Task/s3nopublic (#518)

**Which issue is resolved by this Pull Request:** Resolves # **Description of your changes:** Configure "block public access" by default for the S3 artifact bucket, when deployed both via terraform and manifests. **Testing:** - [x ] Unit tests pass - [x ] e2e tests pass - Details about new tests (If this PR adds a new feature) - Details about any manual tests performed Deployed using both methods and verified things worked as expected. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
awslabs · Dec 21, 2022 · 100eda7 · 100eda7
1 parent 3f31898
commit 100eda7
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/iaac/terraform/aws-infra/s3/main.tf b/iaac/terraform/aws-infra/s3/main.tf
@@ -27,4 +27,13 @@ resource "aws_secretsmanager_secret_version" "s3_secret_version" {
     accesskey = var.minio_aws_access_key_id
     secretkey = var.minio_aws_secret_access_key
   })
+}
+
+resource "aws_s3_bucket_public_access_block" "artifact_store_block_access" {
+  bucket = aws_s3_bucket.artifact_store.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 }
diff --git a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
@@ -124,6 +124,15 @@ def create_s3_bucket(s3_client):
         args["CreateBucketConfiguration"] = {"LocationConstraint": CLUSTER_REGION}
 
     s3_client.create_bucket(**args)
+    s3_client.put_public_access_block(
+        Bucket=S3_BUCKET_NAME,
+        PublicAccessBlockConfiguration={
+            'BlockPublicAcls': True,
+            'IgnorePublicAcls': True,
+            'BlockPublicPolicy': True,
+            'RestrictPublicBuckets': True
+        }
+    )
     print("S3 bucket created!")
 
     s3_client.put_bucket_encryption(

diff --git a/website/content/en/docs/about/security.md b/website/content/en/docs/about/security.md
@@ -10,6 +10,12 @@ We highly recommend that you follow AWS security best practices while provisioni
 
 ### Amazon Simple Storage Service (S3)
 
+#### Block public access
+
+The Amazon S3 bucket created for Kubeflow artifacts has a default ["block public access" configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html). 
+
+#### Encryption
+
 When you use Amazon S3 for kubeflow artifact storage, Kubeflow on AWS configures the Amazon S3 bucket to use [server-side encryption with Amazon S3-managed encryption keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) (SSE-S3). If you prefer to use [server-side encryption with AWS Key Management Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) (SSE-KMS), you can modify these files to specify an AWS KMS key.
 
 * [main.tf](https://github.com/awslabs/kubeflow-manifests/blob/main/iaac/terraform/aws-infra/s3/main.tf) for Terraform deployments