With CloudFormation unable to enable S3 public access ON in Account


Hi team, I need help. I am trying to leverage a CFN template to block S3 bucket public access at the account level. The idea is to run this CFN template as a stack set and roll it out across multiple accounts/OUs under Organizations.

I am using the code below, but it gives an error while trying to create the CF stack in the console. The error is: "S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html". Please let me know if you have any questions.

AWSTemplateFormatVersion: 2010-09-09
Description: Enable S3 public access block at account level

Resources:
  S3AccountPublicAccessBlock:
    Type: AWS::S3::AccountPublicAccessBlock
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        IgnorePublicAcls: True
        BlockPublicPolicy: True
        RestrictPublicBuckets: True

asked 22 days ago, 315 views
2 Answers

Hello.

I can't find the resource type "AWS::S3::AccountPublicAccessBlock" in the documentation. Is it a commonly used resource type?
I thought maybe it's not supported by CloudFormation.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/AWS_S3.html

I thought that if I were to use CloudFormation, I would need to create a custom resource and create a Lambda that executes things like "put_public_access_block()".
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control/client/put_public_access_block.html#

answered 22 days ago; reviewed 21 days ago by Matt-B (AWS Expert)
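The custom-resource approach suggested in the answer above, as an added example that is not from the answer, from AWS, or from the original question: a Lambda handler backing a CloudFormation custom resource that calls s3control put_public_access_block for the account the stack is deployed into, so it can be rolled out by a stack set. The account ID is read from the stack ARN; the BLOCK_ALL defaults, the Delete behaviour, and the injectable s3control client are assumptions for illustration.

```python
import json
import urllib.request

# Constructed defaults: the four settings the question's template tried to set.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

def account_id_from_stack(stack_id):
    """The account ID is the 5th field of a stack ARN (arn:aws:cloudformation:region:account:stack/...)."""
    return stack_id.split(":")[4]

def apply_block(event, s3control):
    """Put (Create/Update) or delete (Delete) the account-level block; returns the config applied."""
    account = account_id_from_stack(event["StackId"])
    if event["RequestType"] == "Delete":
        # Assumption: removing the stack removes the block; drop this branch to keep it in place.
        s3control.delete_public_access_block(AccountId=account)
        return None
    props = event.get("ResourceProperties", {}).get("PublicAccessBlockConfiguration", {})
    # CloudFormation hands custom-resource properties to Lambda as strings, so coerce "true"/"false".
    config = {k: str(props.get(k, v)).lower() == "true" for k, v in BLOCK_ALL.items()}
    s3control.put_public_access_block(AccountId=account, PublicAccessBlockConfiguration=config)
    return config

def send_response(event, status, reason=""):
    """Tell CloudFormation the outcome via the pre-signed ResponseURL in the event."""
    body = json.dumps({
        "Status": status, "Reason": reason,
        "PhysicalResourceId": "account-public-access-block",
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def handler(event, context, s3control=None):
    if s3control is None:
        import boto3  # imported lazily so apply_block can be unit-tested without boto3
        s3control = boto3.client("s3control")
    try:
        apply_block(event, s3control)
        send_response(event, "SUCCESS")
    except Exception as exc:  # report FAILED rather than leaving the stack waiting until timeout
        send_response(event, "FAILED", str(exc))
```

The Lambda's execution role needs s3:PutAccountPublicAccessBlock (and s3:DeleteAccountPublicAccessBlock if the Delete branch is kept); the Access Denied in the question is what a missing permission looks like here too.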

Hi There

AWS::S3::AccountPublicAccessBlock is not a valid CloudFormation resource type. You won't be able to put an account-level public access block using CloudFormation.

Here are the supported ways of applying an account-level block: https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html

For example, you can use the CLI via the s3control api. See https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3control/put-public-access-block.html.

Once you set Block Public Access on the accounts, you can add an SCP to disallow changes to this configuration.

See this previous post which details the SCP: https://repost.aws/questions/QUUsKRARa1TmywIed1_9JpbA/scp-to-enable-block-s3-public-access

Matt-B (AWS Expert), answered 22 days ago
