List and Append all S3 Bucket Policy into 150+ AWS accountIDs (existing and future S3 buckets/accountIDs)


I’m a Platform Admin on AWS for my client and I now need to list all existing/future S3 Bucket Policy into AWS Organization then applying to them a new Security Policy. However, Security folks are already using other CSPM tool (based on Custodian open framework) to deploy with lambda specific controls on S3 buckets. I need to basically add, for each S3 buckets previously listed (list to update on a regular basis), an ad-hoc security policy on top of existing S3 bucket Policy already in place, if any and without altering it.

Also, account admin could modify his S3 Bucket Policy so we should automatically remediate by adding my S3 Bucket Policy to his Policy on a regular basis.

Any idea how should I do it? Wanted to try with Terraform or Python script/Lambda if not possible but I’m kind of struggling where to start first. I did look into this post (S3 Buckets Policies for multiple buckets using for-each) but it’s an old one not exactly answering my use-case (no bucket creation, listing instead and NOT altering existing S3 Bucket Policy - if any deployed)… thanks!

Note: I also looked at SCP level by detaching the default ‘FullAWSAccess’ SCP since I need to craft an ‘Allow’ SCP Condition logic (not working with ‘Deny’ to cover embedded logic as it will always render a ‘false’ so not Denying in specific conditions). However, it is NOT possible to add (at least currently) Conditions to an ‘Allow’ Statement for SCP.
Link: Strategies for using SCPs - AWS Organizations

That’s why I need to drop down to Resource-Based Policy now which is… troublesome for me since I’m pretty new into scripting. Would really appreciate any guidance, thank you!