With CloudFormation, unable to enable S3 public access ON in account


Hi team, I need help. I am trying to leverage a CFN template to block S3 bucket public access at the account level. The idea is to run this CFN template as a StackSet and roll it out across multiple accounts/OUs under Organizations.

I am using the code below, but it gives an error while trying to create the CF stack in the console. The error is: "S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html". Please let me know if you have any questions.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Enable S3 public access block at account level

Resources:
  S3AccountPublicAccessBlock:
    Type: AWS::S3::AccountPublicAccessBlock
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        IgnorePublicAcls: True
        BlockPublicPolicy: True
        RestrictPublicBuckets: True
```

2 Answers

Hello.

I can't find the resource type "AWS::S3::AccountPublicAccessBlock" in the documentation; is it a commonly used resource type?
I think it may simply not be supported by CloudFormation.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/AWS_S3.html

I think that if you want to use CloudFormation for this, you would need to create a custom resource backed by a Lambda that executes something like "put_public_access_block()".
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control/client/put_public_access_block.html#

EXPERT
answered a month ago
AWS EXPERT Matt-B verified a month ago
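The custom-resource route the answer above describes, as an added example written here and not code from the answer or from AWS: a Lambda handler that CloudFormation invokes through a `Custom::` resource and that calls the S3 Control `put_public_access_block` API on the invoking account. It assumes Python 3.9+ on Lambda, an execution role allowed `s3:PutAccountPublicAccessBlock` and `s3:GetAccountPublicAccessBlock`, and a hypothetical `RemoveOnDelete` property (not in the original template) that decides whether deleting the stack also removes the block. One caveat worth knowing before wiring this up: CloudFormation delivers custom resource properties to Lambda as strings, so the `True` values in the asker's template arrive as `"true"` and have to be parsed.

```python
"""CloudFormation custom resource that applies the account-level S3 Block
Public Access configuration through the S3 Control API.

Added example, not code from the answer above. Assumptions: Python 3.9+ on
Lambda, an execution role allowed s3:PutAccountPublicAccessBlock and
s3:GetAccountPublicAccessBlock, and a hypothetical RemoveOnDelete property
(default false) controlling whether stack deletion removes the block.
"""
import json
import urllib.request

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")


def parse_flag(value):
    """CloudFormation hands custom resource properties to Lambda as strings,
    so a template value of True arrives as "true": accept bools and strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"expected true/false for a block flag, got {value!r}")


def build_public_access_block(props):
    """Map the resource properties (a PublicAccessBlockConfiguration key as in
    the asker's template, or the four flags given directly) onto the dict
    put_public_access_block expects. A flag the template omits defaults to
    True so that a partial configuration fails closed."""
    cfg = props.get("PublicAccessBlockConfiguration", props)
    return {flag: parse_flag(cfg.get(flag, True)) for flag in FLAGS}


def account_id_from_arn(function_arn):
    """S3 Control calls need an explicit AccountId; the Lambda function ARN
    (arn:aws:lambda:REGION:ACCOUNT:function:NAME) carries it in field 4."""
    return function_arn.split(":")[4]


def send_response(event, status, reason, physical_id):
    """Report the outcome to CloudFormation on the pre-signed ResponseURL;
    without this the stack hangs until the custom resource times out."""
    body = json.dumps({
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": {},
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body,
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()


def handler(event, context):
    import boto3  # imported here so the pure helpers above load without boto3
    account_id = account_id_from_arn(context.invoked_function_arn)
    physical_id = f"s3-account-public-access-block-{account_id}"
    props = event.get("ResourceProperties", {})
    try:
        s3control = boto3.client("s3control")
        if event["RequestType"] in ("Create", "Update"):
            wanted = build_public_access_block(props)
            s3control.put_public_access_block(
                AccountId=account_id, PublicAccessBlockConfiguration=wanted)
            # Read back and compare: the put call returns nothing to check.
            got = s3control.get_public_access_block(
                AccountId=account_id)["PublicAccessBlockConfiguration"]
            if got != wanted:
                raise RuntimeError(f"configuration readback mismatch: {got}")
        elif parse_flag(props.get("RemoveOnDelete", False)):
            # Only remove an account-wide guardrail when the template asks for it
            # (hypothetical RemoveOnDelete property); default is to leave it in place.
            s3control.delete_public_access_block(AccountId=account_id)
        send_response(event, "SUCCESS", "ok", physical_id)
    except Exception as exc:  # any failure must still be reported, or the stack hangs
        send_response(event, "FAILED", str(exc), physical_id)
```

In the template the resource would be `Type: Custom::S3AccountPublicAccessBlock` with `ServiceToken` pointing at this function's ARN and the same `PublicAccessBlockConfiguration` block as properties; the Lambda and its role then have to exist in every target account before the StackSet instance that uses them.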

Hi There

AWS::S3::AccountPublicAccessBlock is not a valid CloudFormation resource type. You won't be able to put an account-level public access block using CloudFormation.

Here are the supported ways of applying an account-level block: https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html

For example, you can use the CLI via the s3control api. See https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-public-access-block.html.

Once you set Block Public Access on the accounts, you can add an SCP to disallow changes to this configuration.

See this previous post which details the SCP: https://repost.aws/questions/QUUsKRARa1TmywIed1_9JpbA/scp-to-enable-block-s3-public-access

AWS EXPERT Matt-B
answered a month ago
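The two steps in this answer (set the account-level block through the s3control API, then lock it with an SCP) as an added example written here, not the answer's own code and not the SCP from the linked post; it uses boto3 rather than the CLI so the apply, the read-back check and the policy document sit in one script. Assumptions: credentials for the target account (run once per account, or from a role assumed in each), that `s3:PutAccountPublicAccessBlock` is the single IAM action that both sets and removes the account configuration so denying it suffices, and a hypothetical exempt role ARN pattern for the principal that is still allowed to manage the block.

```python
"""Apply the account-level S3 Block Public Access, verify it, and build the
SCP that stops it being changed afterwards.

Added example, not the answer's own code. Assumptions: boto3 credentials for
the target account; s3:PutAccountPublicAccessBlock is the action that both
sets and removes the account configuration, so denying it is enough; the
exempt role ARN pattern is hypothetical.
"""
import json

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")
FULL_BLOCK = {flag: True for flag in FLAGS}


def public_access_block_gaps(config):
    """Return the flags not set to True in a GetPublicAccessBlock result.
    A missing key counts as a gap: unset means not enforced."""
    return [flag for flag in FLAGS if config.get(flag) is not True]


def read_account_block(account_id, s3control):
    """Current account configuration, or {} when none has ever been set
    (the API reports that as NoSuchPublicAccessBlockConfiguration)."""
    try:
        resp = s3control.get_public_access_block(AccountId=account_id)
    except s3control.exceptions.NoSuchPublicAccessBlockConfiguration:
        return {}
    return resp["PublicAccessBlockConfiguration"]


def enforce_account_block(account_id, s3control):
    """Apply the full block only if something is missing, then read it back;
    returns the remaining gaps, empty when the account is fully blocked."""
    if public_access_block_gaps(read_account_block(account_id, s3control)):
        s3control.put_public_access_block(
            AccountId=account_id, PublicAccessBlockConfiguration=FULL_BLOCK)
    return public_access_block_gaps(read_account_block(account_id, s3control))


def build_lockdown_scp(exempt_principal_arns=()):
    """SCP denying changes to the account-level block. Principals matching
    exempt_principal_arns (e.g. the role that runs this script) keep the
    right to manage it, so the block stays centrally administrable."""
    statement = {
        "Sid": "DenyS3AccountPublicAccessBlockChanges",
        "Effect": "Deny",
        "Action": ["s3:PutAccountPublicAccessBlock"],
        "Resource": "*",
    }
    if exempt_principal_arns:
        statement["Condition"] = {
            "ArnNotLike": {"aws:PrincipalARN": list(exempt_principal_arns)}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    import boto3
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    gaps = enforce_account_block(account_id, boto3.client("s3control"))
    print(f"{account_id}: "
          f"{'fully blocked' if not gaps else 'gaps: ' + ', '.join(gaps)}")
    # Hypothetical exempt role name; attach the printed document as an SCP
    # to the OU once every member account reports "fully blocked".
    print(json.dumps(build_lockdown_scp(
        ["arn:aws:iam::*:role/S3PublicAccessBlockAdmin"]), indent=2))
```

Order matters: attach the SCP only after the block is in place in every account, because once it applies, nothing except the exempted principal can set the block either. The client is passed in rather than created inside the functions so the same code can be driven with a client built from assumed-role credentials for each member account.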
