feat(aws-s3): add option to specify block public access settings (#1664)

Adds option to enable all block public access settings on the bucket (`blockPublicAccess`). Also throws an error when trying to use grantPublicAccess if blockPublicAccess is set to true. https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
aws · Feb 4, 2019 · 299fb6a · 299fb6a
1 parent 91194d4
commit 299fb6a
Show file tree

Hide file tree

Showing 3 changed files with 192 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-s3/README.md b/packages/@aws-cdk/aws-s3/README.md
@@ -208,3 +208,33 @@ bucket.onEvent(s3.EventType.ObjectRemoved, myQueue, { prefix: 'foo/', suffix: '.
 ```
 
 [S3 Bucket Notifications]: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
+
+
+### Block Public Access
+
+Use `blockPublicAccess` to specify [block public access settings] on the bucket.
+
+Enable all block public access settings:
+```ts
+const bucket = new Bucket(this, 'MyBlockedBucket', {
+ blockPublicAccess: BlockPublicAccess.BlockAll
+});
+```
+
+Block and ignore public ACLs:
+```ts
+const bucket = new Bucket(this, 'MyBlockedBucket', {
+ blockPublicAccess: BlockPublicAccess.BlockAcls
+});
+```
+
+Alternatively, specify the settings manually:
+```ts
+const bucket = new Bucket(this, 'MyBlockedBucket', {
+ blockPublicAccess: new BlockPublicAccess({ blockPublicPolicy: true })
+});
+```
+
+When `blockPublicPolicy` is set to `true`, `grantPublicRead()` throws an error.
+
+[block public access settings]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -293,6 +293,11 @@ export abstract class BucketBase extends cdk.Construct implements IBucket {
  */
  protected abstract autoCreatePolicy = false;
 
+ /**
+ * Whether to disallow public access
+ */
+ protected abstract disallowPublicAccess?: boolean;
+
  /**
  * Exports this bucket from the stack.
  */
@@ -514,6 +519,10 @@ export abstract class BucketBase extends cdk.Construct implements IBucket {
  * @returns The `iam.PolicyStatement` object, which can be used to apply e.g. conditions.
  */
  public grantPublicAccess(keyPrefix = '*', ...allowedActions: string[]): iam.PolicyStatement {
+ if (this.disallowPublicAccess) {
+ throw new Error("Cannot grant public access when 'blockPublicPolicy' is enabled");
+ }
+
  allowedActions = allowedActions.length > 0 ? allowedActions : [ 's3:GetObject' ];
 
  const statement = new iam.PolicyStatement()
@@ -555,6 +564,62 @@ export abstract class BucketBase extends cdk.Construct implements IBucket {
  }
 }
 
+export interface BlockPublicAccessOptions {
+ /**
+ * Whether to block public ACLs
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
+ */
+ blockPublicAcls?: boolean;
+
+ /**
+ * Whether to block public policy
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
+ */
+ blockPublicPolicy?: boolean;
+
+ /**
+ * Whether to ignore public ACLs
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
+ */
+ ignorePublicAcls?: boolean;
+
+ /**
+ * Whether to restrict public access
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-options
+ */
+ restrictPublicBuckets?: boolean;
+}
+
+export class BlockPublicAccess {
+ public static readonly BlockAll = new BlockPublicAccess({
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: true
+ });
+
+ public static readonly BlockAcls = new BlockPublicAccess({
+ blockPublicAcls: true,
+ ignorePublicAcls: true
+ });
+
+ public blockPublicAcls: boolean | undefined;
+ public blockPublicPolicy: boolean | undefined;
+ public ignorePublicAcls: boolean | undefined;
+ public restrictPublicBuckets: boolean | undefined;
+
+ constructor(options: BlockPublicAccessOptions) {
+ this.blockPublicAcls = options.blockPublicAcls;
+ this.blockPublicPolicy = options.blockPublicPolicy;
+ this.ignorePublicAcls = options.ignorePublicAcls;
+ this.restrictPublicBuckets = options.restrictPublicBuckets;
+ }
+}
+
 export interface BucketProps {
  /**
  * The kind of server-side encryption to apply to this bucket.
@@ -623,6 +688,13 @@ export interface BucketProps {
  * Similar to calling `bucket.grantPublicAccess()`
  */
  publicReadAccess?: boolean;
+
+ /**
+ * The block public access configuration of this bucket.
+ *
+ * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
+ */
+ blockPublicAccess?: BlockPublicAccess;
 }
 
 /**
@@ -652,6 +724,7 @@ export class Bucket extends BucketBase {
  public readonly encryptionKey?: kms.IEncryptionKey;
  public policy?: BucketPolicy;
  protected autoCreatePolicy = true;
+ protected disallowPublicAccess?: boolean;
  private readonly lifecycleRules: LifecycleRule[] = [];
  private readonly versioned?: boolean;
  private readonly notifications: BucketNotifications;
@@ -666,7 +739,8 @@ export class Bucket extends BucketBase {
  bucketEncryption,
  versioningConfiguration: props.versioned ? { status: 'Enabled' } : undefined,
  lifecycleConfiguration: new cdk.Token(() => this.parseLifecycleConfiguration()),
- websiteConfiguration: this.renderWebsiteConfiguration(props)
+ websiteConfiguration: this.renderWebsiteConfiguration(props),
+ publicAccessBlockConfiguration: props.blockPublicAccess
  });
 
  cdk.applyRemovalPolicy(resource, props.removalPolicy !== undefined ? props.removalPolicy : cdk.RemovalPolicy.Orphan);
@@ -678,6 +752,7 @@ export class Bucket extends BucketBase {
  this.domainName = resource.bucketDomainName;
  this.bucketWebsiteUrl = resource.bucketWebsiteUrl;
  this.dualstackDomainName = resource.bucketDualStackDomainName;
+ this.disallowPublicAccess = props.blockPublicAccess && props.blockPublicAccess.blockPublicPolicy;
 
  // Add all lifecycle rules
  (props.lifecycleRules || []).forEach(this.addLifecycleRule.bind(this));
@@ -1042,6 +1117,8 @@ class ImportedBucket extends BucketBase {
  public policy?: BucketPolicy;
  protected autoCreatePolicy: boolean;
 
+ protected disallowPublicAccess?: boolean;
+
  constructor(scope: cdk.Construct, id: string, private readonly props: BucketImportProps) {
  super(scope, id);
 
@@ -1059,6 +1136,7 @@ class ImportedBucket extends BucketBase {
  ? false
  : props.bucketWebsiteNewUrlFormat;
  this.policy = undefined;
+ this.disallowPublicAccess = false;
  }
 
  /**

diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -201,6 +201,76 @@ export = {
  test.done();
  },
 
+ 'bucket with block public access set to BlockAll'(test: Test) {
+ const stack = new cdk.Stack();
+ new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: s3.BlockPublicAccess.BlockAll,
+ });
+
+ expect(stack).toMatch({
+ "Resources": {
+ "MyBucketF68F3FF0": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicAcls": true,
+ "BlockPublicPolicy": true,
+ "IgnorePublicAcls": true,
+ "RestrictPublicBuckets": true,
+ }
+ },
+ "DeletionPolicy": "Retain",
+ }
+ }
+ });
+ test.done();
+ },
+
+ 'bucket with block public access set to BlockAcls'(test: Test) {
+ const stack = new cdk.Stack();
+ new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: s3.BlockPublicAccess.BlockAcls,
+ });
+
+ expect(stack).toMatch({
+ "Resources": {
+ "MyBucketF68F3FF0": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicAcls": true,
+ "IgnorePublicAcls": true,
+ }
+ },
+ "DeletionPolicy": "Retain",
+ }
+ }
+ });
+ test.done();
+ },
+
+ 'bucket with custom block public access setting'(test: Test) {
+ const stack = new cdk.Stack();
+ new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: new s3.BlockPublicAccess({ restrictPublicBuckets: true })
+ });
+
+ expect(stack).toMatch({
+ "Resources": {
+ "MyBucketF68F3FF0": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "PublicAccessBlockConfiguration": {
+ "RestrictPublicBuckets": true,
+ }
+ },
+ "DeletionPolicy": "Retain",
+ }
+ }
+ });
+ test.done();
+ },
+
  'permissions': {
 
  'addPermission creates a bucket policy'(test: Test) {
@@ -1175,6 +1245,19 @@ export = {
  "Version": "2012-10-17"
  }
  }));
+ test.done();
+ },
+
+ 'throws when blockPublicPolicy is set to true'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+ const bucket = new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: new s3.BlockPublicAccess({ blockPublicPolicy: true })
+ });
+
+ // THEN
+ test.throws(() => bucket.grantPublicAccess(), /blockPublicPolicy/);
+
  test.done();
  }
  },