in source/remediation_runbooks/scripts/SetSSLBucketPolicy.py [0:0]
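def add_ssl_bucket_policy(event, context):
    """Append the SSL-only statement to a bucket's policy and write it back.

    Reads the bucket's current policy (or starts from ``new_policy()`` when
    the bucket has none), appends the statement returned by
    ``policy_to_add(bucket_name)`` unless an identical statement is already
    present, then saves the result with ``put_bucket_policy``.

    Args:
        event: Dict with ``bucket`` (bucket name) and ``accountid`` (the
            account expected to own the bucket; passed as
            ``ExpectedBucketOwner`` on every S3 call).
        context: Unused.

    Raises:
        SystemExit: via ``exit()`` on any boto3 error other than
            ``NoSuchBucketPolicy`` while reading the policy, and on any error
            while writing it.
    """
    bucket_name = event['bucket']
    account_id = event['accountid']
    s3 = connect_to_s3()

    bucket_policy = {}
    try:
        # ExpectedBucketOwner makes S3 reject the call when the bucket belongs
        # to another account, so a same-named bucket elsewhere is never read
        # or modified by this remediation.
        existing_policy = s3.get_bucket_policy(
            Bucket=bucket_name,
            ExpectedBucketOwner=account_id
        )
        bucket_policy = json.loads(existing_policy['Policy'])
    except ClientError as ex:
        exception_type = ex.response['Error']['Code']
        # A bucket with no policy at all is the expected starting point;
        # every other client error aborts the remediation.
        if exception_type not in ["NoSuchBucketPolicy"]:
            exit(f'ERROR: Boto3 s3 ClientError: {exception_type} - {str(ex)}')
    except Exception as e:
        exit(f'ERROR getting bucket policy for {bucket_name}: {str(e)}')

    if not bucket_policy:
        bucket_policy = new_policy()
    print(f'Existing policy: {bucket_policy}')

    # A policy document may carry "Statement" as a single object instead of a
    # list, or omit the key; normalise to a list before appending so a valid
    # but unusual existing policy does not crash the run.
    statements = bucket_policy.get('Statement')
    if statements is None:
        statements = []
    elif isinstance(statements, dict):
        statements = [statements]
    bucket_policy['Statement'] = statements

    # Re-running the remediation must not keep growing the policy with
    # identical statements (bucket policies have a size limit).
    ssl_statement = policy_to_add(bucket_name)
    if ssl_statement not in statements:
        statements.append(ssl_statement)

    try:
        result = s3.put_bucket_policy(
            Bucket=bucket_name,
            Policy=json.dumps(bucket_policy, indent=4, default=str),
            ExpectedBucketOwner=account_id
        )
        print(result)
    except ClientError as ex:
        exception_type = ex.response['Error']['Code']
        exit(f'ERROR: Boto3 s3 ClientError: {exception_type} - {str(ex)}')
    except Exception as e:
        exit(f'ERROR putting bucket policy for {bucket_name}: {str(e)}')

    print(f'New policy: {bucket_policy}')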