Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

copilot pipeline init creates publicly accessible s3 buckets #5089

Closed
gabelton opened this issue Jul 17, 2023 · 3 comments · Fixed by #5130
Closed

copilot pipeline init creates publicly accessible s3 buckets #5089

gabelton opened this issue Jul 17, 2023 · 3 comments · Fixed by #5130
Labels
area/permissions Issues about IAM permissions type/request Issues that are created by customers.

Comments

@gabelton
Copy link

We've noticed that buckets created by running copilot pipeline init (e.g. codepipeline, cloudtrail) are getting flagged by Trusted Advisor / Security Hub as missing some of the expected public access blocks. Is this by design or should it be considered a bug?

Screenshot 2023-07-14 at 16 04 44
@bvtujo
Copy link
Contributor

bvtujo commented Jul 17, 2023

None of the artifacts that Copilot uploads have public access turned on; we don't configure default public access blocks but I think this is something we should consider. Thanks for bringing this to our attention!

@bvtujo bvtujo added type/request Issues that are created by customers. area/permissions Issues about IAM permissions labels Jul 17, 2023
@iamhopaul123
Copy link
Contributor

Hello @gabelton. The request totally makes sense to me. As a temporary workaround in the meanwhile, could you set block public access at the account level?

@iamhopaul123 iamhopaul123 mentioned this issue Jul 25, 2023
Merged
@mergify mergify bot closed this as completed in #5130 Jul 26, 2023
mergify bot pushed a commit that referenced this issue Jul 26, 2023
@iamhopaul123
chore: apply all PublicAccessBlockConfiguration for all s3 buckets (#…
ac4ded0 
…5130)

Fixes #5089


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
@dannyrandall
Copy link
Contributor

Hey @gabelton! This fix has been released in v1.29.1!🚀🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/permissions Issues about IAM permissions type/request Issues that are created by customers.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: apply all PublicAccessBlockConfiguration for all s3 buckets iamhopaul123/amazon-ecs-cli-v2
4 participants
@dannyrandall @bvtujo @gabelton @iamhopaul123