CloudFormation custom resource for blocking public S3 buckets for an entire account
The custom resource in this repository enables you to use the newly added S3 feature for blocking the creation of public S3 buckets in an AWS account. Please read my blog post for more information: blocking account-wide creation of public S3 buckets through a CloudFormation custom resource.
Note that this custom resource enables all features for blocking the creation of public S3 buckets. See the original blog post linked above for more information on the different features now available.
The Lambda function is now deployed with minimal permissions.
At the time of writing, I have not yet been able to find the specific IAM permissions needed to execute the delete_public_access_block API calls. I have of course tried the obvious (s3:PutPublicAccessBlock), but these do not work. As it works with s3:*, I have decided to use this for now. As this is definitely not following the security least-privilege principle, I would very much like to replace this with the proper permissions. If you happen to know what permissions to place here, please leave a comment in my blog or send me a message on Twitter.
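The following handler is an added example of the custom-resource logic described above; it is not the code from this repository. It applies all four account-level Block Public Access settings on Create/Update, removes them on Delete (the delete_public_access_block call mentioned above), and always answers CloudFormation, including on failure. Assumptions that are not from the README: the resource passes an `AccountId` property, the `RecordingS3Control` stand-in and `sample_event` are constructed for offline testing, and the function role is allowed to call the s3control API.

```python
"""CloudFormation custom resource handler that enables every account-level
S3 Block Public Access setting. Added example; not the repository's code.
Assumed (not from the README): the resource passes an `AccountId` property."""
import json
import urllib.request

# All four settings on: the "block everything" configuration the README describes.
FULL_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def apply_block(s3control, account_id, request_type):
    """Create/Update put the full block; Delete removes it again."""
    if request_type in ("Create", "Update"):
        s3control.put_public_access_block(
            AccountId=account_id, PublicAccessBlockConfiguration=FULL_BLOCK
        )
        return {"Action": "put", "AccountId": account_id}
    if request_type == "Delete":
        s3control.delete_public_access_block(AccountId=account_id)
        return {"Action": "delete", "AccountId": account_id}
    raise ValueError(f"unsupported RequestType {request_type!r}")


def build_response(event, status, reason="", data=None):
    """Body CloudFormation expects at ResponseURL. PhysicalResourceId must stay
    stable across updates, otherwise CloudFormation issues a follow-up Delete."""
    account_id = event.get("ResourceProperties", {}).get("AccountId", "unknown")
    return {
        "Status": status,
        "Reason": reason or "see the Lambda function's CloudWatch log stream",
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or f"s3-account-public-access-block-{account_id}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(response_url, body):
    """PUT the result to the pre-signed S3 URL CloudFormation handed us.
    Content-Type must be empty, or the pre-signed URL's signature will not match."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(
        response_url, data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handler(event, context=None, s3control=None, send=send_response):
    """Lambda entry point. `s3control` and `send` are injectable so the logic
    can be exercised without AWS credentials."""
    if s3control is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        s3control = boto3.client("s3control")
    try:
        data = apply_block(
            s3control, event["ResourceProperties"]["AccountId"], event["RequestType"]
        )
        body = build_response(event, "SUCCESS", data=data)
    except Exception as exc:  # every path must answer, or the stack waits an hour for a timeout
        body = build_response(event, "FAILED", reason=f"{type(exc).__name__}: {exc}")
    send(event["ResponseURL"], body)
    return body


class RecordingS3Control:
    """Constructed stand-in for boto3's s3control client; records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, AccountId, PublicAccessBlockConfiguration):
        self.calls.append(("put", AccountId, PublicAccessBlockConfiguration))

    def delete_public_access_block(self, AccountId):
        self.calls.append(("delete", AccountId))


def sample_event(request_type):
    """Constructed custom-resource event in the shape CloudFormation sends."""
    return {
        "RequestType": request_type,
        "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
        "StackId": "arn:aws:cloudformation:eu-west-1:123456789012:stack/demo/constructed",
        "RequestId": "constructed-request-id",
        "LogicalResourceId": "AccountPublicAccessBlock",
        "ResourceProperties": {"AccountId": "123456789012"},
    }


if __name__ == "__main__":
    client = RecordingS3Control()
    result = handler(sample_event("Create"), s3control=client, send=lambda url, body: 200)
    print(result["Status"], client.calls)
```

In a template the resource would be declared with `ServiceToken` pointing at the function ARN and `AccountId: !Ref AWS::AccountId`. The account-level calls are authorized by the `s3:PutAccountPublicAccessBlock` IAM action, which also covers delete_public_access_block; the bucket-level `s3:PutBucketPublicAccessBlock` action does not apply to the account-level API, so `s3:PutAccountPublicAccessBlock` is the least-privilege replacement for `s3:*` on the function's role.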
First, change the first line in the Makefile to specify the S3 bucket to which the SAM artifacts are uploaded. Then, run the following command to deploy the stack:
This will first initialize your environment using the following steps:
- Set up a virtual environment using pipenv
- Download the dependencies into the
- Copy the source code into the
You can now start using this custom resource. An example of how to use it is in the stack.yaml file. You can deploy this stack using the following command: