3BucketCompliant:
    Type: 'AWS::S3::Bucket'
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True