Reputation: 3562
I am currently trying to define an S3 bucket for a CloudFormation deployment using the SAM template. Following the documentation, I thought I was setting the PublicAccessBlockConfiguration correctly:
```yaml
S3Bucket1:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: abl-ar-report-container
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
```
However, when I deploy I get the following message:
Resource with id [S3Bucket1] is invalid. property PublicAccessBlockConfiguration not defined for resource of type AWS::S3::Bucket
I did see some references to template variations on git. I am declaring the AWS template as:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A template for a Node.js-based application
Transform: AWS::Serverless-2016-10-31
```
After further digging I think I am mixing CF template syntax with SAM syntax. Can anyone point me to the correct documentation or syntax for these settings?
Upvotes: 5
Views: 11191
Reputation: 9834
I dug into this a bit and it is currently a bug in SAM. Here is the GitHub issue. There is a patch that has been merged and it should be fixed in v1.10.0.
The root of the problem is that the S3 model in SAM has a hard-coded list of properties, and PublicAccessBlockConfiguration is relatively new and had not been added yet.
I hope this helps.
Upvotes: 7
Reputation: 28
I would suggest creating the S3 bucket with default settings. S3 by default is blocked for public access. And simply associate an IAM role/policy to read S3 objects for the CFN deployment.
Upvotes: 0
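A pre-deploy check for the four PublicAccessBlockConfiguration settings from the question's template, as an added example that is not code from the thread or from the SAM project. The function name `audit_public_access` and the sample resources `PartialBucket`, `BareBucket`, `ReportFunction` and the `IgnoreAcls` parameter are assumptions, and the constructed sample is written in the JSON template form so that only the standard library is needed.

```python
import json

# The four settings from the question's PublicAccessBlockConfiguration.
REQUIRED = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

def _state(value):
    """Classify a template value as 'on', 'off' or 'unresolved'."""
    text = str(value).strip().lower() if isinstance(value, (bool, str)) else ""
    # Intrinsic functions (Ref, Fn::If, ...) cannot be evaluated offline.
    return {"true": "on", "false": "off"}.get(text, "unresolved")

def audit_public_access(template):
    """Return {logical_id: [findings]} for every AWS::S3::Bucket resource."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        block = props.get("PublicAccessBlockConfiguration")
        findings = []
        if not isinstance(block, dict):
            findings.append("PublicAccessBlockConfiguration not set in template")
        else:
            for key in REQUIRED:
                if key not in block:
                    findings.append(f"{key} missing")
                elif (state := _state(block[key])) != "on":
                    findings.append(f"{key} is {state}")
        report[logical_id] = findings
    return report

# Constructed sample: the question's bucket plus two weaker variants.
SAMPLE = json.loads("""
{"Resources": {
  "S3Bucket1": {"Type": "AWS::S3::Bucket", "Properties": {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
      "BlockPublicPolicy": true, "IgnorePublicAcls": true,
      "RestrictPublicBuckets": true}}},
  "PartialBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": "true",
      "BlockPublicPolicy": false, "IgnorePublicAcls": {"Ref": "IgnoreAcls"}}}},
  "BareBucket": {"Type": "AWS::S3::Bucket"},
  "ReportFunction": {"Type": "AWS::Serverless::Function"}
}}
""")

if __name__ == "__main__":
    for name, findings in audit_public_access(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

A YAML template has to be loaded into a dict before it is passed to the function; values given as intrinsic functions are reported as unresolved so they can be reviewed by hand.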