This is an effort to create a group of CloudFormation resources which take a security baseline as a parameter at creation time; the chosen baseline drives their default configuration, so templates keep up with the latest recommendations without each developer re-learning them.
For more background on this problem take a look at my blog post "Why isn't my S3 bucket secure?".
Keeping things simple for developers, this is all that is required to create an S3 bucket with the baseline selected at creation:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform:
  - "YOUR_ACCOUNT_ID::SecurityTransform"
Resources:
  MyDataBucket:
    Type: Secure::S3::Bucket
    Properties:
      Baseline: standards/aws-foundational-security-best-practices/v/1.0.0
```

After the magic of translation this becomes:
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyDataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        }
      }
    }
  }
}
```

So without any effort at all a developer has satisfied most of the security controls in the AWS Foundational Security Best Practices controls for creating S3 bucket resources:
- S3.1 S3 Block Public Access setting should be enabled
- S3.2 S3 buckets should prohibit public read access
- S3.3 S3 buckets should prohibit public write access
- S3.4 S3 buckets should have server-side encryption enabled
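To make the translation concrete, here is an added example (not the SecurityTransform project's own code) of a CloudFormation macro handler that performs the rewrite shown above. The baseline catalogue, the precedence rule (developer-set properties win over baseline defaults) and the sample fragment are assumptions constructed for this example.

```python
import copy

# Constructed catalogue: the only baseline shown on this page, mapped to the
# defaults the translated template carries. The real transform's catalogue is an assumption here.
BASELINES = {
    "standards/aws-foundational-security-best-practices/v/1.0.0": {
        "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
            ]
        },
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "BlockPublicPolicy": True,
            "IgnorePublicAcls": True,
            "RestrictPublicBuckets": True,
        },
    }
}

def transform_fragment(fragment):
    """Rewrite every Secure::S3::Bucket into AWS::S3::Bucket, filling in the
    selected baseline's defaults. The input fragment is left unmodified."""
    out = copy.deepcopy(fragment)
    for name, res in out.get("Resources", {}).items():
        if res.get("Type") != "Secure::S3::Bucket":
            continue
        props = res.get("Properties", {})
        baseline = props.pop("Baseline", None)
        if baseline not in BASELINES:
            # Fail the stack operation rather than silently emit an unhardened bucket.
            raise ValueError(f"{name}: unknown or missing Baseline {baseline!r}")
        # Baseline supplies defaults; explicit developer properties take precedence (assumed rule).
        res["Type"] = "AWS::S3::Bucket"
        res["Properties"] = {**BASELINES[baseline], **props}
    return out

def handler(event, context):
    """Lambda entry point: CloudFormation sends the template fragment and expects
    requestId/status/fragment back (errorMessage on failure)."""
    try:
        return {"requestId": event["requestId"], "status": "success",
                "fragment": transform_fragment(event["fragment"])}
    except ValueError as exc:
        return {"requestId": event["requestId"], "status": "failure", "errorMessage": str(exc)}

# Constructed input mirroring the YAML template above (the Transform key is consumed before the macro runs).
SAMPLE_FRAGMENT = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"MyDataBucket": {"Type": "Secure::S3::Bucket",
        "Properties": {"Baseline": "standards/aws-foundational-security-best-practices/v/1.0.0"}}},
}
```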
- AWS Security Hub User Guide
- AWS Foundational Security Best Practices controls
- CIS Amazon Web Services Foundations 1.2.0 (PDF)
This code is released under the Apache 2.0 license and is copyright Mark Wolfe.