Filter CloudTrail event in IAM policy


I need to create an Org SCP to deny the "s3:PutBucketPublicAccessBlock" action. What I currently have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChaningBucketPublicAccessSetting",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This will prevent users from changing this setting on existing buckets. However, when creating new buckets, this policy also prevents users from applying "Block public access (bucket settings)", and the result is that the bucket is created, but all block public access boxes are unchecked.

Looking at the CloudTrail event for this particular API, PutBucketPublicAccessBlock, I can see this 'requestParameters' attribute:

    "requestParameters": {
        "publicAccessBlock": "",
        "bucketName": "testbucket",
        "PublicAccessBlockConfiguration": {
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "RestrictPublicBuckets": true,
            "BlockPublicPolicy": true,
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true
        },
        "Host": "testbucket.s3.us-east-1.amazonaws.com"
    },

Is it possible to add a 'Condition' key to the IAM JSON to filter on the above CloudTrail event data?
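The SCP above cannot inspect the request body, but the CloudTrail record quoted in the question does carry it. The following is an added example (not code from the question or the answer): a small Python detector that flags PutBucketPublicAccessBlock calls which leave any of the four block-public-access settings disabled, so such changes can at least be alerted on. The event records, bucket names and principal ARNs are constructed sample data.

```python
# Order in which the four settings are reported in findings.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample records (not real CloudTrail output); only the fields the
# detector reads are included. The first mirrors the event in the question.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"},
     "requestParameters": {"bucketName": "testbucket",
         "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": True,
             "BlockPublicPolicy": True, "BlockPublicAcls": True, "IgnorePublicAcls": True}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "reports",
         "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": False,
             "BlockPublicPolicy": True, "BlockPublicAcls": True, "IgnorePublicAcls": False}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "logs"}},
]


def classify_pab_event(event):
    """Return (bucket, disabled_flags) for a PutBucketPublicAccessBlock event,
    or None when the record is some other API call."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketPublicAccessBlock"):
        return None
    params = event.get("requestParameters") or {}
    config = params.get("PublicAccessBlockConfiguration") or {}
    # The call replaces the whole configuration, so a setting that is absent
    # from the request is treated here as disabled, not as "unchanged".
    disabled = [flag for flag in PAB_FLAGS if config.get(flag) is not True]
    return params.get("bucketName"), disabled


def find_weakening_events(events):
    """Return one finding per event that leaves at least one setting disabled."""
    findings = []
    for event in events:
        result = classify_pab_event(event)
        if result is None:
            continue
        bucket, disabled = result
        if disabled:
            findings.append({"bucket": bucket, "disabled": disabled,
                             "principal": (event.get("userIdentity") or {}).get("arn")})
    return findings
```

Feeding the detector real records from a CloudTrail log file or an EventBridge rule on `PutBucketPublicAccessBlock` turns the configuration gap the question describes into an alert rather than a silent state change.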

1 Answer

Hello,

Currently, it is not possible to restrict the bucket creation action based on the "Block Public Access" settings used by the user/role while creating the S3 bucket. You can use the 'block public access' settings feature at the account level via CLI/SDK or the AWS Management Console[1]. Once this setting is enabled, all the buckets are made private, including the ones that are yet to be created. However, if you do have public S3 buckets then it will alter your existing setup.

There is currently a feature request logged to make this use case possible through condition keys. Unfortunately, we won't be able to provide you with an ETA on when this feature might be released, as I have no visibility over that process. However, all of our new announcements and releases can be found on our What's New page [1] and our Official Blog [2].

[1] What's New with AWS - https://aws.amazon.com/new/

[2] AWS News Blog - https://aws.amazon.com/blogs/aws/

AWS
SUPPORT ENGINEER
answered 2 years ago
