From e18d6d4e8d7e4e3705aa3873d55a0fe1a0033969 Mon Sep 17 00:00:00 2001
From: John Ferlito <johnf@inodes.org>
Date: Sat, 28 Oct 2023 15:12:32 +1100
Subject: [PATCH] Enforce defaults preventing public S3 ACLs

---
 cdk/lib/main-stack.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cdk/lib/main-stack.ts b/cdk/lib/main-stack.ts
index 7acade33..47e31637 100644
--- a/cdk/lib/main-stack.ts
+++ b/cdk/lib/main-stack.ts
@@ -67,6 +67,7 @@ export class MainStack extends cdk.Stack {
     const metaBucket = new s3.Bucket(this, 'MetaBucket', {
       bucketName: `${appName}-meta-${env}`,
       encryption: s3.BucketEncryption.S3_MANAGED,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
       enforceSSL: true,
       removalPolicy: cdk.RemovalPolicy.RETAIN,
     });
@@ -78,6 +79,7 @@ export class MainStack extends cdk.Stack {
     this.catalogBucket = new s3.Bucket(this, 'CatalogBucket', {
       bucketName: `${appName}-catalog-${env}`,
       encryption: s3.BucketEncryption.S3_MANAGED,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
       enforceSSL: true,
       // TODO: Do we want tiering?
       // intelligentTieringConfigurations: [ ],