Filter CloudTrail event in IAM policy

I need to create an Org SCP to deny the "s3:PutBucketPublicAccessBlock" action. What I currently have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangingBucketPublicAccessSetting",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This will prevent users from changing this setting on existing buckets. However, when creating new buckets, this policy also prevents users from applying "Block public access (bucket settings)", and the result is that the bucket is created, but all block public access boxes are unchecked.

Looking at the CloudTrail event for this particular API, PutBucketPublicAccessBlock, I can see this attribute, 'requestParameters':

    "requestParameters": {
        "publicAccessBlock": "",
        "bucketName": "testbucket",
        "PublicAccessBlockConfiguration": {
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
            "RestrictPublicBuckets": true,
            "BlockPublicPolicy": true,
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true
        },
        "Host": "testbucket.s3.us-east-1.amazonaws.com"
    },

Is it possible to add a 'Condition' key to the IAM JSON to filter on the above CloudTrail event data?

1 answer

Hello,

Currently, it is not possible to restrict the bucket creation action based on the "Block Public Access" settings used by the user/role while creating the S3 bucket. You can use the 'block public access' settings feature at the account level via the CLI/SDK or the AWS Management Console [1]. Once this setting is enabled, all buckets are made private, including the ones that are yet to be created. However, if you do have public S3 buckets, then it will alter your existing setup.

There is currently a feature request logged to make this use case possible through condition keys. Unfortunately, we won't be able to provide you with an ETA on when this feature might be released, as I have no visibility into that process. However, all of our new announcements and releases can be found on our What's New page [1] and our Official Blog [2].

[1]What's New with AWS - https://aws.amazon.com/new/

[2]AWS News Blog - https://aws.amazon.com/blogs/aws/

AWS
Support Engineer
answered 2 years ago
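Since, as the answer says, no SCP condition key can look inside the PublicAccessBlockConfiguration of the request, the practical controls are to enforce Block Public Access at the account level and to detect any call that weakens it afterwards. The script below is an added example and is not part of the re:Post thread or AWS's own tooling. It runs that detection over constructed CloudTrail records: the first record copies the requestParameters quoted in the question, the rest vary it. The account-level event names (PutAccountPublicAccessBlock, DeleteAccountPublicAccessBlock), the accountId request parameter, and every account ID, ARN and bucket name are assumptions for illustration; check the event names against your own trail before deploying.

```python
import json
from typing import Dict, List

# The four Block Public Access flags, named exactly as they appear in the
# PublicAccessBlockConfiguration element of the CloudTrail requestParameters.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Calls that can weaken Block Public Access. The bucket-level Put and Delete
# sit behind the IAM action s3:PutBucketPublicAccessBlock, the account-level
# ones behind s3:PutAccountPublicAccessBlock. The account-level CloudTrail
# event names below are assumed, not taken from the thread.
BPA_EVENTS = {"PutBucketPublicAccessBlock", "DeletePublicAccessBlock",
              "PutAccountPublicAccessBlock", "DeleteAccountPublicAccessBlock"}


def flags_left_off(record: Dict) -> List[str]:
    """Return the BPA flags a call leaves disabled; [] if the call is harmless.

    PutPublicAccessBlock replaces the whole configuration, so a flag absent
    from the request is treated as off (the conservative reading). A Delete
    removes the configuration entirely, so every flag is reported.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return []
    name = record.get("eventName")
    if name not in BPA_EVENTS:
        return []
    if name.startswith("Delete"):
        return list(BPA_FLAGS)
    params = record.get("requestParameters") or {}
    config = params.get("PublicAccessBlockConfiguration") or {}
    return [flag for flag in BPA_FLAGS if config.get(flag) is not True]


def target_of(record: Dict) -> str:
    """Describe what the call touched: a named bucket, else the account."""
    params = record.get("requestParameters") or {}
    if params.get("bucketName"):
        return "bucket " + params["bucketName"]
    account = params.get("accountId") or record.get("recipientAccountId") or "?"
    return "account " + str(account)


def find_weakening(records: List[Dict]) -> List[Dict]:
    """Run the check over a batch of CloudTrail records and return findings."""
    findings = []
    for record in records:
        off = flags_left_off(record)
        if not off:
            continue
        findings.append({
            "eventTime": record.get("eventTime"),
            "eventName": record.get("eventName"),
            "actor": (record.get("userIdentity") or {}).get("arn"),
            "target": target_of(record),
            "flagsOff": off,
        })
    return findings


# Constructed sample records, not real CloudTrail output.
SAMPLE_RECORDS = [
    {   # all four flags on: the create-time call the SCP in the question blocks
        "eventTime": "2023-01-01T00:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPublicAccessBlock",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BucketBuilder"},
        "requestParameters": {
            "publicAccessBlock": "",
            "bucketName": "testbucket",
            "PublicAccessBlockConfiguration": {
                "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
                "RestrictPublicBuckets": True, "BlockPublicPolicy": True,
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
            },
            "Host": "testbucket.s3.us-east-1.amazonaws.com",
        },
    },
    {   # one flag switched off and one omitted: a real weakening of the bucket
        "eventTime": "2023-01-01T00:01:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPublicAccessBlock",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "publicAccessBlock": "",
            "bucketName": "testbucket",
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False,
            },
        },
    },
    {   # account-level setting turned fully off (assumed record shape)
        "eventTime": "2023-01-01T00:02:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutAccountPublicAccessBlock",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "accountId": "111122223333",
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
            },
        },
    },
    {   # unrelated S3 call, ignored by the check
        "eventTime": "2023-01-01T00:03:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "testbucket"},
    },
]

if __name__ == "__main__":
    for finding in find_weakening(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The first record (the question's own event) produces no finding, which is the point: a create-time call that turns all four flags on is benign and is exactly what the question's SCP was blocking by accident. Pairing this check with the account-level setting the answer recommends, and an SCP that denies only s3:PutAccountPublicAccessBlock so the account-level configuration cannot be changed while s3:PutBucketPublicAccessBlock stays allowed for bucket creation, is a hardening choice of this example, not something stated in the thread.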
