Exemplo n.º 1
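def s3_require_tls(bucket_name):
    '''
    Attach a bucket policy that denies every S3 request not made over TLS.

    The single statement denies all principals and all actions whenever
    ``aws:SecureTransport`` is false, so plain-HTTP calls are refused and
    data in transit is always encrypted. The resource list names both the
    bucket itself and every object in it: an object-only resource
    (``bucket/*``) would leave bucket-level calls such as listing
    reachable over plain HTTP, which contradicts "any calls".

    :param bucket_name: Name of the bucket to protect.
    :returns: None; errors from the S3 client propagate to the caller.

    NOTE: put_bucket_policy replaces the bucket's existing policy in full.
    Any statements that were already attached are lost.
    '''
    s3_client = create_s3_client()

    bucket_arn = 'arn:aws:s3:::{}'.format(bucket_name)

    # Deny + negated condition: an explicit Deny wins over any Allow that
    # other policies may grant, so this cannot be bypassed by a later grant.
    bucket_policy = {
        'Version': '2012-10-17',
        'Id': 'Policy1565726245376',
        'Statement': [{
            'Sid': 'Stmt1565726242462',
            'Effect': 'Deny',
            'Principal': '*',
            'Action': '*',
            # Bucket ARN covers bucket-level actions, bucket/* covers objects.
            'Resource': [bucket_arn, bucket_arn + '/*'],
            'Condition': {
                'Bool': {
                    'aws:SecureTransport': 'false'
                }
            }
        }]
    }

    s3_client.put_bucket_policy(Bucket=bucket_name,
                                Policy=json.dumps(bucket_policy))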
Exemplo n.º 2
def s3_create_bucket(bucket_name):
    '''
    Create a private S3 bucket in the configured region.

    The region is read from ``GLOBAL_CONFIGURATION["AWS_REGION"]``. For
    ``us-east-1`` no ``CreateBucketConfiguration`` is sent, because
    create_bucket rejects a LocationConstraint for that region.

    The ``private`` canned ACL only sets the bucket's ACL; it does not stop
    a later bucket policy from granting public access (that is what the
    public-access-block settings are for).

    :param bucket_name: Name of the bucket to create.
    '''
    region = GLOBAL_CONFIGURATION["AWS_REGION"]

    # us-east-1 is the default location and must not be named explicitly.
    extra_args = {}
    if region != 'us-east-1':
        extra_args['CreateBucketConfiguration'] = {'LocationConstraint': region}

    create_s3_client().create_bucket(ACL='private', Bucket=bucket_name, **extra_args)
Exemplo n.º 3
def block_public_access(bucket_name):
    '''
    Turn on all four S3 Block Public Access settings for a bucket.

    With every switch enabled, public ACLs are rejected and ignored, public
    bucket policies are rejected, and access to a bucket that already has a
    public policy is restricted to the account and AWS service principals.

    :param bucket_name: Name of the bucket to lock down.
    '''
    # All four switches on; a partial configuration leaves a public path open.
    lockdown = {
        setting: True
        for setting in ('RestrictPublicBuckets', 'BlockPublicAcls',
                        'IgnorePublicAcls', 'BlockPublicPolicy')
    }

    client = create_s3_client()
    client.put_public_access_block(Bucket=bucket_name,
                                   PublicAccessBlockConfiguration=lockdown)
Exemplo n.º 4
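def s3_encrypt_bucket(bucket_name, kms_key_id=None):
    '''
    Enable default server-side encryption (SSE-KMS) for a bucket.

    This sets the bucket's default encryption configuration, not a bucket
    policy: objects uploaded without an explicit encryption header are
    encrypted with KMS. Objects already in the bucket are not re-encrypted
    by this call.

    :param bucket_name: Name of the bucket to configure.
    :param kms_key_id: Optional KMS key (key ID, key ARN or alias) to use as
        the default key. When omitted, S3 uses the AWS-managed ``aws/s3``
        key, whose key policy cannot be customised.
    '''
    s3_client = create_s3_client()

    default_encryption = {'SSEAlgorithm': 'aws:kms'}
    if kms_key_id:
        # A customer-managed key keeps key policy, rotation and key-usage
        # auditing under the account's control rather than AWS-managed.
        default_encryption['KMSMasterKeyID'] = kms_key_id

    s3_client.put_bucket_encryption(
        Bucket=bucket_name,
        ServerSideEncryptionConfiguration={
            'Rules': [
                {
                    'ApplyServerSideEncryptionByDefault': default_encryption
                },
            ]
        })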