Restrict public S3 buckets with WRITE permissions

WORKFLOW

This workflow looks at all of the public S3 buckets in a given account and restricts those that provide 'WRITE' access. Requires an AWS account with permissions to modify S3 buckets.

Source

View on GitHub

Code

Relay uses YAML to define the steps in a workflow.

Graph

Each step in the workflow is visualized below.

This workflow looks at all of the public S3 buckets in a given account and restricts those that provide 'WRITE' access.

It evaluates all buckets for a grant that includes:

Group containing "http://acs.amazonaws.com/groups/global/AllUsers"
Permission containing "WRITE"

These buckets will be restricted to be 'private'.

Prerequisites

Before you run this workflow, you will need the following:

An AWS account.
An AWS IAM user with permissions to list and modify S3 buckets (if not run in dry run mode).
One or more S3 buckets that are public and provide 'WRITE' access.

Run the workflow

Follow these steps to run the workflow:

Add your AWS credentials as a Connection:
- Click Setup
- Find the Connection named my-aws-account and click Edit(✎). Use the following values:
  - KEY: ACCESS KEY ID
  - VALUE: Enter your AWS access key id associated with the account
  - KEY: SECRET ACCESS KEY
  - VALUE: Enter your AWS secret access key associated with the account
- Click Save
Click Run workflow and wait for the workflow run page to appear.
Supply following parameters to the modal:
- KEY: dryRun
- VALUE: True if you dont want to actually delete the resources. Use this to test the workflow and ensure it is behaving as expected.
Warning: If you run the workflow with the dryRun parameter set to false, buckets not in compliance with this workflow policy will immediately be modified to be 'private'.

Run the workflow on a schedule

Follow these steps to run this workflow on a schedule:

Un-comment out the Trigger block in the workflow file:

TIP: If you're using the Relay code editor, highlight the triggers section and type ⌘ + / (Mac) or Ctrl + / (Windows) to uncomment.

# triggers:
# - name: schedule
#   source:
#     type: schedule
#     schedule: '0 * * * *'
#   binding:
#     parameters:
#       dryRun: true

Configure the schedule trigger:
- Supply the run interval in cron format.
Configure the following parameter bindings:
- Specify whether dryRun should be set to true or false.
Click Save changes

Restrict public S3 buckets with WRITE permissions

Source

Code

Graph

Prerequisites

Run the workflow

Run the workflow on a schedule

Get started

Join our community

Ready to get started?

Documentation

Blog

Privacy policy

Terms of Use

Pricing

Privacy policy

Terms of Use

Solution

Solution

Solution

Restrict public S3 buckets with WRITE permissions

Integrations used

Source

Code

Graph

Prerequisites

Run the workflow

Run the workflow on a schedule

Get started

Join our community

Ready to get started?

Documentation

Blog

Privacy policy

Terms of Use

Pricing

Privacy policy

Terms of Use