Simple Storage Service (S3)
Filters
Standard Value Filter (see Generic Filters)
global-grants
Check bucket ACLs for global grants
Schema:
additionalProperties: false
properties:
  allow_website:
    type: boolean
  operator:
    enum:
    - or
    - and
    type: string
  permissions:
    items:
      enum:
      - READ
      - WRITE
      - WRITE_ACP
      - READ_ACP
      - FULL_CONTROL
      type: string
    type: array
  type:
    enum:
    - global-grants
required:
- type
type: object
missing-statement
Find buckets missing a set of named policy statements
Schema:
additionalProperties: false
properties:
  statement_ids:
    items:
      type: string
    type: array
  type:
    enum:
    - missing-policy-statement
    - missing-statement
required:
- type
type: object
Actions
encrypt-keys
Scan all keys in a bucket and optionally encrypt them in place
Note: for large buckets, it is highly recommended to use tools/c7n_salactus, which supports distributed, scale-out key scanning across billions of keys.
Schema:
additionalProperties: false
dependencies:
  key-id:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
  glacier:
    type: boolean
  key-id:
    type: string
  large:
    type: boolean
  report-only:
    type: boolean
  type:
    enum:
    - encrypt-keys
type: object
encryption-policy
Attach an encryption-required policy to a bucket. This will break applications that are not using encryption, including AWS log delivery.
Schema:
additionalProperties: false
properties:
  type:
    enum:
    - encryption-policy
required:
- type
type: object
delete-global-grants
Delete global grants from bucket ACLs
Schema:
additionalProperties: false
properties:
  grantees:
    items:
      type: string
    type: array
  type:
    enum:
    - delete-global-grants
required:
- type
type: object
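The global-grants filter and the delete-global-grants action described above can be paired in a policy file. The following is an added example, not taken from the project's documentation: the policy names are hypothetical, the grantee URIs are the standard S3 global group identifiers, and the comment on allow_website states assumed semantics.

```yaml
# Added example; policy names are hypothetical.
policies:
  # Audit only: report buckets whose ACL grants read access to a global group.
  - name: s3-global-read-audit
    resource: s3
    filters:
      - type: global-grants
        permissions: [READ, READ_ACP]
        # Assumed semantics: false means buckets configured for
        # static website hosting are not exempted from the check.
        allow_website: false

  # Remediate: remove global grants that allow writes or ACL changes.
  - name: s3-global-write-remediate
    resource: s3
    filters:
      - type: global-grants
        permissions: [WRITE, WRITE_ACP, FULL_CONTROL]
    actions:
      - type: delete-global-grants
        # S3 predefined groups: everyone, and any authenticated AWS account.
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
```

Running the file with `custodian run --dryrun -s out policy.yml` evaluates the filters and records matching buckets without executing the delete-global-grants action.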
no-op
No operation
Schema:
additionalProperties: false
properties:
  type:
    enum:
    - no-op
required:
- type
type: object