You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
81 lines
2.6 KiB
Bash
81 lines
2.6 KiB
Bash
2 years ago
|
#!/usr/bin/env bash
|
||
|
# vim:ts=4:sts=4:sw=4:et
|
||
|
#
|
||
|
# Author: Hari Sekhon
|
||
|
# Date: 2022-05-31 10:25:27 +0100 (Tue, 31 May 2022)
|
||
|
#
|
||
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
||
|
#
|
||
|
# License: see accompanying Hari Sekhon LICENSE file
|
||
|
#
|
||
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
||
|
#
|
||
|
# https://www.linkedin.com/in/HariSekhon
|
||
|
#
|
||
|
|
||
|
set -euo pipefail
|
||
|
[ -n "${DEBUG:-}" ] && set -x
|
||
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||
|
|
||
|
# shellcheck disable=SC1090
|
||
|
. "$srcdir/lib/aws.sh"
|
||
|
|
||
|
# shellcheck disable=SC2034,SC2154
|
||
|
usage_description="
|
||
|
Checks S3 public access is blocked at the AWS Account level
|
||
|
|
||
|
First arg must be the AWS Account ID. If not given and \$AWS_ACCOUNT_ID is set, will use that, otherwise will infer from the current access key
|
||
|
|
||
|
Raw JSON is output to stdout
|
||
|
OK/WARNING Status is output to stderr
|
||
|
Exits with error code 1 if S3 public access is set and exit code 2 if not fully blocked via policy at the account level
|
||
|
|
||
|
|
||
|
$usage_aws_cli_required
|
||
|
"
|
||
|
|
||
|
# used by usage() in lib/utils.sh
|
||
|
# shellcheck disable=SC2034
|
||
|
usage_args="<aws_account_id>"
|
||
|
|
||
|
help_usage "$@"
|
||
|
|
||
|
max_args 1
|
||
|
|
||
|
aws_account_id="${1:-}"
|
||
|
shift || :
|
||
|
|
||
|
if [ -z "$aws_account_id" ]; then
|
||
|
if [ -n "${AWS_ACCOUNT_ID:-}" ]; then
|
||
|
aws_account_id="$AWS_ACCOUNT_ID"
|
||
|
else
|
||
|
timestamp "inferring AWS account id from access key"
|
||
|
aws_account_id="$(aws_account_id)"
|
||
|
timestamp "inferred AWS account id to be '$aws_account_id'"
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
export AWS_DEFAULT_OUTPUT=json
|
||
|
|
||
|
shopt -s nocasematch
|
||
|
|
||
|
output="$(aws s3control get-public-access-block --account-id "$aws_account_id" || :)"
|
||
|
if [ -n "$output" ]; then
|
||
|
echo "$output"
|
||
|
# XXX: must align with read command a few lines down
|
||
|
policy="$(jq -r '.PublicAccessBlockConfiguration | [ .BlockPublicAcls, .IgnorePublicAcls, .BlockPublicPolicy, .RestrictPublicBuckets ] | @tsv' <<< "$output")"
|
||
|
read -r BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets <<< "$policy"
|
||
|
if [[ "$BlockPublicAcls" =~ false ]] ||
|
||
|
[[ "$IgnorePublicAcls" =~ false ]] ||
|
||
|
[[ "$BlockPublicPolicy" =~ false ]] ||
|
||
|
[[ "$RestrictPublicBuckets" =~ false ]]; then
|
||
|
echo "WARNING: Block Public Access policy is not enabled at the account level for AWS Account '$aws_account_id'! " >&2
|
||
|
exit 2
|
||
|
else
|
||
|
echo "OK: Block Public Access policy is enabled at the account level for AWS Account '$aws_account_id'" >&2
|
||
|
fi
|
||
|
else
|
||
|
echo "WARNING: Block Public Access policy is not set at the account level for AWS Account '$aws_account_id'! " >&2
|
||
|
exit 1
|
||
|
fi
|