chore: apply all PublicAccessBlockConfiguration for all s3 buckets (#…

…5130)

Fixes #5089


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

e2e/multi-pipeline/s3template.yml

@@ -22,6 +22,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   e2epipelineaddonBucketPolicy:
     Metadata:

internal/pkg/addon/testdata/merge/env/second.yaml

@@ -76,6 +76,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   MyBucketAccessPolicy:
     Type: AWS::IAM::ManagedPolicy

internal/pkg/addon/testdata/merge/env/wanted.yaml

@@ -106,6 +106,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
   MyBucketAccessPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:

internal/pkg/addon/testdata/merge/second.yaml

@@ -79,6 +79,8 @@ Resources:
         PublicAccessBlockConfiguration:
           BlockPublicAcls: true
           BlockPublicPolicy: true
+          IgnorePublicAcls: true
+          RestrictPublicBuckets: true
 
     MyBucketAccessPolicy:
       Type: AWS::IAM::ManagedPolicy

internal/pkg/addon/testdata/merge/wanted.yaml

@@ -109,6 +109,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
   MyBucketAccessPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:

internal/pkg/addon/testdata/storage/bucket.yml

@@ -22,6 +22,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml

@@ -720,6 +720,11 @@ Resources:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
               SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
   ELBAccessLogsBucketPolicy:
     Type: AWS::S3::BucketPolicy
     Condition: CreateALB

internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml

@@ -35,6 +35,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

internal/pkg/template/templates/addons/s3/cf.yml

@@ -22,6 +22,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

internal/pkg/template/templates/addons/s3/env/cf.yml

@@ -20,6 +20,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

internal/pkg/template/templates/app/cf.yml

@@ -90,6 +90,11 @@ Resources:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
               SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced

internal/pkg/template/templates/environment/partials/elb-access-logs.yml

@@ -37,4 +37,9 @@ ELBAccessLogsBucket:
     BucketEncryption:
       ServerSideEncryptionConfiguration:
         - ServerSideEncryptionByDefault:
-            SSEAlgorithm: AES256 
+            SSEAlgorithm: AES256 
+    PublicAccessBlockConfiguration:
+      BlockPublicAcls: true
+      BlockPublicPolicy: true
+      IgnorePublicAcls: true
+      RestrictPublicBuckets: true

internal/pkg/template/templates/task/cf.yml

@@ -273,6 +273,11 @@ Resources:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
               SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       LifecycleConfiguration:
         Rules:
           # .env files are only needed on the initial RunTask call and are not needed after that.

internal/pkg/template/templates/workloads/services/static-site/cf.yml

@@ -47,6 +47,8 @@ Resources:
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
       OwnershipControls:
         Rules:
           - ObjectOwnership: BucketOwnerEnforced