The custom resource in this repository enables you to use the newly added S3 feature for blocking the creation of public S3 buckets in an AWS account. Please read my blog post for more information: blocking account-wide creation of public S3 buckets through a CloudFormation custom resource.
Note that this custom resource enables all four account-level Block Public Access settings (blocking and ignoring public ACLs, blocking public bucket policies and restricting public buckets), so it blocks every way a bucket in the account can be made public. See the original blog post linked above for more information on the individual settings now available.
The Lambda function is now deployed with minimal permissions.
At the time of writing, I have not yet been able to find the specific IAM permissions needed to execute the `put_public_access_block` and `delete_public_access_block` API calls. I have of course tried the obvious (`s3:DeletePublicAccessBlock` and `s3:PutPublicAccessBlock`), but these do not work. As it works with `s3:*`, I have decided to use this for now. As this definitely does not follow the security least-privilege principle, I would very much like to replace this with the proper permissions. If you happen to know what permissions to place here, please leave a comment on my blog or send me a message on Twitter.
- AWS CLI configured with administrator permissions
- Python 3 installed
- Pipenv installed:

```shell
pip install pipenv
```
First, change the first line of the Makefile to specify the S3 bucket to which the SAM artifacts are uploaded. Then run the following command to deploy the stack:

```shell
make deploy
```

This will first initialize your environment with the following steps:

- Set up a virtual environment using pipenv
- Download the dependencies into the `build/` directory
- Copy the source code into the `build/` directory
You can now start using this custom resource. An example of how to use it is in the `stack.yaml` file. You can deploy this example stack using the following command:

```shell
make deploy-stack
```