Skip to content

fix: Ownership controls & public access block config #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
michaelwittig wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: Ownership controls & public access block config #31

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9a1a33d
fix: Ownership controls & public access block config
michaelwittig Aug 17, 2023
45fff52
add missing test
michaelwittig Aug 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions module.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ Conditions:
HasPartitionPublic: !Equals [!Ref 'AWS::Partition', 'aws']
HasPartitionChina: !Equals [!Ref 'AWS::Partition', 'aws-cn']
HasPartitionUsGov: !Equals [!Ref 'AWS::Partition', 'aws-us-gov']
HasPublicAccessBlock: !Not [!Condition HasPublicReadAccess]
HasBlockPublicAccess: !Not [!Condition HasPublicReadAccess]
Resources:
PolicyLambdaEventTarget1:
Type: 'AWS::IAM::Policy'
Expand Down Expand Up @@ -224,7 +224,8 @@ Resources:
- !If [HasLambdaEventTargetLambdaModule2, {Event: !Ref LambdaEventType2, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule2}-Arn'}}, !Ref 'AWS::NoValue']
- !If [HasLambdaEventTargetLambdaModule3, {Event: !Ref LambdaEventType3, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule3}-Arn'}}, !Ref 'AWS::NoValue']
# QueueConfigurations: # Using SQS as a target does not work because the SQS queue policy can not be restricted to an AWS account (only to single S3 buckets which is not possible because we don't have that information (cyclic dependency)).
PublicAccessBlockConfiguration: !If [HasPublicAccessBlock, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, !Ref 'AWS::NoValue'] # AWS Foundational Security Best Practices v1.0.0 S3.8
OwnershipControls: !If [HasBlockPublicAccess, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}]
PublicAccessBlockConfiguration: !If [HasBlockPublicAccess, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, {BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: false}] # AWS Foundational Security Best Practices v1.0.0 S3.8
VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
BucketEncryption: !If [HasKmsKeyModule, {ServerSideEncryptionConfiguration: [{ServerSideEncryptionByDefault: {KMSMasterKeyID: {'Fn::ImportValue': !Sub '${KmsKeyModule}-Arn'}, SSEAlgorithm: 'aws:kms'}}]}, !Ref 'AWS::NoValue']
BucketPolicyPrivate:
Expand Down
11 changes: 11 additions & 0 deletions test/access.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,3 +88,14 @@ test.serial('FlowLogWrite', async t => {
t.pass();
}
});

test.serial('Custom', async t => {
const stackName = cfntest.stackName();
try {
t.log(await cfntest.createStack(`${__dirname}/access.yml`, stackName, {Access: 'FlowLogWrite'}));
// what could we test here?
} finally {
t.log(await cfntest.deleteStack(stackName));
t.pass();
}
});