Set public access block for buckets with public files (#15)

Following https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/, this is no longer the default behaviour in the API. We now need to explicitly allow access in order for files to be public.
torchbox · Mar 29, 2023 · bedc741 · bedc741
1 parent e2e9f1b
commit bedc741
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/buckup/bucket_creator.py b/buckup/bucket_creator.py
@@ -20,6 +20,7 @@ def __init__(self, profile_name=None, region_name=None):
         self.session = boto3.session.Session(profile_name=profile_name,
                                              region_name=region_name)
         self.s3 = self.session.resource('s3')
+        self.s3_client = self.session.client('s3')
         self.iam = self.session.resource('iam')
 
     def commit(self, data):
@@ -95,7 +96,9 @@ def get_bucket_policy_statements_for_user_access(self, bucket, user):
 
     def set_bucket_policy(self, bucket, user, public_get_object_paths=None):
         policy_statement = []
-        if public_get_object_paths:
+        public_access = bool(public_get_object_paths)
+
+        if public_access:
             policy_statement.append(
                 self.get_bucket_policy_statement_for_get_object(
                     bucket, public_get_object_paths
@@ -122,6 +125,20 @@ def set_bucket_policy(self, bucket, user, public_get_object_paths=None):
                 break
         print('Bucket policy set.')
 
+        if public_access:
+            # NB: This API doesn't exist on a `Bucket`
+            self.s3_client.put_public_access_block(
+                Bucket=bucket.name,
+                # Allow policies to provide access to objects, but not ACLs
+                PublicAccessBlockConfiguration={
+                    "BlockPublicAcls": True,
+                    "IgnorePublicAcls": True,
+                    "BlockPublicPolicy": False,
+                    "RestrictPublicBuckets": False
+                }
+            )
+            print('Enabled public access to the bucket.')
+
     def create_bucket(self, name, region):
         """
         Create bucket of name in the given region.