guardian/bucket-blocker
bucket-blocker

What is this thing?

Bucket blocker is a tool that searches for violations of FSBP S3.8, which states that all buckets should have individual configurations blocking public access.

Once it's found the buckets that are not compliant, it skips over any that are in CloudFormation stacks (to avoid introducing stack drift), and then blocks public access to the remaining buckets.

```mermaid
flowchart TB
    stack[Is it part of a cloudformation stack]
    excl[Is it in a list of excluded \n buckets provided by the user?]
    block[Block public access to the bucket]
    ruleBreak[Does the bucket break S3.8?]
    break[Do nothing.]
    noAccess[No. Access already \n blocked]

    ruleBreak --> Yes --> stack --> No --> excl --> Nope --> block
    ruleBreak --> noAccess --> break
    stack --> Yeah --> break
    excl --> Yep --> break
```

There are a few extra features, controlled by flags, enumerated below.

Command line options:

Bucket blocker takes up to 3 flags:

  • profile: Required. The profile to use when connecting to AWS.

  • region: Required. The region where the bucket is located.

  • execute: Optional. Takes no value. If present, it will ask the user to confirm, then block the buckets. If not, it will only print the buckets that would have been blocked.

  • exclusions: Optional. Comma-delimited list of buckets to exclude from blocking.

  • max: Optional. The maximum number of buckets to block. Between 1 and 100. Defaults to 100, which is the maximum number of buckets that can exist in an AWS account.
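The selection logic from the flowchart and the exclusions/max flags, as an added Go example that is not the project's own code. It assumes stack membership is detected through the aws:cloudformation:stack-name tag that CloudFormation applies to resources, and stands in a constructed struct for the SDK's public access block type.

```go
package main

// PublicAccessBlock holds the four S3 settings that FSBP S3.8 requires to all
// be true; a bucket with no block configured is represented by a nil pointer.
type PublicAccessBlock struct {
	BlockPublicAcls       bool
	IgnorePublicAcls      bool
	BlockPublicPolicy     bool
	RestrictPublicBuckets bool
}

// Bucket is a constructed stand-in for what the tool reads via the AWS SDK.
type Bucket struct {
	Name string
	PAB  *PublicAccessBlock
	Tags map[string]string
}

// ViolatesS38 reports whether a bucket breaks S3.8: no public access block is
// configured, or at least one of the four settings is still false.
func ViolatesS38(b Bucket) bool {
	p := b.PAB
	return p == nil || !(p.BlockPublicAcls && p.IgnorePublicAcls &&
		p.BlockPublicPolicy && p.RestrictPublicBuckets)
}

// InCloudFormationStack is this example's assumption: stack membership is read
// from the aws:cloudformation:stack-name tag CloudFormation puts on resources.
func InCloudFormationStack(b Bucket) bool {
	_, ok := b.Tags["aws:cloudformation:stack-name"]
	return ok
}

// Plan follows the flowchart and returns, in inventory order, the buckets that
// would be blocked: they violate S3.8, sit outside any stack, are not in the
// user's exclusion list, and the list is capped at max (the -max flag).
func Plan(buckets []Bucket, exclusions []string, max int) []string {
	excluded := make(map[string]bool, len(exclusions))
	for _, e := range exclusions {
		excluded[e] = true
	}
	var plan []string
	for _, b := range buckets {
		if len(plan) >= max {
			break
		}
		if !ViolatesS38(b) || InCloudFormationStack(b) || excluded[b.Name] {
			continue
		}
		plan = append(plan, b.Name)
	}
	return plan
}
```

Running Plan without -execute corresponds to the dry run: the returned names are what would be printed, and only a confirmed run would call PutPublicAccessBlock on each of them.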

You will also need credentials for the relevant AWS account from Janus.

Running the binary

This application is downloadable from brew. You'll need the guardian's brew tap installed before you can install the application.

To do this all at once, run the following command:

brew tap guardian/homebrew-devtools && brew install bucket-blocker

You can also download the binary directly from the Releases page on GitHub, or build it from source.

Local development

When committing your changes, please use the conventional commit format. This will allow us to automatically generate a changelog and correctly version the application when it is released.

While developing locally, you can test the application using the following command from the root of the repository, without needing to build the binary:

go run main.go -profile <PROFILE> -region <REGION> [OPTIONAL_FLAGS]

Releasing to brew

Creating a new release of the application on brew is currently a manual process. You will need to update the version, URLs, and SHAs in this file in the homebrew-devtools repo.