A collection of AWS security controls for Amazon S3. Controls include IAM policies, S3 bucket policies, CloudWatch Events rules and alarms for monitoring, and AWS Config rules for compliance checks. Configuration templates are available for AWS CloudFormation, the AWS CLI and Terraform.

S3
Amazon S3 Bucket

Configuration to create an S3 bucket with security options including S3 Block Public Access, default server-side encryption, server access logging, and versioning.

CloudFormation, Terraform, AWS CLI
S3 Block Public Access (Account-Level)

Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions).

CloudFormation, Terraform, AWS CLI
S3 Access Point

S3 Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations. This template also includes the option to configure permissions and network controls that apply to any request made through the access point.

CloudFormation, Terraform, AWS CLI
Access Analyzer

Configure IAM Access Analyzer to discover which resources in an AWS account are shared with principals outside the account. Access Analyzer generates findings for supported resources in the Region where it is enabled, with the exception of IAM resources, for which findings are generated in each Region (IAM is a global service).

CloudFormation, Terraform, AWS CLI
S3 StorageLens Example Configuration

This template creates an advanced S3 StorageLens configuration that enables advanced metrics, Amazon CloudWatch publishing, and prefix aggregation. It includes an exclusion for two S3 buckets `source_bucket_1` and `source_bucket_2`. Finally it configures a metrics export to S3 bucket `destination_bucket` and adds tags.

CloudFormation, Terraform
Bucket that Allows GET Requests From Specific Referers

This template creates an Amazon S3 bucket with a bucket policy that allows GET requests from specific referers. The policy allows the `s3:GetObject` action on all objects in the bucket, with the principal set to `*`, and a condition on the `aws:Referer` key so that only requests whose Referer header matches www.example.com or example.net are allowed. Note that the Referer header is supplied by the client and is trivially spoofed: this pattern deters casual hotlinking but is not an access control, and the wildcard principal still makes the objects readable by anyone who sets the header.

CloudFormation, Terraform
S3 Bucket with Analytics and Inventory Configurations

This template specifies analytics and inventory configurations for an S3 bucket. The analytics configuration generates CSV-formatted results and stores them in the `Helper` bucket. The inventory configuration generates CSV-formatted reports weekly.

CloudFormation, Terraform
Bucket with Notifications to SNS

This template creates an S3 bucket with a notification configuration that sends an event to the specified SNS topic when S3 detects that it has lost all replicas of a Reduced Redundancy Storage (RRS) object (event `s3:ReducedRedundancyLostObject`).

CloudFormation, Terraform
S3 Bucket with Access Logging Enabled

This template creates two S3 buckets. `S3Bucket` has a logging configuration that delivers server access logs to `LoggingBucket`; keeping the log destination in a separate bucket avoids a bucket logging its own log deliveries.

CloudFormation, Terraform
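Access logs are only a control if something reads them. The Python below is an added example, not code from this collection's templates: it parses the S3 server access log record format and flags anonymous requests that were served, requests made over plaintext HTTP, and legacy SigV2 signatures. The log lines are constructed for the example (bucket name, owner ID, request IDs and host ID are made up).

```python
"""Flag risky requests in S3 server access logs (added example, constructed data)."""
import re

# One pattern for the S3 server access log record: the bracketed timestamp and
# the three double-quoted fields are the only ones that may contain spaces.
# The two newest fields (access point ARN, aclRequired) are an optional tail so
# both older and newer records parse.
LOG_RE = re.compile(
    r'^(?P<bucket_owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error_code>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround_time>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<version_id>\S+) (?P<host_id>\S+) (?P<signature_version>\S+) '
    r'(?P<cipher_suite>\S+) (?P<auth_type>\S+) (?P<host_header>\S+) '
    r'(?P<tls_version>\S+)(?: (?P<access_point_arn>\S+) (?P<acl_required>\S+))?\s*$'
)


def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not a record."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def assess(record):
    """Return findings for one parsed record; an empty list means unremarkable."""
    findings = []
    # '-' as requester means the request was anonymous; a 2xx means it was served.
    if record["requester"] == "-" and record["status"].startswith("2"):
        findings.append("anonymous request served")
    # No cipher suite and no TLS version: the request arrived over plain HTTP.
    if record["cipher_suite"] == "-" and record["tls_version"] == "-":
        findings.append("plaintext HTTP")
    if record["signature_version"] == "SigV2":
        findings.append("legacy SigV2 signature")
    return findings


def scan(log_text):
    """Map request ID -> findings for every record in log_text that has findings."""
    results = {}
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        found = assess(record)
        if found:
            results[record["request_id"]] = found
    return results


# Constructed sample records (made-up IDs); the second is anonymous over HTTP,
# the third is SigV2-signed, the fourth is an anonymous request that was denied.
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
HOST_ID = "s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234="
SAMPLE_LOG = f"""\
{OWNER} example-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 4406 4406 30 29 "-" "aws-cli/2.13.0" - {HOST_ID} SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-west-1.amazonaws.com TLSv1.2 - -
{OWNER} example-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - 7B4A0FABBEXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 4406 4406 25 24 "-" "curl/8.4.0" - {HOST_ID} - - - example-bucket.s3.us-west-1.amazonaws.com - - -
{OWNER} example-bucket [06/Feb/2024:00:02:11 +0000] 192.0.2.9 {OWNER} 891CE47D2EXAMPLE REST.PUT.OBJECT uploads/a.bin "PUT /example-bucket/uploads/a.bin HTTP/1.1" 200 - - 1024 120 80 "-" "old-sdk/1.0" - {HOST_ID} SigV2 ECDHE-RSA-AES128-SHA AuthHeader example-bucket.s3.us-west-1.amazonaws.com TLSv1 - -
{OWNER} example-bucket [06/Feb/2024:00:03:40 +0000] 203.0.113.5 - A1206F460EXAMPLE REST.GET.OBJECT secrets/db.env "GET /example-bucket/secrets/db.env HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "curl/8.4.0" - {HOST_ID} - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.us-west-1.amazonaws.com TLSv1.2 - -
"""

if __name__ == "__main__":
    for request_id, found in scan(SAMPLE_LOG).items():
        print(request_id, ", ".join(found))
```

The denied anonymous request produces no finding on purpose: a 403 is the control working, and alerting on it is a separate volume-based decision.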
S3 Bucket with Lifecycle Rules to Glacier

This template creates an S3 bucket with a lifecycle configuration rule that transitions objects with the `glacier` key prefix to Glacier after one day and deletes them after one year.

CloudFormation, Terraform
Public S3 Bucket CORS Configuration

This template creates a public S3 bucket with two cross-origin resource sharing rules.

CloudFormation, Terraform
S3 Static Website with Routing Rule

This template configures an S3 bucket as a static website with a routing rule that redirects requests to an EC2 instance when an HTTP 404 error occurs.

CloudFormation, Terraform
S3 Bucket with ACLs enabled

This template creates an S3 bucket with S3 Object Ownership set to `BucketOwnerPreferred` (so ACLs remain enabled) and the canned ACL `AwsExecRead` applied. New buckets have ACLs disabled (`BucketOwnerEnforced`) by default, so this configuration is only needed for workloads that still depend on ACLs.

CloudFormation, Terraform
Read-Only Public S3 Bucket

This template creates a new bucket called `my-bucket` and then disables Block Public Access settings. A public bucket policy is then added to the bucket.

CloudFormation, Terraform
S3 Bucket with Replication Configuration and IAM Role

This template creates an S3 bucket with a replication configuration that copies objects to the destination bucket `example-destination-bucket`. S3 assumes the `ReplicationIamRole` IAM role to read from the source and write to the destination, so the bucket depends on that role.

CloudFormation, Terraform
S3 Bucket with Block Public Access Enabled

This template creates an S3 bucket with both object versioning and the four S3 Block Public Access settings enabled.

CloudFormation, Terraform
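The account-level and bucket-level Block Public Access templates exist because the two levels combine: for each of the four flags, S3 applies the more restrictive of the two values. The Python below is an added example, not part of this collection, that computes the effective settings and then decides whether a constructed bucket policy or a public ACL grant would actually expose the bucket. The flag values, the policy, the bucket name and the VPC endpoint ID are made up.

```python
"""Effective S3 Block Public Access and public-exposure check (added example)."""

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_block_public_access(account_settings, bucket_settings):
    """S3 enforces the more restrictive of the account-level and bucket-level
    value for each flag, i.e. a logical OR. A missing key counts as not set."""
    return {
        flag: bool(account_settings.get(flag)) or bool(bucket_settings.get(flag))
        for flag in BPA_FLAGS
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_public(statement):
    """An Allow to Principal '*' (or {'AWS': '*'}) with no Condition is public.
    Simplification: S3 treats some conditions (aws:SourceVpce, aws:PrincipalOrgID,
    a narrow aws:SourceIp, ...) as non-public and others as still public; here
    any Condition is taken to make the statement non-public."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )
    return wildcard and not statement.get("Condition")


def effective_public_read(account_settings, bucket_settings, bucket_policy, acl_grants_public=False):
    """Decide whether anonymous access is actually possible once BPA is applied.
    RestrictPublicBuckets neutralises a public bucket policy; IgnorePublicAcls
    neutralises public ACL grants. BlockPublicAcls and BlockPublicPolicy only
    stop *new* public settings from being written, so they do not help here."""
    bpa = effective_block_public_access(account_settings, bucket_settings)
    public_sids = [
        s.get("Sid", f"statement-{i}")
        for i, s in enumerate(bucket_policy.get("Statement", []))
        if statement_is_public(s)
    ]
    policy_exposed = bool(public_sids) and not bpa["RestrictPublicBuckets"]
    acl_exposed = acl_grants_public and not bpa["IgnorePublicAcls"]
    return {
        "public_statements": public_sids,
        "policy_exposed": policy_exposed,
        "acl_exposed": acl_exposed,
        "publicly_accessible": policy_exposed or acl_exposed,
    }


# Constructed settings and policies for the example (names and IDs are made up).
ACCOUNT_OPEN = {flag: False for flag in BPA_FLAGS}
ACCOUNT_LOCKED = {flag: True for flag in BPA_FLAGS}
BUCKET_ACLS_ONLY = {"BlockPublicAcls": True, "IgnorePublicAcls": True}  # policy flags unset

PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

if __name__ == "__main__":
    # A bucket that blocked only the ACL flags stays exposed through its policy...
    print(effective_public_read(ACCOUNT_OPEN, BUCKET_ACLS_ONLY, PUBLIC_READ_POLICY))
    # ...until the account-level setting turns RestrictPublicBuckets on for it.
    print(effective_public_read(ACCOUNT_LOCKED, BUCKET_ACLS_ONLY, PUBLIC_READ_POLICY))
```

The point of the second run is why the account-level template matters: it closes a public policy on a bucket whose own settings never mentioned policies.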
S3 Access Point with Example Policy

This template creates an Amazon S3 access point and an S3 bucket. The access point policy allows the user JaneDoe to perform GetObject and PutObject only on bucket objects prefixed with `/janedoe`.

CloudFormation, Terraform
S3 Access Point restricted to a VPC

This template creates an Amazon S3 access point restricted to a virtual private cloud (VPC). The access point is configured with a VPC ID and public access block configuration to restrict public access to the bucket.

CloudFormation, Terraform
Amazon S3 (Simple Storage Service)
AWS Lambda Function Deployment with S3 Metadata

This template retrieves metadata for a zip file from an S3 bucket and uses it to configure and deploy an AWS Lambda function.

Terraform
Retrieve S3 Bucket Object Keys and Metadata

This template retrieves all object keys and their metadata from a specified S3 bucket and creates Terraform data sources for each object.

Terraform
Retrieve S3 Object Keys and Metadata

This template retrieves all object keys and their metadata from a specified S3 bucket and creates corresponding Terraform data sources for each object.

Terraform
S3 Bucket with Private ACL

Sets up an S3 bucket with private access control list (ACL), ensuring that the bucket content is not publicly accessible.

Terraform
S3 Bucket with Public-Read ACL

Configures an S3 bucket with the `public-read` canned ACL, making the bucket's objects readable by anyone. For the ACL to take effect the bucket must have ACLs enabled (Object Ownership other than `BucketOwnerEnforced`) and the `BlockPublicAcls` and `IgnorePublicAcls` Block Public Access settings turned off, so this setup disables default protections.

Terraform
S3 Bucket with Custom Grants

Creates an S3 bucket with custom grants, specifying access permissions for different users and groups.

Terraform
Analytics Configuration for Entire S3 Bucket with Export

Configures analytics for an entire S3 bucket and exports the results to another S3 bucket.

Terraform
Analytics Configuration with S3 Object Filter

Sets up analytics configuration for an S3 bucket with filters applied to specific objects based on prefix and tags.

Terraform
S3 Bucket with CORS Configuration

This template configures CORS rules for an S3 bucket, allowing specific cross-origin requests.

Terraform
Intelligent Tiering Configuration for Entire S3 Bucket

Configures intelligent tiering for an entire S3 bucket to automatically move objects between different storage tiers based on their access patterns.

Terraform
Intelligent Tiering Configuration with S3 Object Filter

Sets up intelligent tiering with filters for specific objects in an S3 bucket, allowing for more granular control over storage tiering based on object tags and prefixes.

Terraform
Basic S3 Bucket Inventory Configuration

Creates a daily inventory configuration for an entire S3 bucket using ORC format.

Terraform
S3 Bucket Inventory Configuration with Object Prefix

Configures a daily inventory for specific objects within an S3 bucket, filtered by prefix, and stores the inventory in ORC format.

Terraform
S3 Bucket with Server Access Logging

This template sets up an S3 bucket for storing files and a separate S3 bucket for logging access requests to the primary bucket.

Terraform
Metrics Configuration with S3 Object Filter

Sets up an S3 bucket and configures metrics with filters based on object prefixes and tags.

Terraform
Metrics Configuration with S3 Object Filter for Access Point

Configures an S3 bucket with an access point and sets up metrics filtered by access point and tags.

Terraform
S3 to SNS Notification Configuration

Configures an S3 bucket to send notifications to an SNS topic when new objects are created with a .log suffix.

Terraform
S3 to SQS Notification Configuration

Configures an S3 bucket to send notifications to an SQS queue when new objects are created with a .log suffix.

Terraform
S3 to Lambda Notification Configuration

Configures an S3 bucket to trigger a Lambda function when new objects are created with a .log suffix in the AWSLogs directory.

Terraform
Multiple Lambda Functions Triggered by S3

Configures an S3 bucket to trigger multiple Lambda functions for different log types when new objects are created.

Terraform
Uploading a File to S3 Bucket

This template demonstrates how to upload a file to an S3 bucket using the `aws_s3_bucket_object` resource. In AWS provider v4.0 and later this resource is deprecated in favour of `aws_s3_object`.

Terraform
Encrypting S3 Object with KMS Key

This template creates an S3 bucket and an object within it, encrypting the object with a specified AWS KMS key.

Terraform
Server Side Encryption with S3 Default Master Key

This template configures server-side encryption for an S3 object using the S3-managed key (SSE-S3, `AES256`).

Terraform
S3 Object Lock Configuration

This template configures an S3 bucket and object with object locking enabled, setting legal hold and retention policies.

Terraform
S3 Bucket with Object Lock Configuration

This template sets up an S3 bucket with Object Lock configuration in compliance mode for 5 days.

Terraform
S3 Bucket Public Access Block Configuration

Configures an S3 bucket to block public access using various settings such as blocking public ACLs and policies.

Terraform
S3 Bucket Replication Configuration

Configures replication for AWS S3 buckets including IAM roles and policies for replication permissions.

Terraform
Bi-Directional S3 Bucket Replication

Sets up bi-directional replication between two AWS S3 buckets located in different regions.

Terraform
S3 Bucket with Server-Side Encryption using KMS Key

This template configures an S3 bucket with server-side encryption using an AWS KMS key.

Terraform
S3 Bucket with Versioning Enabled

This template enables versioning on an S3 bucket and sets the ACL to private.

Terraform
S3 Bucket with Versioning Disabled

This template suspends versioning on an S3 bucket and sets the ACL to private. Once versioning has been enabled it can only be suspended, not disabled; existing object versions are retained.

Terraform
S3 Bucket and Object with Versioning Dependency

This template sets up an S3 bucket with versioning enabled and creates an S3 object that depends on the versioning configuration.

Terraform
S3 Bucket Website with Single Routing Rule

Configures an S3 bucket for website hosting with a single routing rule to redirect requests from a specific path.

Terraform
S3 Bucket Website with Multiple Routing Rules

Configures an S3 bucket for website hosting with multiple routing rules defined in JSON format.

Terraform
Uploading a File to an S3 Bucket

This template uploads a file to an AWS S3 bucket and sets the object's `etag` argument from the file's MD5 hash so that Terraform detects content changes and re-uploads. This works because the ETag of a single-part object without SSE-KMS is the MD5 of its contents; for KMS-encrypted or multipart objects use `source_hash` instead.

Terraform
Ignoring Provider Default Tags for S3 Object

This template demonstrates how to ignore provider-level default tags when creating an S3 object to manage tagging explicitly.

Terraform
Copy S3 Object with Permissions

This template copies an S3 object from one bucket to another and grants read permission to all users, so the copy is publicly readable. Such an ACL grant only takes effect if ACLs are enabled on the destination bucket and Block Public Access does not ignore public ACLs.

Terraform
S3 Bucket Policy for Cross-Account Access

This template attaches a policy to an S3 bucket to allow access from another AWS account.

Terraform
S3 Bucket Policy
Require SSL (encryption in-transit) to access the S3 Bucket.

A policy that denies any request to the S3 bucket or its objects that is not encrypted in transit, i.e. made over HTTP instead of HTTPS (condition `aws:SecureTransport` is `false`). The Deny should name both the bucket ARN and `bucket/*` so bucket-level and object-level operations are covered.

CloudFormation, Terraform, AWS CLI
Prevent S3 Buckets and Objects from Allowing Public Access

A policy that denies requests that set a bucket or object ACL via the `x-amz-acl` header to `public-read`, `public-read-write` or `authenticated-read`. This means that even principals with write access cannot make the bucket ACL public or upload objects that carry a public ACL. S3 Block Public Access is the simpler control for the same goal and also covers public bucket policies; this policy is useful where ACLs must remain enabled.

CloudFormation, Terraform, AWS CLI
Restrict Access to Specific IP Addresses

A policy that grants any principal permission to perform any Amazon S3 operation on objects in the specified bucket, on the condition that the request originates from the IP address range given in the `aws:SourceIp` condition. Two caveats: an Allow to `*` with a source-IP condition treats every caller from that range, including unauthenticated ones, as trusted; and requests that reach S3 through a VPC endpoint do not carry a public source IP, so they will not match (use `aws:VpcSourceIp` or `aws:SourceVpce` for those).

CloudFormation, Terraform, AWS CLI
Restricting Access to a Specific HTTP Referrer

A policy that allows `s3:GetObject` with a condition on the `aws:Referer` key requiring the request to originate from specific web pages. The Referer header is set by the client and easily forged, so treat this as a hotlinking deterrent rather than an access control.

CloudFormation, Terraform, AWS CLI
Require MFA for Bucket Access

A policy that denies any Amazon S3 operation on the bucket if the request is not MFA authenticated.

CloudFormation, Terraform, AWS CLI
Restrict S3 bucket read access to a Cloudfront origin

A policy that denies requests to read objects in an S3 bucket unless they come from a specific CloudFront distribution. You must specify the canonical user ID of the distribution's origin access identity (OAI). OAI is the legacy mechanism; for new distributions AWS recommends origin access control (OAC), where the bucket policy grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal with an `AWS:SourceArn` condition on the distribution ARN.

CloudFormation, Terraform, AWS CLI
Grant Read-Only Permission to any Anonymous User

A policy that grants the s3:GetObject permission to any public anonymous user.

CloudFormation, Terraform, AWS CLI
Grant AWS Config Access to the Amazon S3 Bucket

An S3 bucket policy that grants AWS Config access to store its configuration history files and snapshots in the S3 bucket.

CloudFormation, Terraform, AWS CLI
Grant AWS CloudTrail Access to the Amazon S3 Bucket

An S3 bucket policy that grants AWS CloudTrail access to deliver log files to the S3 bucket.

CloudFormation, Terraform, AWS CLI
Grant AWS CloudTrail and AWS Config access to the Amazon S3 Bucket

An S3 bucket policy that grants both AWS Config and AWS CloudTrail access to deliver their files to the S3 bucket.

CloudFormation, Terraform, AWS CLI
Restrict Access to a Specific VPC

An S3 bucket policy that denies all access to the bucket unless the request comes from the specified VPC (`aws:SourceVpc`). Requests from anywhere else, including console and CLI use from the public internet, are denied, so exempt an administrative principal or you can lock yourself out of the bucket.

CloudFormation, Terraform, AWS CLI
Restrict Access to S3 Bucket to a Specific VPC Endpoint

An S3 bucket policy that denies all access to the bucket unless the request is made through the specified VPC endpoint (`aws:SourceVpce`).

CloudFormation, Terraform, AWS CLI
Allow All AWS Accounts in an AWS Organization Read Access

An S3 bucket policy that allows all AWS accounts belonging to the specified AWS Organization (`aws:PrincipalOrgID` condition) to read all objects in the S3 bucket.

CloudFormation, Terraform, AWS CLI
Restrict Access to Specific IAM Users

An S3 bucket policy that grants specific IAM users permission to perform any Amazon S3 operation on objects in the specified bucket, and denies all other principals.

CloudFormation, Terraform, AWS CLI
Restrict Access to a Specific IAM Role

An S3 bucket policy that grants a specific IAM role permission to perform any Amazon S3 operation on objects in the specified bucket, and denies all other principals.

CloudFormation, Terraform, AWS CLI
Config Rule
S3 Bucket SSL Requests Only

Checks whether S3 buckets have policies that require requests to use TLS (the rule name still says SSL). The bucket is compliant if its policy explicitly denies requests made over HTTP, i.e. with `aws:SecureTransport` set to `false`, and noncompliant otherwise.

CloudFormation, Terraform, AWS CLI
S3 Bucket Logging Enabled Check

Checks whether logging is enabled for your S3 buckets.

CloudFormation, Terraform, AWS CLI
S3 Bucket Public Read Disabled Check

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

CloudFormation, Terraform, AWS CLI
S3 Bucket Public Write Disabled Check

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

CloudFormation, Terraform, AWS CLI
S3 Bucket Server Side Encryption Enabled Check

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

CloudFormation, Terraform, AWS CLI
S3 Bucket Versioning Enabled Check

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.

CloudFormation, Terraform, AWS CLI
s3-bucket-policy-not-more-permissive

A Config rule that verifies that your Amazon S3 bucket policies do not allow other cross-account permissions than the control S3 bucket policy that you provide.

CloudFormation, Terraform, AWS CLI
s3-blacklisted-actions-prohibited

A Config rule that checks that the Amazon S3 bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the bucket policy does not allow another AWS account to perform any `s3:GetBucket*` action or `s3:DeleteObject` on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted action is allowed by the bucket policy.

CloudFormation, Terraform, AWS CLI
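The TLS-only rule above and this blacklisted-actions rule can both be reasoned about offline before a bucket policy is deployed. The Python below is an added example, not code from this collection or from AWS Config: it implements the intent of the two checks as static functions over a policy document and runs them against a constructed weak policy and a constructed hardened policy (the latter carrying the deny-insecure-transport and deny-public-ACL statements from the bucket policy section). The bucket name, account IDs and role name are made up, and the matching is a simplification of IAM's evaluation (no NotAction, NotPrincipal or condition-key case handling).

```python
"""Static checks mirroring s3-bucket-ssl-requests-only and
s3-blacklisted-actions-prohibited (added example, constructed policies)."""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Flatten the Principal element to a list of strings ('*' for everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for kind in ("AWS", "Service", "Federated", "CanonicalUser"):
        found.extend(_as_list(principal.get(kind)))
    return found


def principal_account(principal):
    """Account ID behind an AWS principal, '*' for anonymous, None if unknown
    (service principals, federated providers, canonical user IDs)."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None


def actions_overlap(statement_actions, pattern):
    """IAM action names are case-insensitive globs; 's3:*' in a policy covers the
    blacklist pattern 's3:GetBucket*' and vice versa, so match in both directions."""
    pattern = pattern.lower()
    return any(
        fnmatch.fnmatchcase(pattern, action.lower()) or fnmatch.fnmatchcase(action.lower(), pattern)
        for action in _as_list(statement_actions)
    )


def requires_tls(policy):
    """True if some Deny statement blocks every principal's S3 actions when
    aws:SecureTransport is false, which is what the Config rule looks for."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Deny" or principals(statement) != ["*"]:
            continue
        condition = statement.get("Condition", {}).get("Bool", {})
        if str(condition.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if any(a.lower() in ("s3:*", "*") for a in _as_list(statement.get("Action"))):
            return True
    return False


def cross_account_blacklisted(policy, own_account, blacklist=("s3:GetBucket*", "s3:DeleteObject")):
    """List (Sid, principal, pattern) for Allow statements that hand a blacklisted
    action to a principal outside own_account, including anonymous ('*')."""
    hits = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement-{index}")
        for principal in principals(statement):
            account = principal_account(principal)
            if account is None or account == own_account:
                continue
            for pattern in blacklist:
                if actions_overlap(statement.get("Action"), pattern):
                    hits.append((sid, principal, pattern))
    return hits


# Constructed policies; account IDs, bucket and role names are made up.
OWN_ACCOUNT = "123456789012"
BUCKET = "arn:aws:s3:::example-bucket"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    {"Sid": "PartnerFullAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyPublicAcls", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutBucketAcl", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]}}},
    {"Sid": "AppRoleReadWrite", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/app-role"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*"},
]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "tls-only:", requires_tls(policy), "blacklisted:", cross_account_blacklisted(policy, OWN_ACCOUNT))
```

Note that `s3:*` granted to the partner account is what trips the blacklist, not an explicit `s3:DeleteObject`; wildcard grants are exactly the case the two-way glob comparison exists for.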
S3 Bucket Policy Grantee Check

A Config rule that checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

CloudFormation, Terraform, AWS CLI
S3 Bucket Replication Enabled

A Config rule that checks whether S3 buckets have cross-region replication enabled.

CloudFormation, Terraform, AWS CLI
S3 Bucket Default Lock Enabled

A Config rule that checks whether an Amazon S3 bucket has Object Lock enabled by default. The rule is NON_COMPLIANT if Object Lock is not enabled.

CloudFormation, Terraform, AWS CLI
S3 Bucket Default Encryption with KMS Enabled

A Config rule that checks whether Amazon S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if an S3 bucket is not encrypted with an AWS KMS key.

CloudFormation, Terraform, AWS CLI
CloudTrail Data Events are Enabled for S3 Buckets Check

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.

CloudFormation, Terraform, AWS CLI
S3 Block Public Access Enabled (Account-Level)

A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.

CloudFormation, Terraform, AWS CLI
S3 Event Notifications Enabled

A Config rule that checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.

CloudFormation, Terraform, AWS CLI
S3 Lifecycle Policy Check

A Config rule that checks if a lifecycle rule is configured for an Amazon S3 bucket. The rule is NON_COMPLIANT if there are no active lifecycle configuration rules or the configuration does not match the parameter values.

CloudFormation, Terraform, AWS CLI
S3 Version Lifecycle Policy Check

A Config rule that checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. The rule is NON_COMPLIANT if Amazon S3 lifecycle policy is not enabled.

CloudFormation, Terraform, AWS CLI
Check public access block settings at account level

Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLIANT if the configuration item does not match one or more settings from the parameters (or their defaults).

CloudFormation, Terraform
Prohibit ACLs in S3 Buckets

Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). The rule is NON_COMPLIANT if ACLs are configured for user access in Amazon S3 Buckets.

CloudFormation, Terraform
Prohibit Public Access at S3 Bucket Level

Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the `excludedPublicBuckets` parameter and bucket level settings are public.

CloudFormation, Terraform
IAM Policy
Allows IAM Users Access to Their S3 Home Directory

A policy that allows IAM users to access their own home directory in S3. The home directory bucket contains a home folder with a sub-folder for each user; the policy grants access both programmatically and in the console.

CloudFormation, Terraform, AWS CLI
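An added example, not the collection's template, of what such a policy looks like and how its conditions behave. The Python below renders a home-directory policy using the `${aws:username}` policy variable (assumed here; check the actual template on the page) and pairs it with a deliberately simplified evaluator, covering only Allow statements, glob Resources and the StringLike `s3:prefix` condition, to show that a user can list and touch only their own folder. The bucket name and user names are made up.

```python
"""Home-directory IAM policy with ${aws:username} and a minimal evaluator (added example)."""
import fnmatch


def home_directory_policy(bucket):
    """One policy for all users: each may list and manage only home/<username>/.
    ListBucket is restricted with s3:prefix so a user can browse down to their
    own folder (the console needs '' and 'home/') without listing siblings."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfOwnFolder",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/*"]}},
            },
            {
                "Sid": "AllowAllActionsInOwnFolder",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": f"arn:aws:s3:::{bucket}/home/${{aws:username}}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(text, username):
    """Substitute the policy variable the way IAM does before matching."""
    return text.replace("${aws:username}", username)


def _action_allows(actions, wanted):
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in _as_list(actions))


def _resource_allows(resources, arn, username):
    return any(fnmatch.fnmatchcase(arn, _resolve(r, username)) for r in _as_list(resources))


def can_list(policy, bucket, username, prefix):
    """Simplified s3:ListBucket decision for a request with the given s3:prefix.
    Only Allow statements, glob Resources and StringLike on s3:prefix are modelled;
    a request without a prefix parameter is represented by the empty string."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or not _action_allows(statement["Action"], "s3:ListBucket"):
            continue
        if not _resource_allows(statement["Resource"], bucket_arn, username):
            continue
        patterns = statement.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is None:
            return True  # unconditional ListBucket on the bucket
        if any(fnmatch.fnmatchcase(prefix, _resolve(p, username)) for p in _as_list(patterns)):
            return True
    return False


def can_access_object(policy, bucket, username, key, action="s3:GetObject"):
    """Simplified object-level decision under the same modelling limits."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(
        statement.get("Effect") == "Allow"
        and _action_allows(statement["Action"], action)
        and _resource_allows(statement["Resource"], object_arn, username)
        for statement in policy["Statement"]
    )


BUCKET = "example-home-bucket"  # made up
POLICY = home_directory_policy(BUCKET)

if __name__ == "__main__":
    for user, prefix in (("alice", "home/alice/"), ("alice", "home/bob/")):
        print(user, "list", repr(prefix), can_list(POLICY, BUCKET, user, prefix))
    print("alice get home/bob/notes.txt", can_access_object(POLICY, BUCKET, "alice", "home/bob/notes.txt"))
```

The `s3:prefix` condition is the part people get wrong: without it, `s3:ListBucket` on the bucket ARN lets every user enumerate everyone else's folder names, even though they cannot read the objects.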
Limits Managing to a Specific S3 Bucket and Denies All Other Actions

A policy that limits management to one S3 bucket by allowing all S3 actions on that bucket and its objects, while explicitly denying every action outside Amazon S3. Because the Allow is scoped to the bucket ARN and its objects, account-level actions that take no bucket resource, such as `s3:ListAllMyBuckets`, are not granted. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormation, Terraform, AWS CLI
Allows Read and Write Access to a Specific S3 Bucket

A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormation, Terraform, AWS CLI
Allows Read and Write Access to a Specific S3 Bucket, Programmatically and in the Console.

A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.

CloudFormation, Terraform, AWS CLI
Allow users to read objects in a portion of the S3 bucket.

A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormation, Terraform, AWS CLI
Allow users to only drop files to a specific folder within an S3 bucket.

A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

CloudFormation, Terraform, AWS CLI