Filter CloudTrail event in IAM policy

0

I need to create an Org SCP to deny the "s3:PutBucketPublicAccessBlock" action. What I currently have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangingBucketPublicAccessSetting",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This will prevent users from changing this setting on existing buckets. However, when creating new buckets, this policy also prevents users from applying "Block public access (bucket settings)", and the result is that the bucket is created but all block public access boxes are unchecked.

Looking at the CloudTrail event for this particular API, PutBucketPublicAccessBlock, I can see this 'requestParameters' attribute:

    "requestParameters": {
        "publicAccessBlock": "",
        "bucketName": "testbucket",
        "PublicAccessBlockConfiguration": {
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "RestrictPublicBuckets": true,
            "BlockPublicPolicy": true,
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true
        },
        "Host": "testbucket.s3.us-east-1.amazonaws.com"
    },

Is it possible to add a 'Condition' key to the IAM policy JSON to filter on the above CloudTrail event data?
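
Since the policy language cannot see the PublicAccessBlockConfiguration values, the practical fallback for the situation described above is to detect weakening calls in CloudTrail instead. The following is an added example (not part of the question or of any AWS tooling) that scans events in the requestParameters shape shown above and reports every PutBucketPublicAccessBlock call that leaves a flag off, plus DeletePublicAccessBlock calls, which remove the bucket configuration altogether. The sample events are constructed for the example; only the first one mirrors the event quoted in the question.

```python
"""Scan CloudTrail events for bucket-level Block Public Access changes that leave
any of the four flags disabled. Added example built on the requestParameters
shape shown in the question; the events below are constructed, not real logs."""
import json
import sys

# Order fixes the output order of relaxed_bpa_flags().
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_on(value) -> bool:
    # CloudTrail renders the XML body as JSON booleans, but tolerate "true"/"false"
    # strings too, so a re-serialised event does not silently pass as compliant.
    return value is True or str(value).strip().lower() == "true"


def relaxed_bpa_flags(event: dict) -> list:
    """Return the BPA flags that a bucket-level event left disabled.

    PutBucketPublicAccessBlock: every flag that is false or absent from
    PublicAccessBlockConfiguration is reported (an absent flag is treated as
    off, the conservative reading of a partial configuration).
    DeletePublicAccessBlock on a bucket: the configuration is removed, so all
    four flags are reported. Any other eventName returns [].
    """
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "DeletePublicAccessBlock" and "bucketName" in params:
        return list(BPA_FLAGS)
    if name != "PutBucketPublicAccessBlock":
        return []
    config = params.get("PublicAccessBlockConfiguration") or {}
    return [flag for flag in BPA_FLAGS if not _is_on(config.get(flag))]


def scan_events(events) -> list:
    """Return (bucketName, relaxed flags) for every event that weakened BPA."""
    findings = []
    for event in events:
        relaxed = relaxed_bpa_flags(event)
        if relaxed:
            params = event.get("requestParameters") or {}
            findings.append((params.get("bucketName", "<unknown>"), relaxed))
    return findings


# Constructed sample events following the requestParameters shape in the question.
SAMPLE_EVENTS = [
    {   # all four flags on: the call the question's SCP would have liked to permit
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
        "requestParameters": {
            "publicAccessBlock": "", "bucketName": "testbucket",
            "PublicAccessBlockConfiguration": {
                "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
                "RestrictPublicBuckets": True, "BlockPublicPolicy": True,
                "BlockPublicAcls": True, "IgnorePublicAcls": True},
            "Host": "testbucket.s3.us-east-1.amazonaws.com"}},
    {   # two flags turned off, one of them serialised as a string
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
        "requestParameters": {
            "publicAccessBlock": "", "bucketName": "weakened-bucket",
            "PublicAccessBlockConfiguration": {
                "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
                "RestrictPublicBuckets": "false", "BlockPublicPolicy": False,
                "BlockPublicAcls": True, "IgnorePublicAcls": True},
            "Host": "weakened-bucket.s3.us-east-1.amazonaws.com"}},
    {   # bucket configuration removed entirely
        "eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
        "requestParameters": {"publicAccessBlock": "", "bucketName": "stripped-bucket",
                              "Host": "stripped-bucket.s3.us-east-1.amazonaws.com"}},
    {   # unrelated call, ignored
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "other-bucket"}},
]

if __name__ == "__main__":
    # Optional argument: a CloudTrail JSON export of the form {"Records": [...]}.
    events = json.load(open(sys.argv[1]))["Records"] if len(sys.argv) > 1 else SAMPLE_EVENTS
    for bucket, flags in scan_events(events):
        print(f"{bucket}: Block Public Access weakened, off={','.join(flags)}")
```

The same function can sit behind an EventBridge rule on the PutBucketPublicAccessBlock and DeletePublicAccessBlock event names, which gives near-real-time alerting where the SCP cannot give prevention.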

1 answer
0

Hello,

Currently, it is not possible to restrict the bucket creation action based on the "Block Public Access" settings used by the user/role while creating the S3 bucket. You can use the 'block public access' settings feature at the account level via the CLI/SDK or the AWS Management Console[1]. Once this setting is enabled, all the buckets are made private, including the ones that are yet to be created. However, if you do have public S3 buckets, then it will alter your existing setup.

There is currently a feature request logged to make this use case possible through condition keys. Unfortunately, we won't be able to provide you with an ETA on when this feature might be released, as I have no visibility over that process. However, all of our new announcements and releases can be found on our What's New page [1] and our Official Blog [2].

[1]What's New with AWS - https://aws.amazon.com/new/

[2]AWS News Blog - https://aws.amazon.com/blogs/aws/

AWS
Support Engineer
answered 2 years ago
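
To make the trade-off in the answer concrete, the added example below (not AWS code and not part of the answer) models explicit-Deny evaluation of an SCP against the two calls involved when a bucket is created with Block Public Access ticked, and contrasts the question's SCP with the account-level approach: turn the four flags on per account with the CLI and deny s3:PutAccountPublicAccessBlock in an SCP so nobody in a member account can switch them off again. The evaluator is a deliberately simplified model (Deny statements only, Action and Resource matching, no Condition keys, no Allow statements, no policy inheritance) and the account ID is a placeholder. Two caveats the practitioner should keep in mind: SCPs do not apply to the management account, and the SCP only locks the account-level setting, it does not enable it, so the CLI call still has to be run in each account.

```python
"""Explicit-Deny evaluation of SCPs against the S3 calls in this thread, plus the
account-level Block Public Access approach the answer points at. Added example,
not AWS code. The evaluator is a simplified model: Deny statements only, Action
and Resource wildcards, no Condition keys, no Allow, no inheritance across OUs.
The account ID 111122223333 is a placeholder."""
import fnmatch
import json

# The SCP from the question. It also blocks the bucket-level PutPublicAccessBlock
# call made during bucket creation, which is why new buckets end up with all
# four boxes unchecked.
ORIGINAL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyChangingBucketPublicAccessSetting",
        "Effect": "Deny",
        "Action": ["s3:PutBucketPublicAccessBlock"],
        "Resource": ["*"]}]}

# Alternative: enforce BPA once at the account level and deny the one action that
# can weaken it. The account-level DeletePublicAccessBlock API is authorised by
# this same Put action, so both paths are covered. Bucket-level flags then no
# longer decide exposure, and the bucket-level Deny can be dropped.
ACCOUNT_LEVEL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingAccountPublicAccessBlock",
        "Effect": "Deny",
        "Action": ["s3:PutAccountPublicAccessBlock"],
        "Resource": ["*"]}]}

ACCOUNT_BPA_CONFIG = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# The two calls behind "create bucket with Block public access ticked".
CONSOLE_CREATE_BUCKET_FLOW = ["s3:CreateBucket", "s3:PutBucketPublicAccessBlock"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp: dict, action: str, resource: str = "*") -> bool:
    """True if any Deny statement in scp matches action and resource."""
    for stmt in scp.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        # Resource ARNs are case-sensitive; "*" matches everything.
        if any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))):
            return True
    return False


def blocked_calls(scp: dict, calls) -> list:
    """The calls in a sequence that the SCP would refuse."""
    return [call for call in calls if scp_denies(scp, call)]


def account_bpa_cli_command(account_id: str) -> str:
    """AWS CLI invocation that turns on all four account-level flags (run per account)."""
    settings = ",".join(f"{k}={str(v).lower()}" for k, v in ACCOUNT_BPA_CONFIG.items())
    return (f"aws s3control put-public-access-block --account-id {account_id} "
            f"--public-access-block-configuration {settings}")


if __name__ == "__main__":
    print("question's SCP blocks:", blocked_calls(ORIGINAL_SCP, CONSOLE_CREATE_BUCKET_FLOW))
    print("account-level SCP blocks:", blocked_calls(ACCOUNT_LEVEL_SCP, CONSOLE_CREATE_BUCKET_FLOW))
    print("account-level SCP denies switching BPA off:",
          scp_denies(ACCOUNT_LEVEL_SCP, "s3:PutAccountPublicAccessBlock"))
    print(account_bpa_cli_command("111122223333"))
    print(json.dumps(ACCOUNT_LEVEL_SCP, indent=2))
```

Run as-is it shows the question's SCP refusing the second call of the creation flow while the account-level SCP lets both through and refuses only s3:PutAccountPublicAccessBlock. Keep in mind that the real evaluator also honours Condition blocks and the management-account exemption, which this model leaves out.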
