Merge pull request #278 from NHSDigital/feature/eja-eli-386-block-public-access-to-s3-at-account-level

eli-386 blocking s3 public access at account level

Author: eddalmond1

infrastructure/stacks/api-layer/s3_buckets.tf

@@ -16,3 +16,8 @@ module "s3_audit_bucket" {
   stack_name             = local.stack_name
   workspace              = terraform.workspace
 }
+
+resource "aws_s3_account_public_access_block" "block_public_access" {
+  block_public_acls   = true
+  block_public_policy = true
+}

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -164,6 +164,14 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs/*",
         ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:GetAccountPublicAccessBlock",
+          "s3:PutAccountPublicAccessBlock"
+        ],
+        Resource = "*"
       }
     ]
   })