20200629 - Public S3 buckets
Background
Regulation on the creation of public S3 buckets at Traveloka.
Goals
- Clear SOP for proceeding with public S3 bucket creation in Traveloka
- Where the public S3 buckets are placed.
Meeting's Actionable Items
- Do a proper cost analysis between S3 only & S3 + CloudFront
- Create a global rollout of IAM Role for Security team to modify account-level Block Public Access (BPA) settings
- Prepare rollout SCP to deny modification of account-level BPA settings
- Create a new naming convention for public buckets once we decide to continue allowing them to be created (e.g. remove the account ID from the name).
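The SCP from the third action item could take the following shape. This is an added, illustrative policy, not one from the meeting or from Traveloka; it assumes the Security team's IAM role from the second item is named SECURITY_BPA_ADMIN_ROLE_PLACEHOLDER, and it denies account-level BPA changes to every other principal in the attached accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountLevelBPAChangesExceptSecurityRole",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SECURITY_BPA_ADMIN_ROLE_PLACEHOLDER"
        }
      }
    }
  ]
}
```

SCPs never apply to the organization's management account, so that account's BPA settings still need a separate control, and the Security role itself must be granted s3:PutAccountPublicAccessBlock in each member account's IAM policy for the rollout in the second item to work.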
Current possible options (not decided yet)
- Centralize public buckets in a dedicated account
  - If yes, do we need an account per environment (e.g. prod, stg, testing)?
  - Bucket management will be done by each product team using the PDA role.
  - Product teams are able to create buckets after review and approval from InfoSec.
- Public bucket creation in each Product account
  - Product teams need review and approval from InfoSec.
  - Product teams need InfoSec to unlock BPA and make the bucket public.
  - Public buckets must have a special tag to avoid triggering security findings.
- Insist that there should be no public buckets at all; use CloudFront to distribute public objects.
Confluence's meeting notes:
https://29022131.atlassian.net/wiki/spaces/SI/pages/1416049725/2020-06-29+Public+S3+buckets