
[question] private is not real private access #7

Closed
ozbillwang opened this issue Nov 7, 2019 · 5 comments

Comments

@ozbillwang

ozbillwang commented Nov 7, 2019

Applying the S3 bucket change with this module with the option

    acl    = "private"

But the real bucket's access status is "Objects can be public", while I want to set the bucket to "Buckets and objects not public".

What option should I go with?

reference:

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access.html

Viewing Access Status

The list buckets view shows whether your bucket is publicly accessible. Amazon S3 labels the permissions for a bucket as follows:

Public – Everyone has access to one or more of the following: List objects, Write objects, Read and write permissions.

Objects can be public – The bucket is not public, but anyone with the appropriate permissions can grant public access to objects.

Buckets and objects not public – The bucket and objects do not have any public access.

Only authorized users of this account – Access is isolated to IAM users and roles in this account and AWS service principals because there is a policy that grants public access.

Going through this URL, it seems none of them is suitable:

https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

@ozbillwang (Author)

ozbillwang commented Nov 7, 2019

https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/

https://www.terraform.io/docs/providers/aws/r/s3_bucket_public_access_block.html

All four options need to be set to true.

@antonbabenko (Member)

Hi, Bill!

Yes, you are right. This module has to implement aws_s3_bucket_public_access_block resource as well.

I will reopen this issue as a reminder for myself when I work on this.

@antonbabenko (Member)

Hi all,

v1.6.0 has been just released. It has support for blocking public access, see an example:

// S3 bucket-level Public Access Block configuration
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true

yarda7 pushed a commit to yarda7/terraform-aws-s3-bucket that referenced this issue Jan 20, 2021
@hanswesterbeek

Ok so one must add:

resource "aws_s3_bucket_public_access_block" "all_private" {
  bucket = aws_s3_bucket.nicebucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
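The point of the thread is that acl = "private" only sets the bucket ACL, while the four aws_s3_bucket_public_access_block settings decide whether objects can still be made public. The following audit helper is an added example (not code from the module or from anyone in this thread): it models that distinction in Python on dicts shaped like boto3's get_public_access_block and get_bucket_acl responses, using the console labels quoted in the issue. The sample ACLs are constructed, and bucket-policy evaluation is deliberately out of scope.

```python
"""Added example: classify an S3 bucket's exposure from its Public Access Block
settings and ACL grants. Input dicts mirror the shape of boto3's
get_public_access_block / get_bucket_acl responses; all sample data below is
constructed, not captured from AWS. Bucket policies are not evaluated here."""

# The four flags exposed by aws_s3_bucket_public_access_block (boto3 key names).
ALL_FOUR = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Grantee URIs that make an ACL grant "public" in S3's sense.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def grants_public(acl: dict) -> bool:
    """True if any grant in a get_bucket_acl-style dict targets everyone."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))


def fully_blocked(pab: dict) -> bool:
    """True only when all four Public Access Block flags are set to true."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ALL_FOUR)


def classify(pab: dict, bucket_acl: dict, object_acls: list) -> str:
    """Map a bucket to the console labels quoted in the issue (ACLs only)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    # BlockPublicAcls only rejects *new* public ACLs; existing ones keep
    # working unless IgnorePublicAcls tells S3 to disregard them.
    ignore = cfg.get("IgnorePublicAcls") is True
    if not ignore and (grants_public(bucket_acl) or any(map(grants_public, object_acls))):
        return "Public"
    if fully_blocked(pab):
        return "Buckets and objects not public"
    # acl = "private" alone: nothing public right now, but a public-read
    # object ACL added later would still be honoured.
    return "Objects can be public"


# Constructed sample data (hypothetical owner id, no real account values).
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_READ = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in ALL_FOUR}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in ALL_FOUR}}
```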

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2022