Universally apply restriction to bucket policy, for all S3 buckets

Solution 1:

Use an AWS Service Control Policy, attached to your AWS Organisation OUs. The snippet below only enforces S3 encryption in transit, but you can also enforce:

  • S3 / EBS / RDS encryption at rest (probably other services too)
  • Allowed EC2 sizes / families
  • Creation of default VPCs
  • Disabling default EBS encryption
  • Deactivation of security services
  • Root user doing much (they shouldn't do anything, really)
  • Region enforcement
  • Whitelist services for the OU

I might not have the brackets quite right, I cut this out of a larger SCP, but any IDE like VSCode can help with that.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3EncryptionInTransit",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
        }
      }
    },
    {
      "Sid": "S3EncryptionHeaderMissing",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
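A small evaluator for the Deny conditions in an SCP of this shape, added here as an example and not part of the answer above: it models the Null and StringNotEquals operators and shows which s3:PutObject requests the guardrail blocks (header absent, wrong value, or an accepted value). The policy text and the sample request contexts are constructed; Resource and Principal matching are left out.

```python
import json

# Constructed sample SCP (not the answer's exact text): the documented
# two-statement pattern for requiring server-side encryption on PutObject.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyWrongSseHeader", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*", "Condition": {"StringNotEquals":
       {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
    {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*", "Condition": {"Null":
       {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")


def condition_matches(operator, key, wanted, context):
    """Evaluate one condition key for the two operators the sample SCP uses."""
    present = key in context
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return present != (str(wanted).lower() == "true")
    if operator == "StringNotEquals":
        # Conservative reading: only a present value is compared; the absent
        # case is deliberately covered by the Null statement instead.
        allowed = wanted if isinstance(wanted, list) else [wanted]
        return present and context[key] not in allowed
    raise ValueError(f"operator {operator} not modelled")


def statement_applies(stmt, action, context):
    """Every condition key in a statement must match for it to apply."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    return all(condition_matches(op, key, wanted, context)
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items())


def put_object_denied(context, policy=SCP):
    """An SCP is a guardrail: any matching Deny wins, whatever IAM or bucket policy says."""
    return any(s["Effect"] == "Deny" and statement_applies(s, "s3:PutObject", context)
               for s in policy["Statement"])


if __name__ == "__main__":
    for hdr in (None, "AES256", "aws:kms", "bogus"):  # constructed request contexts
        ctx = {} if hdr is None else {"s3:x-amz-server-side-encryption": hdr}
        print(f"header={hdr!r:10} denied={put_object_denied(ctx)}")
```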