---
# CloudFormation template for an S3 bucket that receives uploads from GitHub
# workflows. Read access is either public or restricted to an AWS Organization
# / account; the PublicAccess parameter selects which bucket policy is created.
AWSTemplateFormatVersion: "2010-09-09"
Description: Bucket - Automation - Uploads from Github Workflows for CICD
Metadata:
  # Console-only presentation: parameter grouping and friendly labels. Has no
  # effect on the deployed resources.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Bucket Configuration
        Parameters:
          - BucketName
      - Label:
          default: Bucket Permissions
        Parameters:
          - OrganizationID
          - AccountID
          - PublicAccess
    ParameterLabels:
      BucketName:
        default: CICD Bucket Name
      OrganizationID:
        default: Organization ID
      AccountID:
        default: Account ID
      PublicAccess:
        default: Allow Public Access
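Parameters:
  BucketName:
    Type: String
    Description: Name of bucket
  # OrganizationID and AccountID are only consulted when PublicAccess is
  # 'False' (see the restrictedAccess condition). The defaults are placeholders
  # that match no real organization or account.
  OrganizationID:
    Type: String
    Description: 'Provide AWS Organizations identifier (e.g. o-##########) if applicable.
      Only required if denying public access.'
    Default: o-xxxxxxxxx
  AccountID:
    Type: String
    Description: 'Provide single account identifier (e.g. 012345678901) for account access.
      Only required if denying public access.'
    Default: xxxxxxxxxxxx
  # A String rather than a boolean: CloudFormation parameters have no boolean
  # type, so the Conditions section compares against the quoted 'True'/'False'.
  PublicAccess:
    Type: String
    Description: 'WARNING: This will override values for Organization ID and Account ID'
    Default: 'False'
    AllowedValues:
      - 'True'
      - 'False'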
Conditions:
  # Exactly one of these holds, because PublicAccess is limited to the two
  # AllowedValues 'True' and 'False'.
  restrictedAccess: !Equals
    - !Ref PublicAccess
    - 'False'
  publicAccess: !Equals
    - !Ref PublicAccess
    - 'True'
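Resources:
  Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      #checkov:skip=CKV_AWS_21:Versioning is maintained by Git source control
      #checkov:skip=CKV_AWS_18:Ensure the S3 bucket has access logging enabled
      #checkov:skip=CKV_AWS_54:Ensure S3 bucket has block public policy enabled
      #checkov:skip=CKV_AWS_56:Ensure S3 bucket has 'restrict_public_bucket' enabled
      BucketName: !Ref BucketName
      # Default encryption at rest with S3-managed keys (SSE-S3).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # NOTE(review): the S3 website endpoint (WebsiteURL output) only serves
      # anonymous requests, so in restricted mode consumers need the REST
      # endpoint (SecureURL / DomainName outputs) — confirm against callers.
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
      VersioningConfiguration:
        Status: Suspended
      # ACL-based public access is blocked. Policy-based blocking is presumably
      # left off because both bucket policies below grant s3:GetObject to
      # Principal "*", which S3 classifies as a public policy and
      # BlockPublicPolicy would reject.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        #BlockPublicPolicy: true
        IgnorePublicAcls: true
        #RestrictPublicBuckets: true
      Tags:
        - Key: Name
          Value: !Ref BucketName
        - Key: Type
          Value: CICD
        - Key: Public
          Value: !Ref PublicAccess
    # Keep the bucket and its objects when the stack is deleted, and also when
    # the resource is replaced (e.g. after a BucketName change).
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
  # Created when PublicAccess is 'False': anyone may read, except that an
  # explicit Deny removes access for principals outside the configured
  # organization / account.
  BucketPolicyRestricted:
    Condition: restrictedAccess
    Type: 'AWS::S3::BucketPolicy'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: "Public bucket requires * Get-Object"
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: RestrictToOrganization
        # Quoted: an unquoted 2012-10-17 is a YAML 1.1 timestamp, which tooling
        # that loads the template with a generic YAML parser turns into a date
        # instead of the string IAM expects.
        Version: "2012-10-17"
        Statement:
          - Sid: AllowReadAccess
            Effect: Allow
            Principal: "*"
            Action:
              - "s3:GetObject"
            Resource: !Sub 'arn:aws:s3:::${Bucket}/*'
          # StringNotEquals with two keys denies only when BOTH keys fail to
          # match (an absent key counts as a non-match), so a request is
          # allowed if either the organization or the account condition holds.
          # NOTE(review): aws:SourceAccount is populated for service-originated
          # requests, not for direct calls by IAM principals, so AccountID
          # likely does not grant a single account's users access as the
          # parameter description suggests; aws:PrincipalAccount identifies the
          # calling principal's account — confirm intent before changing.
          - Sid: DenyOutsideOrganization
            Effect: Deny
            Principal:
              AWS: "*"
            Action:
              - "s3:GetObject"
            Resource: !Sub 'arn:aws:s3:::${Bucket}/*'
            Condition:
              StringNotEquals:
                aws:PrincipalOrgID: !Ref OrganizationID
                aws:SourceAccount: !Ref AccountID
    DependsOn: Bucket
  # Created when PublicAccess is 'True': unconditional anonymous read of all
  # objects in the bucket.
  BucketPolicyPublic:
    Condition: publicAccess
    Type: 'AWS::S3::BucketPolicy'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: "Public bucket requires Get-Object for all"
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: PublicAccess
        # Quoted for the same reason as in BucketPolicyRestricted.
        Version: "2012-10-17"
        Statement:
          - Sid: AllowReadAccess
            Effect: Allow
            Principal: "*"
            Action:
              - "s3:GetObject"
            Resource: !Sub 'arn:aws:s3:::${Bucket}/*'
    DependsOn: Bucket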
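Outputs:
  # Static-website endpoint from WebsiteConfiguration; S3 website endpoints
  # serve plain HTTP only.
  BucketURL:
    Value: !GetAtt [Bucket, WebsiteURL]
    Description: Bucket URL for objects hosted on S3
  # HTTPS REST endpoint of the bucket (description previously mislabelled this
  # as the bucket name).
  SecureURL:
    Value: !Sub 'https://${Bucket.DomainName}'
    Description: HTTPS URL of the bucket REST endpoint
  DomainName:
    Value: !GetAtt [Bucket, DomainName]
    Description: Domain name of resource bucket
  BucketArn:
    Value: !GetAtt [Bucket, Arn]
    Description: Arn of resource bucket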