Security Modules 1.4.0Last updated in version 1.4.0

S3 Account Public Access Block

View Source Release Notes

This Terraform Module configures Amazon S3 Account-Level Public Access Block settings. When enabled, these settings block public access to all S3 buckets in the account, providing a safety net against accidental public exposure of data.

Features

• Block public ACLs for all S3 buckets in the account

• Block public bucket policies for all S3 buckets in the account

• Ignore public ACLs on all S3 buckets in the account

• Restrict public bucket policies on all S3 buckets in the account

• All four settings default to true for maximum security

• Supports conditional resource creation via the create_resources variable

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

• Blocking Public Access to Amazon S3 Storage

• CIS AWS Foundations Benchmark - S3 Controls

Repo organization

• modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

• examples: This folder contains working examples of how to use the submodules.

• test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this module out, check out the following resources:

• examples/s3-account-public-access-block: A sample configuration optimized for learning, experimenting, and testing (but not production usage).

Production deployment

If you want to deploy this module in production, check out the following resources:

• How to configure a production-grade AWS account structure

Sample Usage

Terraform

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S S3-ACCOUNT-PUBLIC-ACCESS-BLOCK MODULE
# ------------------------------------------------------------------------------------------------------

module "s_3_account_public_access_block" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/s3-account-public-access-block?ref=v1.4.0"

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Whether Amazon S3 should block public ACLs for buckets in this account.
  block_public_acls = true

  # Whether Amazon S3 should block public bucket policies for buckets in this
  # account.
  block_public_policy = true

  # Set to false to have this module skip creating resources. This weird
  # parameter exists solely because Terraform does not support conditional
  # modules. Therefore, this is a hack to allow you to conditionally decide if
  # the resources in this module should be created or not.
  create_resources = true

  # Whether Amazon S3 should ignore public ACLs for buckets in this account.
  ignore_public_acls = true

  # Whether Amazon S3 should restrict public bucket policies for buckets in this
  # account.
  restrict_public_buckets = true

}

Terragrunt

terragrunt.hcl

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S S3-ACCOUNT-PUBLIC-ACCESS-BLOCK MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/s3-account-public-access-block?ref=v1.4.0"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Whether Amazon S3 should block public ACLs for buckets in this account.
  block_public_acls = true

  # Whether Amazon S3 should block public bucket policies for buckets in this
  # account.
  block_public_policy = true

  # Set to false to have this module skip creating resources. This weird
  # parameter exists solely because Terraform does not support conditional
  # modules. Therefore, this is a hack to allow you to conditionally decide if
  # the resources in this module should be created or not.
  create_resources = true

  # Whether Amazon S3 should ignore public ACLs for buckets in this account.
  ignore_public_acls = true

  # Whether Amazon S3 should restrict public bucket policies for buckets in this
  # account.
  restrict_public_buckets = true

}

Reference

Inputs

Optional

block_public_aclsbooloptional

Whether Amazon S3 should block public ACLs for buckets in this account.

Default:true

block_public_policybooloptional

Whether Amazon S3 should block public bucket policies for buckets in this account.

Default:true

create_resourcesbooloptional

Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources in this module should be created or not.

Default:true

ignore_public_aclsbooloptional

Whether Amazon S3 should ignore public ACLs for buckets in this account.

Default:true

restrict_public_bucketsbooloptional

Whether Amazon S3 should restrict public bucket policies for buckets in this account.

Default:true

Outputs

block_public_acls

Whether public ACLs are blocked.

block_public_policy

Whether public bucket policies are blocked.

id

The AWS account ID of the S3 account public access block.

ignore_public_acls

Whether Amazon S3 should ignore public ACLs for buckets in this account.

restrict_public_buckets

Whether Amazon S3 should restrict public bucket policies for buckets in this account.