From 9a1a33dffd5bf7f34a62dec86579a3c492036075 Mon Sep 17 00:00:00 2001
From: Michael Wittig
Date: Thu, 17 Aug 2023 17:34:20 +0200
Subject: [PATCH 1/2] fix: Ownership controls & public access block config
---
 module.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/module.yml b/module.yml
index a048a9c..2639d78 100644
--- a/module.yml
+++ b/module.yml
@@ -96,7 +96,7 @@ Conditions:
 HasPartitionPublic: !Equals [!Ref 'AWS::Partition', 'aws']
 HasPartitionChina: !Equals [!Ref 'AWS::Partition', 'aws-cn']
 HasPartitionUsGov: !Equals [!Ref 'AWS::Partition', 'aws-us-gov']
- HasPublicAccessBlock: !Not [!Condition HasPublicReadAccess]
+ HasBlockPublicAccess: !Not [!Condition HasPublicReadAccess]
 Resources:
 PolicyLambdaEventTarget1:
 Type: 'AWS::IAM::Policy'
@@ -224,7 +224,8 @@ Resources:
 - !If [HasLambdaEventTargetLambdaModule2, {Event: !Ref LambdaEventType2, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule2}-Arn'}}, !Ref 'AWS::NoValue']
 - !If [HasLambdaEventTargetLambdaModule3, {Event: !Ref LambdaEventType3, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule3}-Arn'}}, !Ref 'AWS::NoValue']
 # QueueConfigurations: # Using SQS as a target does not work because the SQS queue policy can not be restricted to an AWS account (only to single S3 buckets which is not possible because we don't have that information (cyclic dependency)).
- PublicAccessBlockConfiguration: !If [HasPublicAccessBlock, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, !Ref 'AWS::NoValue'] # AWS Foundational Security Best Practices v1.0.0 S3.8
+ OwnershipControls: !If [HasBlockPublicAccess, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}]
+ PublicAccessBlockConfiguration: !If [HasBlockPublicAccess, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, {BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: false}] # AWS Foundational Security Best Practices v1.0.0 S3.8
 VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
 BucketEncryption: !If [HasKmsKeyModule, {ServerSideEncryptionConfiguration: [{ServerSideEncryptionByDefault: {KMSMasterKeyID: {'Fn::ImportValue': !Sub '${KmsKeyModule}-Arn'}, SSEAlgorithm: 'aws:kms'}}]}, !Ref 'AWS::NoValue']
 BucketPolicyPrivate:
From 45fff52ad9ccd242235c3549ac408e3a9041ca8a Mon Sep 17 00:00:00 2001
From: Michael Wittig
Date: Fri, 18 Aug 2023 10:21:24 +0200
Subject: [PATCH 2/2] add missing test
---
 test/access.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
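Review bot: The trailing `# AWS Foundational Security Best Practices v1.0.0 S3.8` comment on the new PublicAccessBlockConfiguration line now sits on an !If whose public-read branch deliberately sets BlockPublicPolicy and RestrictPublicBuckets to false, which is precisely what S3.8 flags, so a reader skimming the line will take both branches as compliant. I'd extend it to `# AWS Foundational Security Best Practices v1.0.0 S3.8 (only the HasBlockPublicAccess branch is compliant; the public-read branch keeps BlockPublicPolicy/RestrictPublicBuckets off so a public bucket policy can grant read access)`, since with public ACLs blocked and ignored in both branches a bucket policy is presumably the only remaining route to public read. On the same reasoning, BucketOwnerPreferred in the new OwnershipControls line adds nothing for public access and only keeps non-public object ACLs enabled; unless some caller relies on ACL-based cross-account grants, BucketOwnerEnforced in both branches would be simpler and tighter, and either choice deserves a one-line comment. The enclosing bucket resource's Properties block starts and ends outside the hunk.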
diff --git a/test/access.js b/test/access.js
index 2600ce0..34de189 100644
--- a/test/access.js
+++ b/test/access.js
@@ -88,3 +88,14 @@ test.serial('FlowLogWrite', async t => {
 t.pass();
 }
 });
+
+test.serial('Custom', async t => {
+ const stackName = cfntest.stackName();
+ try {
+ t.log(await cfntest.createStack(`${__dirname}/access.yml`, stackName, {Access: 'FlowLogWrite'}));
+ // what could we test here?
+ } finally {
+ t.log(await cfntest.deleteStack(stackName));
+ t.pass();
+ }
+});
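Review bot: The new `Custom` test passes `{Access: 'FlowLogWrite'}` to createStack, the same parameter value the preceding `FlowLogWrite` test already uses, so it re-runs that case instead of exercising the access mode its name announces; presumably the intent was `{Access: 'Custom'}`. The `// what could we test here?` line should either become a real assertion on the created stack or be replaced by a comment that states what the test actually verifies, e.g. `// smoke test: only verifies the template deploys with Access=Custom`. Since `t.pass()` in `finally` does not stop a throwing createStack from failing the test, the deploy result is the only thing being checked here, and the comment should say so rather than leave the question open.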