By using AWS re:Post, you agree to the Terms of Use

Filter CloudTrail event in IAM policy

0

I need to create a Org SCP to deny "s3:PutBucketPublicAccessBlock" action. What I current have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChaningBucketPublicAccessSetting",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This will prevent users from changing this setting on existing buckets. However, when creating new buckets, this policy also prevents users from applying "Block public access (bucket settings)", and the result is that bucket is created, but all block public access boxes are unchecked.

Looking at CloudTrail event for this particular API PutBucketPublicAccessBlock, I can see this attribute 'requestParameters'

    "requestParameters": {
        "publicAccessBlock": "",
        "bucketName": "testbucket",
        "PublicAccessBlockConfiguration": {
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "RestrictPublicBuckets": true,
            "BlockPublicPolicy": true,
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true
        },
        "Host": "testbucket.s3.us-east-1.amazonaws.com"
    },

Is it possible to add a 'Condition' key to IAM JSON to filter for above CloudTrail event data?

1 Answer
0

Hello,

Currently, it is not possible to restrict bucket creation action based on "Block Public Access" settings used by the user/role while creating the S3 bucket. You can use the 'block public access' settings feature on account level via CLI/SDK or AWS management console[1]. Once this setting is enabled, all the buckets are made private including the ones that are yet to be created. However, if you do have public S3 buckets then it will alter your existing setup.

There is currently a feature request that is logged to make this use case possible through conditions keys. Unfortunately, we won’t be able to provide you with an ETA on when this feature might be released as I have no visibility over that process. However, all of our new announcements and releases can be found in our What's New page [1] and our Official Blog [2].

[1]What's New with AWS - https://aws.amazon.com/new/

[2]AWS News Blog - https://aws.amazon.com/blogs/aws/

SUPPORT ENGINEER
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions