Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning.

Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions).

S3 Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations. This template also includes the option to configure permissions and network controls that apply to any request made through the access point.

Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside of the account. Access Analyzer analyzes generates findings for supported resources in the region it was enabled, with the exception of IAM resources which generates findings in each region (as IAM is a global service).

A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups

Configuration to enable AWS CloudTrail in an AWS account for logging S3 Data Events. Data Events for Amazon S3 record object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)

A policy that denies any access to the S3 bucket that is not encrypted in-transit (uses HTTP instead of HTTPS).

A policy that denies an S3 bucket or any uploaded object with the attribute x-amz-acl having the values public-read, public-read-write, or authenticated-read. This means authenticated users cannot change the bucket's policy to public read or upload objects to the bucket if the objects have public permissions.

A policy that grants permissions to any user to perform any Amazon S3 operations on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition.

A policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages.

A policy that denies any Amazon S3 operation on the bucket if the request is not MFA authenticated.

A policy that denies any requests to read objects in an S3 bucket that don't come from a specific Cloudfront distribution. You must specify the canonical user ID for your CloudFront distribution's origin access identity.

A policy that grants the s3:GetObject permission to any public anonymous user.

An S3 Bucket policy grants access to AWS Config to store its history files and snapshots on the S3 bucket.

An S3 Bucket policy grants access to AWS CloudTrail to deliver log files to the S3 bucket.

An S3 Bucket policy grants access to AWS Config and AWS CloudTrail to deliver log files to the S3 bucket.

An S3 Bucket policy that denies all access to the bucket if the specified VPC is not being used to access the S3 bucket.

An S3 Bucket policy that denies all access to the bucket if the specified VPC endpoint is not being used to access the S3 bucket.

An S3 Bucket policy that allows all AWS accounts that belong to the specified AWS organization access to read all objects in the S3 bucket.

An S3 Bucket policy that grants permissions to specific IAM users to perform any Amazon S3 operations on objects in the specified bucket, and denies all other IAM principals.

An S3 Bucket policy that grants permissions to a specific IAM roles to perform any Amazon S3 operations on objects in the specified bucket, and denies all other IAM principals.

Auto remediation configuration to enable S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Auto remediation configuration to configure S3 Bucket Versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Auto remediation configuration to enable S3 Bucket Logging if an S3 bucket created with logging disabled. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

Checks whether logging is enabled for your S3 buckets.

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.

A Config rule that verifies that your Amazon S3 bucket policies do not allow other inter-account permissions that the control S3 bucket policy that you provide.

A config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted actions are allowed by the Amazon S3 bucket policy.

A Config rule that checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

A Config rule that checks whether S3 buckets have cross-region replication enabled.

A Config rule that checks whether Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.

A Config rule that checks whether the Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is not NON_COMPLIANT if Amazon S3 bucket is not encrypted with AWS KMS key.

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails that log data events for S3 buckets are not configured.

A Config rule that checks whether the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.

A Config rule that checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters.

A Config rule that checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there is no active lifecycle configuration rules or the configuration does not match with the parameter values.

A Config rule that checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. The rule is NON_COMPLIANT if Amazon S3 lifecycle policy is not enabled.

A CloudWatch Alarm that triggers when changes are made to an S3 Bucket.

A CloudWatch Alarm that triggers when an S3 Bucket is created or deleted.

Detect changes to S3 bucket policies and publishes change events to an SNS topic for notification.

This SCP prevents users or roles in any affected account from deleting any S3 bucket or objects.

This SCP prevents users or roles in any affected account from accessing any S3 objects outside the specified AWS Organization

This SCP requires that all Amazon S3 buckets use AES256 encryption in an AWS Account

This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts or disassociating an account from a master Macie account.

This SCP restricts IAM principals in accounts from creating new S3 buckets without ACLs disabled (bucket owner enforced)

A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (Programmatically and in the Console).

A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows Read and Write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows Read and Write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action on the console.

A policy that allows Read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.