fiddling with bucket access permissions

TechNative-B-V · Apr 12, 2024 · 04b41b1 · 04b41b1
1 parent fe0abe5
commit 04b41b1
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/alarms_s3.tf b/alarms_s3.tf
@@ -12,15 +12,28 @@ resource "aws_s3_bucket_policy" "alarm_bucket_policy" {
     ]
 }
 
+resource "aws_s3_bucket_acl" "bucket_access" {
+    bucket = aws_s3_bucket.alarm_bucket.id
+    acl = "private"
+    depends_on = [aws_s3_bucket_ownership_controls.this]
+}
+
 data "aws_iam_policy_document" "alarm_bucket_policy_doc" {
     statement {
         principals {
           type = "AWS"
           identifiers = ["*"]
         }
-        actions = ["s3:GetObject","s3:PutBucketPolicy"]
+        actions = ["s3:GetObject"]
+        resources = [aws_s3_bucket.alarm_bucket.arn, "${aws_s3_bucket.alarm_bucket.arn}/*",]
+    }
+    statement {
+        principals {
+            type        = "AWS"
+            identifiers = [data.aws_caller_identity.current.account_id]
+        }
+        actions = ["s3:PutBucketPolicy"]
         resources = [aws_s3_bucket.alarm_bucket.arn, "${aws_s3_bucket.alarm_bucket.arn}/*",]
-
     }
 }
 
@@ -36,7 +49,7 @@ resource "aws_s3_bucket_public_access_block" "this" {
     bucket = aws_s3_bucket.alarm_bucket.id
 
     block_public_acls       = true
-    block_public_policy     = true
+    block_public_policy     = false
     ignore_public_acls      = true
     restrict_public_buckets = true
 }