Deny s3:ListBucket (pulumi#203)

* Deny s3:ListBucket * Update comment
mitchfriedman · Jan 8, 2019 · 71225e5 · 71225e5
1 parent 21a913e
commit 71225e5
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/aws-ts-static-website/index.ts b/aws-ts-static-website/index.ts
@@ -31,6 +31,25 @@ const contentBucket = new aws.s3.Bucket("contentBucket",
  }
  });
 
+// contentBucket needs to have the "public-read" ACL so its contents can be ready by CloudFront and
+// served. But we deny the s3:ListBucket permission to prevent unintended disclosure of the bucket's
+// contents. If you know the Bucket object path, it is still available for anonymous access however.
+const denyListPolicyState: aws.s3.BucketPolicyArgs = {
+ bucket: contentBucket.bucket,
+ policy: contentBucket.arn.apply(arn => JSON.stringify({
+ Version: "2008-10-17",
+ Statement: [
+ {
+ Effect: "Deny",
+ Principal: "*",
+ Action: "s3:ListBucket",
+ Resource: arn,
+ },
+ ],
+ })),
+};
+const denyListPolicy = new aws.s3.BucketPolicy("deny-list", denyListPolicyState);
+
 // crawlDirectory recursive crawls the provided directory, applying the provided function
 // to every file it contains. Doesn't handle cycles from symlinks.
 function crawlDirectory(dir: string, f: (_: string) => void) {