Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

With Cloud-formation unable to enable s3 public access ON in Account

0

Hi team, Need help, trying to leverage CFN template to block S3 bucket public access from Account level, Idea is run this cfn template as stack set and roll out across multiple accounts/OUs under organizations.

I am using below code but that is giving an error while trying to create CF stack in the console , error given as "S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html". Please let me know if any questions .

AWSTemplateFormatVersion: 2010-09-09 Description: Enable S3 public access block at account level

Resources: S3AccountPublicAccessBlock: Type: AWS::S3::AccountPublicAccessBlock Properties: PublicAccessBlockConfiguration: BlockPublicAcls: True IgnorePublicAcls: True BlockPublicPolicy: True RestrictPublicBuckets: True

Temas
AlmacenamientoGestión y gobierno
Etiquetas
Amazon Simple Storage ServiceAWS CloudFormation
Idioma
English
Suddhasil
preguntada hace un mes339 visualizaciones
2 Respuestas
0

Hello.

I can't find the resource type "AWS::S3::AccountPublicAccessBlock" in the documentation, but is it a commonly used resource type?
I thought maybe it's not supported by CloudFormation.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/AWS_S3.html

I thought that if I were to use CloudFormation, I would need to create a custom resource and create a Lambda that executes things like "put_public_access_block()".
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control/client/put_public_access_block.html#

profile picture
EXPERTO
Riku_Kobayashi
respondido hace un mes
profile pictureAWS
EXPERTO
Matt-B
revisado hace un mes
0

Hi There

AWS::S3::AccountPublicAccessBlock is not a valid CloudFormation resource type. You wont be able to put an account level public access block using CloudFormation.

Here are the supported ways of applying an account-level block: https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html

For example, you can use the CLI via the s3control api. See https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-public-access-block.html.

Once you set Block Public Access on the accounts, you can add an SCP to disallow changes to this configuration.

See this previous post which details the SCP: https://repost.aws/questions/QUUsKRARa1TmywIed1_9JpbA/scp-to-enable-block-s3-public-access

profile pictureAWS
EXPERTO
Matt-B
respondido hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante