Building on this post, below are some examples of how to traverse your entire S3 inventory and:
- Apply bucket policies that prevent:
  - Users from uploading content that is publicly readable
  - Users from making existing content public
- Remove any public or semi-public access to your objects stored in S3
Get the code here. Converting these scripts to Ansible isn't an entirely straightforward exercise, because every policy document has to be customized to contain the name of its bucket. I'd recommend simply running these shell commands idempotently from Ansible, and then using either cron or AWS Systems Manager to schedule it. One can also pair this with AWS Config to set up a compliance alert so that if something DOES get past the script, you'll know about it.
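The same sweep in Python, as an added example rather than the post's own scripts: the policy document is generated per bucket (the customization step mentioned above) from the standard `s3:x-amz-acl` and `s3:x-amz-grant-read` condition keys, public ACL grants are reset to private, and the whole pass is idempotent so it can be scheduled. It assumes boto3 with credentials from the usual credential chain; the bucket names and ACL shapes are the ones the S3 API returns.

```python
"""Sweep every bucket: attach a deny-public bucket policy, then strip public ACL grants."""
import json

# Grantee URIs that make an object or bucket public / semi-public
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PUBLIC_CANNED_ACLS = ["public-read", "public-read-write", "authenticated-read"]
ACL_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketAcl"]


def deny_public_policy(bucket):
    """Policy document customised to this bucket's ARN. Statement 1 denies canned public
    ACLs on upload or ACL change; statement 2 denies explicit public READ grants."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyPublicCannedAcl", "Effect": "Deny", "Principal": "*",
         "Action": ACL_ACTIONS, "Resource": resources,
         "Condition": {"StringEquals": {"s3:x-amz-acl": PUBLIC_CANNED_ACLS}}},
        {"Sid": "DenyPublicReadGrant", "Effect": "Deny", "Principal": "*",
         "Action": ACL_ACTIONS, "Resource": resources,
         "Condition": {"StringLike": {
             "s3:x-amz-grant-read": [f"*{g}*" for g in PUBLIC_GROUPS]}}},
    ]}


def is_public(acl):
    """True if a GetBucketAcl/GetObjectAcl response grants anything to a public group."""
    return any(g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))


def remediate_all(s3):
    """Traverse every bucket: apply the policy, then reset public bucket/object ACLs to
    private. Returns what was changed. Note: put_bucket_policy REPLACES any existing
    policy, so merge these statements into it first if a bucket already has one."""
    fixed = []
    for bucket in (b["Name"] for b in s3.list_buckets()["Buckets"]):
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(deny_public_policy(bucket)))
        if is_public(s3.get_bucket_acl(Bucket=bucket)):
            s3.put_bucket_acl(Bucket=bucket, ACL="private")
            fixed.append(bucket)
        for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
            for obj in page.get("Contents", []):
                if is_public(s3.get_object_acl(Bucket=bucket, Key=obj["Key"])):
                    s3.put_object_acl(Bucket=bucket, Key=obj["Key"], ACL="private")
                    fixed.append(f"{bucket}/{obj['Key']}")
    return fixed


if __name__ == "__main__":
    import boto3  # assumption: credentials come from the standard boto3 credential chain
    print("\n".join(remediate_all(boto3.client("s3"))) or "nothing public found")
```

Because the policy is an explicit Deny with `Principal: "*"`, it also blocks your own administrators from making objects public; that is the intent, but confirm no legitimate workflow relies on public-read uploads before rolling it out account-wide.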