Filter CloudTrail event in IAM policy

0

I need to create an Org SCP to deny the "s3:PutBucketPublicAccessBlock" action. What I currently have:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyChaningBucketPublicAccessSetting",
          "Effect": "Deny",
          "Action": [
            "s3:PutBucketPublicAccessBlock"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

This will prevent users from changing this setting on existing buckets. However, when creating new buckets, this policy also prevents users from applying "Block public access (bucket settings)", and the result is that bucket is created, but all block public access boxes are unchecked.

Looking at the CloudTrail event for this particular API, PutBucketPublicAccessBlock, I can see this attribute, 'requestParameters':

    "requestParameters": {
        "publicAccessBlock": "",
        "bucketName": "testbucket",
        "PublicAccessBlockConfiguration": {
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "RestrictPublicBuckets": true,
            "BlockPublicPolicy": true,
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true
        },
        "Host": "testbucket.s3.us-east-1.amazonaws.com"
    },

Is it possible to add a 'Condition' key to the IAM JSON to filter on the above CloudTrail event data?

1 Answer
0

Hello,

Currently, it is not possible to restrict bucket creation action based on "Block Public Access" settings used by the user/role while creating the S3 bucket. You can use the 'block public access' settings feature on account level via CLI/SDK or AWS management console[1]. Once this setting is enabled, all the buckets are made private including the ones that are yet to be created. However, if you do have public S3 buckets then it will alter your existing setup.

There is currently a feature request that is logged to make this use case possible through condition keys. Unfortunately, we won't be able to provide you with an ETA on when this feature might be released, as I have no visibility over that process. However, all of our new announcements and releases can be found in our What's New page [1] and our Official Blog [2].

[1] What's New with AWS - https://aws.amazon.com/new/

[2] AWS News Blog - https://aws.amazon.com/blogs/aws/

AWS
SUPPORT ENGINEER
answered 2 years ago
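Since an SCP condition cannot see the PublicAccessBlockConfiguration in the request, the remaining option is a detective control over the same CloudTrail data the question shows. The following is an added example (not part of either post, and not an AWS tool): it scans constructed CloudTrail events shaped like the one above and reports every PutBucketPublicAccessBlock call that leaves any of the four settings disabled, plus DeletePublicAccessBlock, which removes the configuration entirely. The account ID, bucket names and principal ARNs are made up.

```python
import json

# The four settings a Public Access Block carries; all must be true for a bucket to be fully blocked.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def weakened_settings(event):
    """Return the Public Access Block settings this CloudTrail event leaves disabled ([] if none)."""
    name = event.get("eventName")
    if name == "DeletePublicAccessBlock":
        return list(PAB_KEYS)            # removing the configuration drops all four protections
    if name != "PutBucketPublicAccessBlock":
        return []                        # unrelated API call
    params = event.get("requestParameters") or {}
    config = params.get("PublicAccessBlockConfiguration") or {}
    # A setting absent from the request is treated as disabled (assumption: conservative reading).
    return [k for k in PAB_KEYS if config.get(k) is not True]

def scan(events):
    """Return (bucket, caller ARN, disabled settings) for each event that weakens a bucket's block."""
    findings = []
    for ev in events:
        disabled = weakened_settings(ev)
        if disabled:
            bucket = (ev.get("requestParameters") or {}).get("bucketName", "?")
            actor = (ev.get("userIdentity") or {}).get("arn", "?")
            findings.append((bucket, actor, disabled))
    return findings

# Constructed sample events shaped like the requestParameters shown in the question.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutBucketPublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "testbucket", "PublicAccessBlockConfiguration":
    {"RestrictPublicBuckets": true, "BlockPublicPolicy": true, "BlockPublicAcls": true, "IgnorePublicAcls": true}}},
 {"eventName": "PutBucketPublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
  "requestParameters": {"bucketName": "webassets", "PublicAccessBlockConfiguration":
    {"RestrictPublicBuckets": false, "BlockPublicPolicy": false, "BlockPublicAcls": true}}},
 {"eventName": "DeletePublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"bucketName": "logs"}},
 {"eventName": "CreateBucket",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "newbucket"}}
]""")

if __name__ == "__main__":
    for bucket, actor, disabled in scan(SAMPLE_EVENTS):
        print(f"{bucket}: {actor} left disabled: {', '.join(disabled)}")
```

The same check can be wired to an EventBridge rule or a log query so the finding arrives while the bucket is still being set up, which covers the new-bucket case the SCP alone cannot.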
