[IT-4074] Enable access flags for S3 buckets (#341)

zaro0508 · web-flow · commit b6245662c84d · 2025-04-02T12:42:54.000-07:00
Security hub says we should enable per bucket access flags
when creating buckets to make sure they are private.
diff --git a/templates/s3/sc-s3-encrypted-ra.yaml b/templates/s3/sc-s3-encrypted-ra.yaml
@@ -37,6 +37,11 @@ Resources:
     UpdateReplacePolicy: Retain
     Properties:
       BucketName: !If [HasBucketName, !Ref BucketName, !Ref 'AWS::NoValue']
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
diff --git a/templates/s3/sc-s3-synapse-ra.yaml b/templates/s3/sc-s3-synapse-ra.yaml
@@ -47,6 +47,11 @@ Resources:
     UpdateReplacePolicy: Retain
     Properties:
       BucketName: !If [HasBucketName, !Ref BucketName, !Ref 'AWS::NoValue']
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
