{"id":24013765,"url":"https://github.com/rupertbg/yes3","last_synced_at":"2025-07-29T12:14:55.127Z","repository":{"id":53533096,"uuid":"193467278","full_name":"rupertbg/YES3","owner":"rupertbg","description":"Whitelist intentionally-public buckets, block everything else","archived":false,"fork":false,"pushed_at":"2021-03-25T22:43:34.000Z","size":7,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-07-04T19:46:20.151Z","etag":null,"topics":["aws","continuous-control","continuous-deployment","devsecops","s3","s3-buckets"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rupertbg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-24T08:40:16.000Z","updated_at":"2020-01-06T00:01:43.000Z","dependencies_parsed_at":"2022-08-20T13:20:46.040Z","dependency_job_id":null,"html_url":"https://github.com/rupertbg/YES3","commit_stats":null,"previous_names":[],"tags_count":0,"template":true,"template_full_name":null,"purl":"pkg:github/rupertbg/YES3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupertbg%2FYES3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupertbg%2FYES3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupertbg%2FYES3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupertbg%2FYES3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rupertbg","download_url":"https://codeload.github.com/rupertbg/YES3/tar.gz/refs/heads/master","sbom_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupertbg%2FYES3/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267685371,"owners_count":24127706,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-29T02:00:12.549Z","response_time":2574,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","continuous-control","continuous-deployment","devsecops","s3","s3-buckets"],"created_at":"2025-01-08T06:57:15.212Z","updated_at":"2025-07-29T12:14:55.095Z","avatar_url":"https://github.com/rupertbg.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# YES3 - Flexible S3 Public Access Control Automation\nDo you have _intentionally public_ S3 Buckets? Do these change over time? This Lambda function will continuously update S3 Public Access settings to comply with a policy given to it via this repo.\n\nConstraining other IAM Users and Roles from accessing these settings will mean greatly reduced risk of misconfiguration of buckets, whilst retaining the ability to have public buckets where it makes sense.\n\n## Deployment\nIncluded is a CodePipeline defined in CloudFormation. This bundles up the Lambda and its dependencies via CodeBuild, and uploads the resulting zip to S3 where it is then referenced in a CloudFormation deployment step for the Lambda itself. 
The pipeline updates itself based on the `pipeline.yml` included in the repo.\n\n### First-time setup:\n1. Make a Secret in Secrets Manager called 'Github' and place two values in it:\n    - PersonalAccessToken: A Personal Access Token from GitHub\n    - WebhookSecret: A random string for adding access control to the CodePipeline webhook\n2. Deploy the `pipeline.yml` via CloudFormation\n3. For automatic pipeline execution on push events, configure the Webhook URL that is exported from the resulting stack in your GitHub repo's Webhook settings.\n\n## Policy Definition\nThe `policy.yml` file located in `src` is parsed by the Lambda Function. If you omit the `PublicAccess.Configuration` objects, they will default to Allow being fully open and Block being fully closed. Setting `PublicAccess.Block` to true and omitting the list of buckets will set `PublicAccess.Configuration.Block` on all buckets.\n```yaml\nPublicAccess: # This object governs S3 Public Access Blocks (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/)\n  Block: true # Setting this to true will enable active blocking of non-whitelisted buckets\n  Configuration: # These four settings map directly to the parameters available for PutPublicAccessBlock.\n    Allow: # These are the settings enforced when a bucket appears in the whitelist below.\n      BlockPublicAcls: true\n      IgnorePublicAcls: true\n      BlockPublicPolicy: false\n      RestrictPublicBuckets: false\n    Block: # These are the settings enforced when a bucket doesn't appear in the whitelist below.\n      BlockPublicAcls: true\n      IgnorePublicAcls: true\n      BlockPublicPolicy: true\n      RestrictPublicBuckets: true\n  Buckets: # Bucket names in this list will be allowed to be public based on the configuration set above. 
All other buckets will have all configurations above set to False, blocking all public access.\n    - testing-bucket-123456\n```\n\n### Examples\nBlock all public configurations\n```yaml\nPublicAccess:\n  Block: true\n```\n\nEnsure public configurations are allowed on test-bucket-123456\n```yaml\nPublicAccess:\n  Buckets:\n    - test-bucket-123456\n```\n\n_Only_ allow public configurations on test-bucket-123456\n```yaml\nPublicAccess:\n  Block: true\n  Buckets:\n    - test-bucket-123456\n```\n\nBlock all buckets with a custom ruleset. This one allows public policy but not ACLs\n```yaml\nPublicAccess:\n  Block: true\n  Configuration:\n    Block:\n      BlockPublicAcls: true\n      IgnorePublicAcls: true\n      BlockPublicPolicy: false\n      RestrictPublicBuckets: false\n```\n\n## Files\n```\n| README.md\n| lambda.yml - Lambda deployment written in CloudFormation\n| pipeline.yml - CodePipeline definition written in CloudFormation\n| src\n| | requirements.txt - Pip requirements file\n| | index.py - Lambda handler\n| | policy.yml - Policy file for defining public buckets and settings\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frupertbg%2Fyes3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frupertbg%2Fyes3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frupertbg%2Fyes3/lists"}