S3 Block Public Access #6779

Merged
merged 1 commit into from
Oct 8, 2019

@jessedoyle jessedoyle commented Oct 2, 2019

What did you implement

  • Add a new boolean property named blockPublicAccess to the
    deploymentBucket config object for the AWS provider.
  • The property defaults to false to retain backwards
    compatibility with existing infrastructure.
  • When true, the configuration property will enable the
    S3 Block Public Access feature. This will prevent all future
    policies or ACLs that may grant public access to the
    deployment bucket.
  • Update the serverless.yml reference docs to reflect the
    addition.

Closes #6706

How can we verify it

Add blockPublicAccess: true to the deploymentBucket configuration object, then deploy.

Ensure that the resulting CF template has the following properties in the ServerlessDeploymentBucket resource:

```json
{
  "PublicAccessBlockConfiguration": {
    "BlockPublicAcls": true,
    "BlockPublicPolicy": true,
    "IgnorePublicAcls": true,
    "RestrictPublicBuckets": true
  }
}
```

  • Write and run all tests
  • Write documentation
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: Yes
Is it a breaking change?: No
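
One way to automate the template check described above, as an added example (not code from this PR or from the Serverless Framework). It assumes the compiled CloudFormation template has already been parsed into an object and that the block sits under the resource's `Properties` key; `checkDeploymentBucket` and the sample templates are hypothetical and constructed.

```javascript
// The four settings the PR description lists for the deployment bucket.
const REQUIRED_FLAGS = [
  'BlockPublicAcls',
  'BlockPublicPolicy',
  'IgnorePublicAcls',
  'RestrictPublicBuckets',
];

// Returns a list of findings; an empty list means the bucket resource
// carries the complete PublicAccessBlockConfiguration.
function checkDeploymentBucket(template, logicalId = 'ServerlessDeploymentBucket') {
  const resource = ((template || {}).Resources || {})[logicalId];
  if (!resource) return [`${logicalId}: resource not found in template`];
  if (resource.Type !== 'AWS::S3::Bucket') {
    return [`${logicalId}: expected AWS::S3::Bucket, got ${resource.Type}`];
  }
  const config = (resource.Properties || {}).PublicAccessBlockConfiguration;
  if (!config || typeof config !== 'object') {
    return [`${logicalId}: PublicAccessBlockConfiguration is absent`];
  }
  // Each flag must be the boolean true: a missing or false flag leaves
  // one of the ACL or bucket-policy controls switched off.
  return REQUIRED_FLAGS
    .filter((flag) => config[flag] !== true)
    .map((flag) => `${logicalId}: ${flag} is ${JSON.stringify(config[flag])}, expected true`);
}

// Constructed sample templates (not output from a real deployment).
const bucket = (properties) => ({
  Resources: { ServerlessDeploymentBucket: { Type: 'AWS::S3::Bucket', Properties: properties } },
});
const SAMPLES = {
  enabled: bucket({
    PublicAccessBlockConfiguration: {
      BlockPublicAcls: true,
      BlockPublicPolicy: true,
      IgnorePublicAcls: true,
      RestrictPublicBuckets: true,
    },
  }),
  partial: bucket({
    PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: false },
  }),
  disabled: bucket({}),
};

for (const [name, template] of Object.entries(SAMPLES)) {
  console.log(name, checkDeploymentBucket(template));
}
```

The check covers the generated template only; it says nothing about the settings on a bucket that is already deployed.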

* Add a new boolean property named `blockPublicAccess` to the
  `deploymentBucket` config object for the AWS provider.
* The property defaults to `false` to retain backwards
  compatibility with existing infrastructure.
* When `true`, the configuration property will enable the
  [S3 Block Public Access][1]. This will prevent all future
  policies or ACLs that may grant public access to the
  deployment bucket.
* Update the serverless.yml reference docs to reflect the
  addition.

[1]: https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/

resolves: #6706
@pmuens pmuens self-assigned this Oct 8, 2019
@pmuens pmuens added this to the 1.54.0 milestone Oct 8, 2019

@pmuens pmuens left a comment

Good stuff! Thanks for working on this @jessedoyle 👍

I just tested it and it works as expected 💯 LGTM :shipit:

Successfully merging this pull request may close these issues.

Default deploymentBucket should enable S3 block public access