NOTE: This repo contains only the documentation for the private BoltsOps Pro repo code. Original file: https://github.com/boltopspro/s3-secure/blob/master/README.md The docs are publish so they are available for interested customers. For access to the source code, you must be a paying BoltOps Pro subscriber. If are interested, you can contact us at contact@boltops.com or https://www.boltops.com
This blueprint auto-remediates and hardens newly created s3 buckets. When new buckets are created, a Lambda function is run that applies security controls. This ensures all buckets are compliant. This CloudFormation template can be used as-is or used as an example to tailor for your needs.
- Enables Encryption on S3 Buckets
- Enables Bucket Policy that enforces SSL Transport
The blueprint also supports:
- Optionally VpcConfig. Variables can be used to set different values for multiple environments.
- Supports Lambda X-Ray tracing
- Can customize EventPattern.
- Add blueprint to Gemfile
- Configure: configs/s3-secure values
- Deploy blueprint
First you want to configure the configs/s3-secure config files. You can use lono seed to configure starter values quickly.
LONO_ENV=development lono seed s3-secure
For additional environments:
LONO_ENV=production lono seed s3-secure
The generated files in config/s3-secure folder look something like this:
configs/s3-secure/
└── variables
├── development.rb
└── production.rb
Use the lono cfn deploy command to deploy. Example:
LONO_ENV=development lono cfn deploy s3-secure --sure
LONO_ENV=production lono cfn deploy s3-secure --sure
If you are using One AWS Account, use these commands instead: One Account.
The default behavior listens for the S3 Create Bucket event. You can adjust the default @event_pattern if needed:
configs/s3-secure/variables/development.rb:
@event_pattern = {
source: ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
detail: {
eventName: ["CreateBucket"],
eventSource: ["s3.amazonaws.com"],
}
}Here are the EventPattern docs.
To configure the Lambda function with VpcConfig set @subnet_ids and either @vpc_id or @security_group_ids.
- When the
@vpc_idis set, the template creates a managed security group for you and the Lambda function is configured to use that security group. - When
@security_group_idsis set, the Lambda function will use those existing security groups. - The subnet must be a private subnet with configured with a NAT.
Here's an example of the managed security group.
configs/lambda/variables/development.rb:
@subnet_ids = ["subnet-111"]
@vpc_id = "vpc-111"For Lambda VPC to work, the subnet must be a private subnet configured with a NAT.
Note, Lambda functions configured with VPCs may take much longer to deploy, typically 30-45 minutes. This is because Lambda creates and attaches an ENI to the Lambda function to make the VPC feature possible. If the function is deleted or updated, requiring replacement, the ENI takes 30-45m to be removed. Because of this, it is recommended to write code for your Lambda function code without the VpcConfig first. Get it working and then add VpcConfig at the end.
Lambda X-Ray tracing is set to Active by default. You can disable this by setting @tracing_config_mode = false. Example:
configs/lambda/variables/development.rb:
@tracing_config_mode = falseYou can also change the mode with the same @tracing_config_mode variable:
@tracing_config_mode = "Active" # or "PassThrough"