Snippets
Created by
Matt Brister
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 | Resources:
S3BucketPublicReadProhibited:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: S3BucketPublicReadProhibited
Description: >-
Checks that your Amazon S3 buckets do not allow public read access.
The rule checks the Block Public Access settings, the bucket policy, and the
bucket access control list (ACL).
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
MaximumExecutionFrequency: Six_Hours
S3PublicReadRemediation:
DependsOn: S3BucketPublicReadProhibited
Type: 'AWS::Config::RemediationConfiguration'
Properties:
ConfigRuleName: S3BucketPublicReadProhibited
ResourceType: "AWS::S3::Bucket"
TargetId: "AWS-DisableS3BucketPublicReadWrite"
TargetType: "SSM_DOCUMENT"
TargetVersion: "1"
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- arn:aws:iam::<account number>:role/<role>
S3BucketName:
ResourceValue:
Value: "RESOURCE_ID"
ExecutionControls:
SsmControls:
ConcurrentExecutionRatePercentage: 10
ErrorPercentage: 10
Automatic: True
MaximumAutomaticAttempts: 10
RetryAttemptSeconds: 600
S3BucketPublicWriteProhibited:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: S3BucketPublicWriteProhibited
Description: "Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)."
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
MaximumExecutionFrequency: Six_Hours
S3PublicWriteRemediation:
DependsOn: S3BucketPublicWriteProhibited
Type: 'AWS::Config::RemediationConfiguration'
Properties:
ConfigRuleName: S3BucketPublicWriteProhibited
ResourceType: "AWS::S3::Bucket"
TargetId: "AWS-DisableS3BucketPublicReadWrite"
TargetType: "SSM_DOCUMENT"
TargetVersion: "1"
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- arn:aws:iam::<account number>:role/<role>
S3BucketName:
ResourceValue:
Value: "RESOURCE_ID"
ExecutionControls:
SsmControls:
ConcurrentExecutionRatePercentage: 10
ErrorPercentage: 10
Automatic: True
MaximumAutomaticAttempts: 10
RetryAttemptSeconds: 600
S3BucketServerSideEncryptionEnabled:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: S3BucketServerSideEncryptionEnabled
Description: "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
S3BucketServerSideEncryptionEnabledRemediation:
DependsOn: S3BucketServerSideEncryptionEnabled
Type: 'AWS::Config::RemediationConfiguration'
Properties:
ConfigRuleName: S3BucketServerSideEncryptionEnabled
ResourceType: "AWS::S3::Bucket"
TargetId: "AWS-EnableS3BucketEncryption"
TargetType: "SSM_DOCUMENT"
TargetVersion: "1"
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- arn:aws:iam::<account number>:role/<role>
BucketName:
ResourceValue:
Value: "RESOURCE_ID"
SSEAlgorithm:
StaticValue:
Values:
- "AES256"
ExecutionControls:
SsmControls:
ConcurrentExecutionRatePercentage: 10
ErrorPercentage: 10
Automatic: True
MaximumAutomaticAttempts: 10
RetryAttemptSeconds: 600
|
Comments (0)
You can clone a snippet to your computer for local editing. Learn more.