SCP to enable "Block S3 Public Access"

0

Dear Team - Can anyone help me on best way to implement SCP to block the S3 public read access. It should not impact the existing one and only deny when someone trying to create the new bucket and add Policy/ACL for public access. I tried below but still users are able to create new bucket and can apply s3 policy for public read access.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutAccountPublicAccessBlock" ], "Resource": "*", "Effect": "Deny" } ] }

2回答
0
承認された回答

Hi, this SCP works for me: (you need an additional s3:PutBucketPublicAccessBlock)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}

Also note that SCP doesn't apply to the Organization's management account. You can only restrict bucket public access for member accounts.

profile picture
HS
回答済み 7ヶ月前
  • Just to confirm, this will not impact the existing public accessible S3 bucket and only apply to new bucket, right ?

0

Just to confirm, this will not impact the existing public accessible S3 bucket and only apply to new bucket, right ?

Right. It will not affect the existing bucket.

In my case, 229660767790-public and 229660767790-private are existing buckets before the SCP was applied, and 229660767790-public2 is the new bucket after the SCP was applied.

I failed to make 229660767790-public2 public, but 229660767790-public is still public.

Enter image description here

Nevertheless, you should test this policy yourself before applying to the production.

profile picture
HS
回答済み 7ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ