Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning.

Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions).

S3 Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations. This template also includes the option to configure permissions and network controls that apply to any request made through the access point.

Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside of the account. Access Analyzer analyzes generates findings for supported resources in the region it was enabled, with the exception of IAM resources which generates findings in each region (as IAM is a global service).

This template creates an advanced S3 StorageLens configuration that enables advanced metrics, Amazon CloudWatch publishing, and prefix aggregation. It includes an exclusion for two S3 buckets `source_bucket_1` and `source_bucket_2`. Finally it configures a metrics export to S3 bucket `destination_bucket` and adds tags.

This template creates an Amazon S3 bucket that Allows GET Requests From Specific Referers. The bucket policy is attached to the specified bucket and allows GET requests that originate from www.example.com and example.net. The policy allows the `s3:GetObject` action on all objects in the bucket. The principal is set to `*` to allow any AWS identity to perform the action. The condition is set to check the `aws:Referer` header and only allow requests with referers matching the specified URLs.

This template specifies analytics and inventory configurations for an S3 bucket. The analytics configuration generates CSV-formatted results and stores them in the `Helper` bucket. The inventory configuration generates CSV-formatted reports weekly.

This template creates an S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 has lost all replicas of an object (event: s3:ReducedRedundancyLostObject).

This template creates two S3 buckets. The `LoggingBucket` bucket stores the logs from the `S3Bucket` bucket. The `S3Bucket` bucket has a logging configuration that sends logs to the `LoggingBucket` bucket.

This template creates an S3 bucket with a lifecycle configuration rule that transitions objects with the `glacier` key prefix to Glacier after one day and deletes them after one year.

This template creates a public S3 bucket with two cross-origin resource sharing rules.

This template configures an S3 bucket as a static website with a routing rule that redirects requests to an EC2 instance when an HTTP 404 error occurs.

This template creates an S3 bucket with S3 Object Ownership set to `BucketOwnerPreferred` and access policy `AwsExecRead`

This template creates a new bucket called `my-bucket` and then disables Block Public Access settings. A public bucket policy is then added to the bucket.

This template creates an S3 bucket and grants it permission to write to a replication bucket (example-destination-bucket) by using an IAM role. The bucket depends on the `ReplicationIamRole` role.

This template creates an S3 bucket with both object versioning and block public access settings enabled

This template creates an Amazon S3 access point and an S3 bucket. The access point allows user JaneDoe to make GetObject and PutObject operations only for bucket objects prefixed with /janedoe.

This template creates an Amazon S3 access point restricted to a virtual private cloud (VPC). The access point is configured with a VPC ID and public access block configuration to restrict public access to the bucket.

A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups

Configuration to enable AWS CloudTrail in an AWS account for logging S3 Data Events. Data Events for Amazon S3 record object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)

This template creates an S3 on Outposts access point with an access point policy. It also creates an S3 on Outposts bucket and associates the access point with the bucket. The access point is configured with a VPC and a policy that allows access to the specified AWS account.

This template creates an S3 Outposts bucket with specified properties and tags. It also outputs the ARN of the bucket and the stack Id.

This template creates an S3 on Outposts bucket with tags and lifecycle configuration.

This template creates an Amazon S3 on Outposts bucket and adds a bucket policy to that bucket.

This template creates an endpoint for an Outpost.

This template creates an on-premises endpoint for an Outpost. It specifies the Outpost ID, Security Group ID, Subnet ID, Access Type, and Customer Owned IPv4 Pool for the endpoint.

A policy that denies any access to the S3 bucket that is not encrypted in-transit (uses HTTP instead of HTTPS).

A policy that denies an S3 bucket or any uploaded object with the attribute x-amz-acl having the values public-read, public-read-write, or authenticated-read. This means authenticated users cannot change the bucket's policy to public read or upload objects to the bucket if the objects have public permissions.

A policy that grants permissions to any user to perform any Amazon S3 operations on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition.

A policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages.

A policy that denies any Amazon S3 operation on the bucket if the request is not MFA authenticated.

A policy that denies any requests to read objects in an S3 bucket that don't come from a specific Cloudfront distribution. You must specify the canonical user ID for your CloudFront distribution's origin access identity.

A policy that grants the s3:GetObject permission to any public anonymous user.

An S3 Bucket policy grants access to AWS Config to store its history files and snapshots on the S3 bucket.

An S3 Bucket policy grants access to AWS CloudTrail to deliver log files to the S3 bucket.

An S3 Bucket policy grants access to AWS Config and AWS CloudTrail to deliver log files to the S3 bucket.

An S3 Bucket policy that denies all access to the bucket if the specified VPC is not being used to access the S3 bucket.

An S3 Bucket policy that denies all access to the bucket if the specified VPC endpoint is not being used to access the S3 bucket.

An S3 Bucket policy that allows all AWS accounts that belong to the specified AWS organization access to read all objects in the S3 bucket.

An S3 Bucket policy that grants permissions to specific IAM users to perform any Amazon S3 operations on objects in the specified bucket, and denies all other IAM principals.

An S3 Bucket policy that grants permissions to a specific IAM roles to perform any Amazon S3 operations on objects in the specified bucket, and denies all other IAM principals.

Auto remediation configuration to enable S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Auto remediation configuration to enable S3 Bucket Logging if an S3 bucket created with logging disabled. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

Checks whether logging is enabled for your S3 buckets.

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.

A Config rule that verifies that your Amazon S3 bucket policies do not allow other inter-account permissions that the control S3 bucket policy that you provide.

A config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted actions are allowed by the Amazon S3 bucket policy.

A Config rule that checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

A Config rule that checks whether S3 buckets have cross-region replication enabled.

A Config rule that checks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.

A Config rule that checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is not NON_COMPLIANT if Amazon S3 bucket is not encrypted with AWS KMS key.

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.

A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.

A Config rule that checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.

A Config rule that checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there is no active lifecycle configuration rules or the configuration does not match with the parameter values.

A Config rule that checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. The rule is NON_COMPLIANT if Amazon S3 lifecycle policy is not enabled.

Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLAINT if the configuration item does not match one or more settings from parameters (or default).

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). The rule is NON_COMPLIANT if ACLs are configured for user access in Amazon S3 Buckets.

Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the `excludedPublicBuckets` parameter and bucket level settings are public.

A CloudWatch Alarm that triggers when changes are made to an S3 Bucket.

A CloudWatch Alarm that triggers when an S3 Bucket is created or deleted.

Detect changes to S3 bucket policies and publishes change events to an SNS topic for notification.

This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.

This SCP prevents users or roles in any affected account from accessing any S3 objects outside the specified AWS Organization

This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account

This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from a master Macie account.

This SCP restricts IAM principals in accounts from creating new S3 buckets without ACLs disabled (bucket owner enforced)

A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (Programmatically and in the Console).

A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.

A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.