feature request: block public access to S3 at the account level

[craighurley]

Hello,

In a similar way that password policies can be applied to an account or set of accounts, it would be nice if org-formation was able to set "block public access" to S3 at the account level.

• https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#console-block-public-access-options

[OlafConijn]

great! thanks.

We are at the moment investigating the use of resource providers and this might mean that towards the future password policy and also this type of setup would be implemented from within an a cloudformation resource and an OrganizationBinding.

e.g.

MyS3Policy:
  Type: OC::ORG::S3Policy
  OrganizationBinding: 
    Accounts: '*'
  Properties:
    BlockPublicAccess: true 

As an added benefit you would be able to use these resource providers independently as this is a cloudformation feature. would you be interested in testing these? would be very happy to adjust priorities to accomodate your usecases.

[craighurley]

Yes, happy to test for you.

[OlafConijn]

hi, looked into this and found out that the nodejs sdk (neither cli) supports changing the account level bucket public access block. i wrote a feature request for the node-js sdk team, in the hope they make this land in the right place. aws/aws-sdk-js#3400

If there is something i overlooked, please do let me know. somewhat tempted to reverse engineer how the console works but i believe that the authentication scheme the console uses is different. so i guess we'll have to wait this one out

I did have some good progress on https://github.com/OlafConijn/AwsOrganizationFormation/issues/84.

thanks!

[craighurley]

neither cli

The aws cli has options for it: https://docs.aws.amazon.com/cli/latest/reference/s3control/put-public-access-block.html

... or did you mean something else?

[OlafConijn]

yep, got it, thanks. Now also found it on the nodejs sdk.

[OlafConijn]

hi, we are implementing a library of resource providers and this will be one.
A resource provider can be deployed to your AWS account/region and allows you to extend the CloudFormation types.

Using org-formation you can apply these resources to multiple accounts/regions using an organization binding.
The resource providers still need some polishing and a method to easily deploy these types.

The repository can be found at: https://github.com/org-formation/aws-resource-providers.

[eduardomourar]

here is the cloudformation coverage related issue: aws-cloudformation/cloudformation-coverage-roadmap#168

[OlafConijn]

hi @craighurley, that took a fair while :).

I just pushed an example on how to use Community::S3::PublicAccessBlock and Community::Organizations::EbsEncryptionDefaults from within org-formation. This will work from version 0.9.10 onwards.

https://github.com/org-formation/org-formation-cli/tree/master/examples/secure-defaults

looking forward to your feedback!