Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning.
A collection of AWS Security controls for Amazon S3. Controls include IAM policies, S3 bucket policies, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform
Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside of the account. Access Analyzer analyzes generates findings for supported resources in the region it was enabled, with the exception of IAM resources which generates findings in each region (as IAM is a global service).
A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups
A policy that denies any access to the S3 bucket that is not encrypted in-transit (uses HTTP instead of HTTPS).
A policy that denies an S3 bucket or any uploaded object with the attribute x-amz-acl having the values public-read, public-read-write, or authenticated-read. This means authenticated users cannot change the bucket's policy to public read or upload objects to the bucket if the objects have public permissions.
A policy that denies any requests to read objects in an S3 bucket that don't come from a specific Cloudfront distribution. You must specify the canonical user ID for your CloudFront distribution's origin access identity.
An S3 Bucket policy grants access to AWS CloudTrail to deliver log files to the S3 bucket.
An S3 Bucket policy grants access to AWS Config and AWS CloudTrail to deliver log files to the S3 bucket.
An S3 Bucket policy that denies all access to the bucket if the specified VPC endpoint is not being used to access the S3 bucket.
An S3 Bucket policy that allows all AWS accounts that belong to the specified AWS organization access to read all objects in the S3 bucket.
A config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted actions are allowed by the Amazon S3 bucket policy.
A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.
A Config rule that checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.
This SCP prevents users or roles in any affected account from accessing any S3 objects outside the specified AWS Organization
This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account
This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.
This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from a master Macie account.
A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (Programmatically and in the Console).
A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.
A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.
A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.