Merge pull request #85 from kitware-resonant/acls

Disable S3 bucket ACLs
kitware-resonant · Nov 21, 2024 · b2ed6ce · b2ed6ce
2 parents 982004b + a8fd436
commit b2ed6ce
Showing 1 changed file with 24 additions and 11 deletions.
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
@@ -2,9 +2,32 @@ resource "aws_s3_bucket" "storage" {
   bucket = var.bucket_name
 }
 
+resource "aws_s3_bucket_ownership_controls" "storage" {
+  bucket = aws_s3_bucket.storage.id
+  rule {
+    # Disable all ACLs, as they are discouraged for typical use cases
+    # https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
 resource "aws_s3_bucket_acl" "storage" {
   bucket = aws_s3_bucket.storage.id
-  acl    = "private"
+  # This is the default for new buckets, but any other value prevents "BucketOwnerEnforced"
+  # ownership controls
+  acl = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "storage" {
+  bucket = aws_s3_bucket.storage.id
+
+  block_public_policy = true
+  # restrict_public_buckets also blocks cross-account access to the bucket
+  restrict_public_buckets = true
+  # ACLs are already disabled via "aws_s3_bucket_ownership_controls", but many audit tools prefer
+  # these settings too
+  block_public_acls  = true
+  ignore_public_acls = true
 }
 
 resource "aws_s3_bucket_cors_configuration" "storage" {
@@ -125,13 +148,3 @@ data "aws_iam_policy_document" "storage_django" {
     ]
   }
 }
-
-resource "aws_s3_bucket_public_access_block" "storage" {
-  bucket = aws_s3_bucket.storage.id
-
-  block_public_acls   = true
-  block_public_policy = true
-  ignore_public_acls  = true
-  # restrict_public_buckets also blocks cross-account access to the bucket
-  restrict_public_buckets = true
-}