Enforcing Public Block Access on S3 Bucket automatically

Overview

I. Terraform Providers

II. Modules

  • s3-scan-public
  • IAM roles and policies
  • CloudWatch Events
  • Lambda
  • SNS Notification

III. Lambda function

$ virtualenv -p python3 venv
Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7'
New python executable in /Users/oli/Documents/venv/bin/python3.7
Also creating executable in /Users/oli/Documents/venv/bin/python
Installing setuptools, pip, wheel...
done.$ source venv/bin/activate

IV. SSM Parameters

  • s3-public-exception-list: List of S3 Buckets excluded from Scan(StringList type)
  • default-source-email: Default name used as a source (String type)
  • default-destination-emails: List of email recipients (StringList type)
SSM Parameters configuration

V. Deploy

21:12 $ ./python_packages.sh
Requirement already satisfied: pytest in /Users/oli/Documents/terraform_s3_public_notifications/venv/lib/python3.7/site-packages
[...]~/Documents/terraform_s3_public_notifications/modules/s3-scan-public ~/Documents/terraform_s3_public_notifications/modules-------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 9.22/10, +0.78)
~/Documents/terraform_s3_public_notifications/modules
~/Documents/terraform_s3_public_notifications/modules/s3-scan-public ~/Documents/terraform_s3_public_notifications/modules
adding: s3_public.py (deflated 70%)
~/Documents/terraform_s3_public_notifications/modules
21:13 $ terraform init
Initializing modules...
Initializing the backend...Initializing provider plugins...The following providers do not have any version constraints in configuration,
so the latest version was installed.
[...]
(venv) ✔ ~/Documents/terraform_s3_public_notifications [master|✔]
21:51 $ terraform apply
module.s3-public-lambda.data.aws_ssm_parameter.s3_public_emails: Refreshing state...
module.s3-public-lambda.data.aws_caller_identity.current: Refreshing state...
module.s3-public-lambda.data.aws_ssm_parameter.display_name: Refreshing state...
module.s3-public-lambda.data.template_file.cloudformation_sns_stack: Refreshing state...
[...]Plan: 15 to add, 0 to change, 0 to destroy.Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yesmodule.s3-public-lambda.aws_iam_policy.s3_public_log_policy: Creating...
module.s3-public-lambda.aws_cloudwatch_event_rule.schedule: Creating...
module.s3-public-lambda.aws_iam_policy.access_ssm_policy: Creating...
module.s3-public-lambda.aws_iam_policy.access_s3_policy: Creating...
module.s3-public-lambda.aws_iam_role.lambda_s3_public_role: Creating...
module.s3-public-lambda.aws_cloudformation_stack.sns_topic: Creating...
[...]
Confirmation email of subscription

VI. Details of this repository

  • List all your existing buckets
  • Compare this list with the exempt list of S3 Buckets present in your SSM parameter
  • Check if Public Access Block ACL is applied on each of your bucket
  • Apply Public Access Block ACL on your bucket if it wasn’t apply
  • Notify by SNS notification

VII. Testing

AWS Lambda test
Email notification

--

--

--

Cloud technologies and solutions lover, https://cdcloudlogix.com

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Six of The Best Python Libraries for finance

Faster Git Workflow With Git Aliases

What Factors Influence the Cost of Web Application Development

Full Stack Development in 2020

A complete roadmap to become full stack developer

Pontem Web3 Foundation Grant

Are You Using Labels To Optimize Your Buckets To-Do List?

History | Operating Systems

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Olivier Butterbach

Olivier Butterbach

Cloud technologies and solutions lover, https://cdcloudlogix.com

More from Medium

aws_elastic_lb & aws_elastic_ip

An approach for building infrastructure as a code

Infrastructure as Code (IaC): Understanding the essentials

How to set up WordPress with a dedicated Database Server along with NAT Gateway on AWS Cloud?