Enforce defaults preventing public S3 ACLs

paradisec-archive · Oct 28, 2023 · e18d6d4 · e18d6d4
1 parent 80223f0
commit e18d6d4
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/cdk/lib/main-stack.ts b/cdk/lib/main-stack.ts
@@ -67,6 +67,7 @@ export class MainStack extends cdk.Stack {
     const metaBucket = new s3.Bucket(this, 'MetaBucket', {
       bucketName: `${appName}-meta-${env}`,
       encryption: s3.BucketEncryption.S3_MANAGED,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
       enforceSSL: true,
       removalPolicy: cdk.RemovalPolicy.RETAIN,
     });
@@ -78,6 +79,7 @@ export class MainStack extends cdk.Stack {
     this.catalogBucket = new s3.Bucket(this, 'CatalogBucket', {
       bucketName: `${appName}-catalog-${env}`,
       encryption: s3.BucketEncryption.S3_MANAGED,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
       enforceSSL: true,
       // TODO: Do we want tiering?
       // intelligentTieringConfigurations: [ ],