S3 Security Controls

A collection of AWS security controls for Amazon S3. The controls include IAM policies, S3 bucket policies, CloudWatch events and alarms for monitoring, and Config rules. Configuration templates are available for AWS CloudFormation, the AWS CLI and Terraform.

S3

Configuration to create an S3 bucket with security configuration options, including S3 Block Public Access settings, encryption, logging, and versioning.

Templates: CloudFormation, Terraform, AWS CLI

Configure S3 Block Public Access at the AWS account level (applies to all S3 buckets in all regions).

Templates: CloudFormation, Terraform, AWS CLI

S3 Access Points are named network endpoints attached to buckets that you can use to perform S3 object operations. This template also includes the option to configure permissions and network controls that apply to any request made through the access point.

Templates: CloudFormation, Terraform, AWS CLI

Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside the account. Access Analyzer generates findings for supported resources in the region where it was enabled, with the exception of IAM resources, for which findings are generated in each region (as IAM is a global service).

Templates: CloudFormation, Terraform, AWS CLI

Logging & Monitoring

A configuration package to monitor S3-related API activity, together with configuration compliance rules to ensure the security of the Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. It also includes configuration to enable the required AWS logging services: AWS CloudTrail, AWS Config, and CloudWatch log groups.

Templates: CloudFormation, Terraform

Configuration to enable AWS CloudTrail in an AWS account for logging S3 data events. Data events for Amazon S3 record object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations).

Templates: CloudFormation, Terraform, AWS CLI

S3 Bucket Policy

A policy that denies any access to the S3 bucket that is not encrypted in transit (HTTP instead of HTTPS).

Templates: CloudFormation, Terraform, AWS CLI

A policy that denies any request on the S3 bucket or any object upload whose x-amz-acl attribute is set to public-read, public-read-write, or authenticated-read. This means authenticated users cannot grant public read access on the bucket or upload objects that carry public permissions.

Templates: CloudFormation, Terraform, AWS CLI

A policy that grants any user permission to perform any Amazon S3 operation on objects in the specified bucket, provided the request originates from the range of IP addresses specified in the condition.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows the s3:GetObject permission with a condition, using the aws:referer key, that the GET request must originate from specific web pages.

Templates: CloudFormation, Terraform, AWS CLI

A policy that denies any Amazon S3 operation on the bucket if the request is not MFA authenticated.

Templates: CloudFormation, Terraform, AWS CLI

A policy that denies any request to read objects in an S3 bucket that does not come from a specific CloudFront distribution. You must specify the canonical user ID of your CloudFront distribution's origin access identity.

Templates: CloudFormation, Terraform, AWS CLI

A policy that grants the s3:GetObject permission to any public (anonymous) user.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that grants AWS Config access to store its history files and snapshots in the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that grants AWS CloudTrail access to deliver log files to the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that grants AWS Config and AWS CloudTrail access to deliver log files to the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that denies all access to the bucket if the specified VPC is not being used to access the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that denies all access to the bucket if the specified VPC endpoint is not being used to access the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that allows all AWS accounts belonging to the specified AWS organization to read all objects in the S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that grants specific IAM users permission to perform any Amazon S3 operation on objects in the specified bucket, and denies all other IAM principals.

Templates: CloudFormation, Terraform, AWS CLI

An S3 bucket policy that grants specific IAM roles permission to perform any Amazon S3 operation on objects in the specified bucket, and denies all other IAM principals.

Templates: CloudFormation, Terraform, AWS CLI

Auto Remediation with SSM

Auto-remediation configuration to enable S3 bucket encryption if an S3 bucket is created without server-side encryption. Detection uses a managed AWS Config Rule and remediation is performed with SSM Automation.

Templates: CloudFormation, AWS CLI

Auto-remediation configuration to enable S3 bucket versioning if versioning is not enabled at the time of bucket creation. Detection uses a managed AWS Config Rule and remediation is performed with SSM Automation.

Templates: CloudFormation, AWS CLI

Auto-remediation configuration to enable S3 bucket logging if an S3 bucket is created with logging disabled. Detection uses a managed AWS Config Rule and remediation is performed with SSM Automation.

Templates: CloudFormation, AWS CLI

Config Rule

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

Templates: CloudFormation, Terraform, AWS CLI

Checks whether logging is enabled for your S3 buckets.

Templates: CloudFormation, Terraform, AWS CLI

Checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.

Templates: CloudFormation, Terraform, AWS CLI

Checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.

Templates: CloudFormation, Terraform, AWS CLI

Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption.

Templates: CloudFormation, Terraform, AWS CLI

Checks whether versioning is enabled for your S3 buckets. Optionally, the rule also checks whether MFA Delete is enabled for your S3 buckets.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that verifies that your Amazon S3 bucket policies do not allow inter-account permissions beyond those in the control S3 bucket policy that you provide.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* action or s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blacklisted action is allowed by the Amazon S3 bucket policy.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks that the access granted by the Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if no bucket policy is present.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether S3 buckets have cross-region replication enabled.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether an Amazon Simple Storage Service (Amazon S3) bucket has Object Lock enabled by default. The rule is NON_COMPLIANT if the lock is not enabled.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether Amazon Simple Storage Service (Amazon S3) buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon S3 bucket is not encrypted with an AWS KMS key.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if no trail that logs data events for S3 buckets is configured.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether the required public access block settings are configured at the account level. The rule is NON_COMPLIANT only when the fields provided as rule parameters do not match the corresponding fields in the configuration item.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether Amazon S3 Event Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Event Notifications are not set on a bucket, or if the event type or destination does not match the eventTypes and destinationArn parameters.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there are no active lifecycle configuration rules or the configuration does not match the parameter values.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether versioning-enabled Amazon Simple Storage Service (Amazon S3) buckets have a lifecycle policy configured. The rule is NON_COMPLIANT if no Amazon S3 lifecycle policy is enabled.

Templates: CloudFormation, Terraform, AWS CLI

CloudWatch Alarms

A CloudWatch Alarm that triggers when changes are made to an S3 bucket.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when an S3 bucket is created or deleted.

Templates: CloudFormation, Terraform, AWS CLI

CloudWatch Events

Detects changes to S3 bucket policies and publishes change events to an SNS topic for notification.

Templates: CloudFormation, Terraform, AWS CLI

Service Control Policy

This SCP prevents users or roles in any affected account from deleting any S3 bucket or object.

Templates: CloudFormation, Terraform, AWS CLI

This SCP prevents users or roles in any affected account from accessing any S3 object outside the specified AWS Organization.

Templates: CloudFormation, Terraform, AWS CLI

This SCP requires that all Amazon S3 buckets in an AWS account use AES256 encryption.

Templates: CloudFormation, Terraform, AWS CLI

This SCP prevents users or roles in any affected account from modifying the account's S3 Block Public Access settings.

Templates: CloudFormation, Terraform, AWS CLI

This SCP prevents users or roles in any affected account from disabling Amazon Macie, deleting member accounts, or disassociating an account from a master Macie account.

Templates: CloudFormation, Terraform, AWS CLI

This SCP restricts IAM principals in accounts from creating new S3 buckets without ACLs disabled (bucket owner enforced).

Templates: CloudFormation, Terraform, AWS CLI

IAM Policy

A policy that allows IAM users to access their own home directory in S3. The home directory is a bucket that includes a home folder and folders for individual users (programmatically and in the console).

Templates: CloudFormation, Terraform, AWS CLI

A policy that limits managing an S3 bucket by allowing all S3 actions on the specific bucket, but explicitly denying access to every AWS service except Amazon S3. This policy also denies access to actions that can't be performed on an S3 bucket, such as s3:ListAllMyBuckets or s3:GetObject. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows read and write access to a specific S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows read and write access to a specific S3 bucket. This policy also provides the permissions necessary to complete this action in the console.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows read access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows write access to a specific folder within an S3 bucket. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI