Restrict S3 buckets with READ_ACP permissions to all Authenticated Users
This workflow looks at all of the S3 buckets in a given account and restricts those that provide 'READ_ACP' access to all Authenticated Users. It requires an AWS account with permissions to modify S3 buckets.
It evaluates all buckets for a grant that includes:
- Group containing "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
- Permission containing "READ"
These buckets will be restricted to be 'private'.
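The evaluation above, written out as an added Python example (not the workflow's own code): it walks each bucket's ACL in the shape boto3's `get_bucket_acl()` returns, flags grants whose grantee is the AuthenticatedUsers group with a matching permission, and resets flagged buckets to the `private` canned ACL unless dry-run is on. It generalises slightly by taking the permission set as a parameter, so the same check covers 'READ' and 'READ_ACP'. The `FakeS3` client and the `sample_acls()` data are constructed stand-ins so the code runs offline; against AWS you would pass a real `boto3.client("s3")` instead.

```python
"""Flag S3 buckets that grant a permission to the AuthenticatedUsers group and
reset them to the 'private' canned ACL (unless running in dry-run mode)."""

AUTHENTICATED_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def grants_to_authenticated_users(acl, permissions=("READ",)):
    """Return the permissions in `acl` granted to the AuthenticatedUsers group.

    `acl` has the shape returned by boto3's get_bucket_acl(). The match is an
    exact comparison against `permissions`, so 'READ' does not also catch 'READ_ACP'.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are out of scope
        if grantee.get("URI") != AUTHENTICATED_USERS_GROUP:
            continue  # e.g. AllUsers or LogDelivery: different policy, not this one
        if grant.get("Permission") in permissions:
            found.append(grant["Permission"])
    return found


def restrict_buckets(s3, permissions=("READ",), dry_run=True):
    """Evaluate every bucket visible through `s3` and return the non-compliant names.

    `s3` is any object exposing list_buckets / get_bucket_acl / put_bucket_acl
    with boto3 semantics. With dry_run=True nothing is modified.
    """
    flagged = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        if not grants_to_authenticated_users(acl, permissions):
            continue
        flagged.append(name)
        if not dry_run:
            s3.put_bucket_acl(Bucket=name, ACL="private")
    return flagged


class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client (offline demo only)."""

    def __init__(self, acls):
        self.acls = acls
        self.calls = []  # records (bucket, canned_acl) for every put_bucket_acl

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self.acls]}

    def get_bucket_acl(self, Bucket):
        return self.acls[Bucket]

    def put_bucket_acl(self, Bucket, ACL):
        self.calls.append((Bucket, ACL))
        # The 'private' canned ACL leaves only the owner's FULL_CONTROL grant.
        owner = self.acls[Bucket]["Owner"]
        self.acls[Bucket] = {
            "Owner": owner,
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                        "Permission": "FULL_CONTROL"}],
        }


def sample_acls():
    """Constructed sample ACLs covering the cases the check has to tell apart."""
    owner = {"ID": "constructed-owner-id"}
    owner_grant = {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                   "Permission": "FULL_CONTROL"}
    auth_users = {"Type": "Group", "URI": AUTHENTICATED_USERS_GROUP}
    all_users = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
    return {
        "logs-bucket": {"Owner": owner, "Grants": [owner_grant, {"Grantee": auth_users, "Permission": "READ"}]},
        "acl-bucket": {"Owner": owner, "Grants": [owner_grant, {"Grantee": auth_users, "Permission": "READ_ACP"}]},
        "private-bucket": {"Owner": owner, "Grants": [owner_grant]},
        "public-bucket": {"Owner": owner, "Grants": [owner_grant, {"Grantee": all_users, "Permission": "READ"}]},
    }


if __name__ == "__main__":
    s3 = FakeS3(sample_acls())
    print("dry run, READ only:", restrict_buckets(s3, dry_run=True))
    print("enforce, READ + READ_ACP:", restrict_buckets(s3, ("READ", "READ_ACP"), dry_run=False))
    print("ACL changes made:", s3.calls)
```

Note that `public-bucket` is never flagged: its grant goes to the AllUsers group, which this workflow does not evaluate, so a separate check is needed for anonymous access.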
Before you run this workflow, you will need the following:
- An AWS account.
- An AWS IAM user with permissions to list and modify S3 buckets (if not run in dry run mode).
- One or more S3 buckets that provide 'READ' access to all Authenticated Users.
Run the workflow
Follow these steps to run the workflow:
Add your AWS credentials as a Connection:
- Click Setup
- Find the Connection named `my-aws-account` and click Edit (✎). Use the following values:
ACCESS KEY ID
- VALUE: Enter your AWS access key id associated with the account
SECRET ACCESS KEY
- VALUE: Enter your AWS secret access key associated with the account
- Click Save
Click Run workflow and wait for the workflow run page to appear.
Supply the following parameters to the modal:
dryRun
- VALUE: True if you don't want to actually modify the buckets. Use this to test the workflow and ensure it is behaving as expected.
Warning: If you run the workflow with the `dryRun` parameter set to `false`, buckets not in compliance with this workflow policy will immediately be modified to be 'private'.
Run the workflow on a schedule
Follow these steps to run this workflow on a schedule:
- Un-comment out the Trigger block in the workflow file:
TIP: If you're using the Relay code editor, highlight the `triggers` section and type `⌘ + /` (Mac) or `Ctrl + /` (Windows) to uncomment.

```yaml
# triggers:
#   - name: schedule
#     source:
#       type: schedule
#       schedule: '0 * * * *'
#     binding:
#       parameters:
#         dryRun: true
```
- Configure the `schedule` trigger:
  - Supply the run interval in cron format.
- Configure the following parameter bindings:
  - Specify whether `dryRun` should be set to `true` or `false`.
- Click Save changes