Terraform how to restrict s3 objects from being public

Using Terraform, I am declaring an s3 bucket and associated policy document, along with an iam_role and iam_role_policy.

The s3 bucket is creating fine in AWS however the bucket is listed as "Access: Objects can be public", and want the objects to be private. How can I explicitly make the objects private?

resource "aws_s3_bucket" "app" {
  bucket = "${data.aws_caller_identity.current.account_id}-app"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

data "aws_iam_policy_document" "app_s3_policy" {
  statement {
    effect = "Allow"

    actions = [
      "s3:PutObject"
    ]

    resources = [
      aws_s3_bucket.app.arn,
      "${aws_s3_bucket.app.arn}/*"
    ]
  }
}
William Ross asked May 04 '21 17:05


People also ask

How do I block public access to S3 bucket in Terraform?

To control the access of the S3 bucket you need to use the aws_s3_bucket_public_access_block resource in your Terraform code as shown below.

How do I restrict an S3 bucket in public access?

Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future by using S3 Block Public Access. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access.

Can a private S3 bucket have public objects?

Steps to allow public access to private AWS S3 bucket files: Click on the private S3 bucket with the object that you want to make public. Click on the Permissions tab. Click Edit on the Block public access section. Click on the Block all public access to uncheck and disable the options.

Why S3 bucket should not be public?

Users can control the accessibility and privacy of their S3 buckets in bucket policy. It is recommended that AWS S3 buckets should not be publicly accessible to other users in AWS. Publicly accessible S3 bucket means that other AWS users can access your data stored in the bucket which can lead to misuse of the data.

How to use S3 as a backend in Terraform?

If you want to use S3 as a backend in Terraform, first, you must create an S3 bucket and then specify that bucket in your config file as backend. Now we create our S3 bucket for remote state and Amazon DynamoDB table for Locking state.

How do I prevent terraform from deleting resources?

Be explicit with Terraform resources. Even though you can prevent deletion of resources using the prevent_destroy attribute, you must still prevent Terraform from detecting changes to your resource. If not, you will just be faced with the error that informs you of your resource attempting to be destroyed.

Does terraform ignore leading /s in the key?

Terraform ignores all leading /s in the object's key and treats multiple /s in the rest of the object's key as a single /, so values of /index.html and index.html correspond to the same S3 object as do first//second///third// and first/second/third/.

Why do we need to keep S3 buckets private?

Keeping S3 buckets private, even when they hold publicly accessible assets such as static website files, is critical for cloud infrastructure security. The approach of using a CloudFront OAI to access a private S3 bucket is very easy to configure, and AWS recommends implementing it.


1 Answer

The easiest way to block all objects in a bucket from ever being public is to attach an aws_s3_bucket_public_access_block resource to the bucket. It would look like this:

resource "aws_s3_bucket_public_access_block" "app" {
  bucket = aws_s3_bucket.app.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
Mark B answered Nov 15 '22 08:11
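The public access block above only helps if every bucket in the configuration actually gets one with all four flags set to true, which is easy to miss once there are many buckets. The following Python check is an added example, not part of the original answer: it walks the JSON produced by `terraform show -json tfplan` and reports buckets that have no aws_s3_bucket_public_access_block or leave a flag false. The sample plan is constructed, it assumes the root-module shape shown in the sample (child modules are not walked), and it links a block to its bucket through the configuration references because the bucket id is unknown at plan time.

```python
import json
# Constructed sample of `terraform show -json tfplan` output, cut down to the
# fields used here (assumption: real output has this shape). Bucket "app" has
# an access block with one flag left false; bucket "logs" has no block at all.
PLAN_JSON = """{
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.app", "type": "aws_s3_bucket", "values": {}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}},
  {"address": "aws_s3_bucket_public_access_block.app",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"block_public_acls": true, "block_public_policy": true,
              "ignore_public_acls": false, "restrict_public_buckets": true}}
 ]}},
 "configuration": {"root_module": {"resources": [
  {"address": "aws_s3_bucket_public_access_block.app",
   "type": "aws_s3_bucket_public_access_block",
   "expressions": {"bucket": {"references": ["aws_s3_bucket.app.id", "aws_s3_bucket.app"]}}}
 ]}}
}"""

REQUIRED_FLAGS = ("block_public_acls", "block_public_policy",
                  "ignore_public_acls", "restrict_public_buckets")

def find_unprotected_buckets(plan_json_text):
    """Return {bucket_address: reason} for each aws_s3_bucket not covered by an
    aws_s3_bucket_public_access_block that sets all four flags to true."""
    plan = json.loads(plan_json_text)
    planned = plan["planned_values"]["root_module"]["resources"]
    config = plan["configuration"]["root_module"]["resources"]
    flags = {r["address"]: r["values"] for r in planned
             if r["type"] == "aws_s3_bucket_public_access_block"}
    # Bucket id is unknown at plan time: map aws_s3_bucket.<name>[.id] -> block address
    block_for = {}
    for r in config:
        if r["type"] == "aws_s3_bucket_public_access_block":
            for ref in r["expressions"].get("bucket", {}).get("references", []):
                if ref.startswith("aws_s3_bucket."):
                    block_for[".".join(ref.split(".")[:2])] = r["address"]
    findings = {}
    for r in planned:
        if r["type"] != "aws_s3_bucket":
            continue
        block = block_for.get(r["address"])
        if block is None:
            findings[r["address"]] = "no aws_s3_bucket_public_access_block"
        else:
            missing = [f for f in REQUIRED_FLAGS if flags[block].get(f) is not True]
            if missing:
                findings[r["address"]] = "flags not true: " + ", ".join(missing)
    return findings
```

Run it against a real plan with `find_unprotected_buckets(open("plan.json").read())` after `terraform show -json tfplan > plan.json`; an empty result means every bucket in the root module is covered.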