This SCP prevents local admins from disabling four critical Block Public Access settings for:
- Specific S3 Buckets
- All S3 buckets in an account
- EC2 Amazon Machine Images
- EC2 EBS Snapshots
This policy has exclusions for the AWS Organization Management Account role and the Central Cloud Administrator role. The OrganizationAccountAccessRole can make these changes and works with the pht-account-configurator StepFunction that configures new accounts.
This SCP should be applied to the Root OU.
Warning:
By default, new AWS buckets are created with PublicAccessBlock enabled. However, if legacy IaC tools are also attempting to set the bucket-level PublicAccessBlock, the IaC will fail due to the presence of s3:PutBucketPublicAccessBlock in this policy: enabling and disabling the block both use the same API action, so IAM cannot distinguish one from the other and denies both. Best practice is to enable PublicAccessBlock at the AWS account level.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventDisableBlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock",
        "ec2:DisableImageBlockPublicAccess",
        "ec2:DisableSnapshotBlockPublicAccess"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
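To check who this SCP will block before attaching it to the Root OU, the following added example (not part of the original policy package) evaluates the Deny statement above against a given action and principal ARN, modelling only the constructs this SCP uses (an Action list, Resource "*", and a StringNotLike condition on aws:PrincipalArn). The account ID and the legacy-terraform role name are constructed for illustration; they show the case the warning describes, where an IaC role is denied s3:PutBucketPublicAccessBlock even when it is enabling the block.

```python
import re

# The SCP from this page, embedded as a dict so the check runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PreventDisableBlockPublicAccess",
        "Effect": "Deny",
        "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
                   "ec2:DisableImageBlockPublicAccess", "ec2:DisableSnapshotBlockPublicAccess"],
        "Resource": ["*"],
        "Condition": {"StringNotLike": {"aws:PrincipalArn": [
            "arn:aws:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"]}},
    }],
}


def iam_like(pattern, value, case_sensitive=True):
    """IAM StringLike matching: '*' spans any run of characters, '?' exactly one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch("".join(parts), value, flags) is not None


def scp_denies(policy, action, principal_arn):
    """True if a Deny statement in this SCP applies to `action` by `principal_arn`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM matches action names case-insensitively.
        if not any(iam_like(a, action, case_sensitive=False) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        exempt = [exempt] if isinstance(exempt, str) else exempt
        # StringNotLike holds (so the Deny fires) only when NO listed pattern matches.
        if any(iam_like(p, principal_arn) for p in exempt):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed ARNs: a legacy IaC role (the warning case) and the exempt org role.
    legacy = "arn:aws:iam::111122223333:role/legacy-terraform"
    orgrole = "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"
    print(scp_denies(SCP, "s3:PutBucketPublicAccessBlock", legacy))   # True, even when enabling
    print(scp_denies(SCP, "s3:PutBucketPublicAccessBlock", orgrole))  # False, exempt by condition
```

Note that SCPs never apply to the management account itself, so a principal there is not blocked regardless of what this check returns.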