aws.s3

Filters

bucket-encryption

Filters for S3 buckets that have bucket-encryption

Example:

policies:
  - name: s3-bucket-encryption-AES256
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: AES256
  - name: s3-bucket-encryption-KMS
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: aws:kms
        key: alias/some/alias/key
  - name: s3-bucket-encryption-off
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: False

properties:
  crypto:
    enum:
    - AES256
    - aws:kms
    type: string
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - bucket-encryption
required:
- type

bucket-notification

Filter based on bucket notification configuration.

Example:

policies:
  - name: delete-incorrect-notification
    resource: s3
    filters:
      - type: bucket-notification
        kind: lambda
        key: Id
        value: "IncorrectLambda"
        op: eq
    actions:
      - type: delete-bucket-notification
        statement_ids: matched

properties:
  default:
    type: object
  key:
    type: string
  kind:
    enum:
    - lambda
    - sns
    - sqs
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - bucket-notification
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- kind
- type

cross-account

Filters cross-account access to S3 buckets

Example:

policies:
  - name: s3-acl
    resource: s3
    region: us-east-1
    filters:
      - type: cross-account

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

data-events

properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - data-events
required:
- type

global-grants

Filters for all S3 buckets that have global-grants

Note that by default this filter allows read access if the bucket has been configured as a website. This can be disabled as in the example below.

Example:

policies:
  - name: remove-global-grants
    resource: s3
    filters:
      - type: global-grants
        allow_website: false
    actions:
      - delete-global-grants

properties:
  allow_website:
    type: boolean
  operator:
    enum:
    - or
    - and
    type: string
  permissions:
    items:
      enum:
      - READ
      - WRITE
      - WRITE_ACP
      - READ_ACP
      - FULL_CONTROL
      type: string
    type: array
  type:
    enum:
    - global-grants
required:
- type

has-statement

Find buckets with a set of policy statements.

Example:

policies:
  - name: s3-bucket-has-statement
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequiredEncryptedPutObject

policies:
  - name: s3-public-policy
    resource: s3
    filters:
      - type: has-statement
        statements:
          - Effect: Allow
            Action: 's3:*'
            Principal: '*'

properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

inventory

Filter inventories for a bucket

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - inventory
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

is-log-target

Filter and return buckets that are log destinations.

Not suitable for use in lambda on large accounts; this is an API-heavy process that scans all possible log sources to detect targets.

Sources:
  elb (Access Log)
  s3 (Access Log)
  cfn (Template writes)
  cloudtrail

Example:

policies:
  - name: s3-log-bucket
    resource: s3
    filters:
      - type: is-log-target

properties:
  self:
    type: boolean
  services:
    items:
      enum:
      - s3
      - elb
      - cloudtrail
    type: array
  type:
    enum:
    - is-log-target
  value:
    type: boolean
required:
- type

missing-policy-statement

Find buckets missing a set of named policy statements.

Example:

policies:
  - name: s3-bucket-missing-statement
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject

properties:
  statement_ids:
    items:
      type: string
    type: array
  type:
    enum:
    - missing-policy-statement
    - missing-statement
required:
- type

no-encryption-statement

Find buckets with missing encryption policy statements.

Example:

policies:
  - name: s3-bucket-not-encrypted
    resource: s3
    filters:
      - type: no-encryption-statement

properties:
  type:
    enum:
    - no-encryption-statement
required:
- type

Actions

attach-encrypt

Action attaches a lambda encryption policy to an S3 bucket.

Supports attachment via a lambda bucket notification or an SNS notification that invokes the lambda. A special topic value of "default" will use an existing notification or create one matching the bucket name.

Example:

policies:
  - name: attach-lambda-encrypt
    resource: s3
    filters:
      - type: missing-policy-statement
    actions:
      - type: attach-encrypt
        role: arn:aws:iam::123456789012:role/my-role

properties:
  role:
    type: string
  tags:
    type: object
  topic:
    type: string
  type:
    enum:
    - attach-encrypt
required:
- type

configure-lifecycle

Action applies a lifecycle policy to versioned S3 buckets.

The schema to supply to the rule follows the schema here:

To delete a lifecycle rule, supply Status=absent.

Example:

policies:
  - name: s3-apply-lifecycle
    resource: s3
    actions:
      - type: configure-lifecycle
        rules:
          - ID: my-lifecycle-id
            Status: Enabled
            Prefix: foo/
            Transitions:
              - Days: 60
                StorageClass: GLACIER

properties:
  rules:
    items:
      additionalProperties: false
      properties:
        AbortIncompleteMultipartUpload:
          additionalProperties: false
          properties:
            DaysAfterInitiation:
              type: integer
          type: object
        Expiration:
          additionalProperties: false
          properties:
            Date:
              type: string
            Days:
              type: integer
            ExpiredObjectDeleteMarker:
              type: boolean
          type: object
        Filter:
          additionalProperties: false
          maxProperties: 1
          minProperties: 1
          properties:
            And:
              additionalProperties: false
              properties:
                Prefix:
                  type: string
                Tags:
                  items:
                    additionalProperties: false
                    properties:
                      Key:
                        type: string
                      Value:
                        type: string
                    required:
                    - Key
                    - Value
                    type: object
                  type: array
              type: object
            Prefix:
              type: string
            Tag:
              additionalProperties: false
              properties:
                Key:
                  type: string
                Value:
                  type: string
              required:
              - Key
              - Value
              type: object
          type: object
        ID:
          type: string
        NoncurrentVersionExpiration:
          additionalProperties: false
          properties:
            NoncurrentDays:
              type: integer
          type: object
        NoncurrentVersionTransitions:
          items:
            additionalProperties: false
            properties:
              NoncurrentDays:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
        Prefix:
          type: string
        Status:
          enum:
          - Enabled
          - Disabled
          - absent
        Transitions:
          items:
            additionalProperties: false
            properties:
              Date:
                type: string
              Days:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
      required:
      - ID
      - Status
      type: object
    type: array
  type:
    enum:
    - configure-lifecycle
required:
- type

delete

Action deletes an S3 bucket.

Example:

policies:
  - name: delete-unencrypted-buckets
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: delete
        remove-contents: true

properties:
  remove-contents:
    type: boolean
  type:
    enum:
    - delete
required:
- type

delete-bucket-notification

Action to delete S3 bucket notification configurations.

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - delete-bucket-notification
required:
- statement_ids
- type

delete-global-grants

Deletes global grants associated with an S3 bucket.

Example:

policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants

properties:
  grantees:
    items:
      type: string
    type: array
  type:
    enum:
    - delete-global-grants
required:
- type

encrypt-keys

Action to encrypt unencrypted S3 objects.

Example:

policies:
  - name: s3-encrypt-objects
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01

dependencies:
  key-id:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
  glacier:
    type: boolean
  key-id:
    type: string
  large:
    type: boolean
  report-only:
    type: boolean
  type:
    enum:
    - encrypt-keys

encryption-policy

Action to apply an encryption policy to S3 buckets.

Example:

policies:
  - name: s3-enforce-encryption
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
    actions:
      - encryption-policy

properties:
  type:
    enum:
    - encryption-policy
required:
- type

no-op

properties:
  type:
    enum:
    - no-op
required:
- type

remove-statements

Action to remove policy statements from S3 buckets.

Example:

policies:
  - name: s3-remove-encrypt-put
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequireEncryptedPutObject
    actions:
      - type: remove-statements
        statement_ids:
          - RequiredEncryptedPutObject

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

remove-website-hosting

Action that removes website hosting configuration.

properties:
  type:
    enum:
    - remove-website-hosting
required:
- type

set-bucket-encryption

Action enables default encryption on S3 buckets.

enabled: boolean. Optional; defaults to True.
crypto: aws:kms | AES256. Optional; defaults to AES256.
key: ARN, alias, or KMS key id.

Example:

policies:
  - name: s3-enable-default-encryption-kms
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: 1234abcd-12ab-34cd-56ef-1234567890ab
  - name: s3-enable-default-encryption-kms-alias
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: alias/some/alias/key
  - name: s3-enable-default-encryption-aes256
    resource: s3
    actions:
      - type: set-bucket-encryption
        # crypto: AES256 <----- optional (AES256 by default)
        # enabled: true <------ optional (true by default)
  - name: s3-disable-default-encryption
    resource: s3
    actions:
      - type: set-bucket-encryption
        enabled: false

dependencies:
  key:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - aws:kms
    - AES256
  enabled:
    type: boolean
  key:
    type: string
  type:
    enum:
    - set-bucket-encryption

set-inventory

Configure bucket inventories for an S3 bucket.

properties:
  destination:
    description: Name of destination bucket
    type: string
  encryption:
    enum:
    - SSES3
    - SSEKMS
  fields:
    items:
      enum:
      - Size
      - LastModifiedDate
      - StorageClass
      - ETag
      - IsMultipartUploaded
      - ReplicationStatus
      - EncryptionStatus
    type: array
  key_id:
    description: Optional Customer KMS KeyId for SSE-KMS
    type: string
  name:
    description: Name of inventory
    type: string
  prefix:
    description: Destination prefix
    type: string
  schedule:
    enum:
    - Daily
    - Weekly
  state:
    enum:
    - enabled
    - disabled
    - absent
  type:
    enum:
    - set-inventory
  versions:
    enum:
    - All
    - Current
required:
- name
- destination
- type

set-statements

Action to add or update policy statements on S3 buckets.

Example:

policies:
  - name: force-s3-https
    resource: s3
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyHttp"
            Effect: "Deny"
            Action: "s3:GetObject"
            Principal:
              AWS: "*"
            Resource: "arn:aws:s3:::{bucket_name}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false

properties:
  statements:
    items:
      oneOf:
      - required:
        - Principal
        - Action
        - Resource
      - required:
        - NotPrincipal
        - Action
        - Resource
      - required:
        - Principal
        - NotAction
        - Resource
      - required:
        - NotPrincipal
        - NotAction
        - Resource
      - required:
        - Principal
        - Action
        - NotResource
      - required:
        - NotPrincipal
        - Action
        - NotResource
      - required:
        - Principal
        - NotAction
        - NotResource
      - required:
        - NotPrincipal
        - NotAction
        - NotResource
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Sid
      - Effect
      type: object
    type: array
  type:
    enum:
    - set-statements
required:
- type
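The has-statement filter (partial statement matching) and the set-statements action (add-or-update by Sid, with the {bucket_name} placeholder expanded) both operate on bucket policy statements. The following is an added illustration of those two behaviours written for this page; it is not Cloud Custodian's own implementation, and the existing policy, the bucket name "data-bucket", and the Sid "PublicRead" are constructed sample values.

```python
import json

# Constructed sample: an existing bucket policy on a bucket named "data-bucket".
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
    ],
}

# The DenyHttp statement from the set-statements example above.
DENY_HTTP = {
    "Sid": "DenyHttp", "Effect": "Deny", "Action": "s3:GetObject",
    "Principal": {"AWS": "*"},
    "Resource": "arn:aws:s3:::{bucket_name}/*",
    "Condition": {"Bool": {"aws:SecureTransport": False}},
}


def render(statement, bucket_name):
    """Expand the {bucket_name} placeholder in every string value of a statement."""
    return json.loads(json.dumps(statement).replace("{bucket_name}", bucket_name))


def set_statements(policy, statements, bucket_name):
    """Add each statement; a statement whose Sid already exists is replaced in place.

    Statements without a Sid cannot be addressed by this action and are kept as-is.
    """
    current = policy.get("Statement", [])
    kept = [s for s in current if "Sid" not in s]
    by_sid = {s["Sid"]: s for s in current if "Sid" in s}
    for stmt in statements:
        stmt = render(stmt, bucket_name)
        by_sid[stmt["Sid"]] = stmt  # update if present, otherwise add
    return {"Version": policy.get("Version", "2012-10-17"),
            "Statement": kept + list(by_sid.values())}


def has_statement(policy, statement_ids=(), statements=()):
    """True when every Sid is present and every partial statement is a subset
    of some existing statement (the has-statement filter's two forms)."""
    existing = policy.get("Statement", [])
    sids = {s.get("Sid") for s in existing}
    if any(sid not in sids for sid in statement_ids):
        return False
    return all(any(all(s.get(k) == v for k, v in want.items()) for s in existing)
               for want in statements)
```

Applying set_statements twice with the same statement leaves one DenyHttp entry, which is the property that makes the action safe to run repeatedly.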

toggle-logging

Action to enable/disable logging on an S3 bucket.

The target bucket ACL must allow the WRITE and READ_ACP permissions. Not specifying a target_prefix will default to the current bucket name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html

Example:

policies:
  - name: s3-enable-logging
    resource: s3
    filters:
      - "tag:Testing": present
    actions:
      - type: toggle-logging
        target_bucket: log-bucket
        target_prefix: logs123

properties:
  enabled:
    type: boolean
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - toggle-logging
required:
- type

toggle-versioning

Action to enable/suspend versioning on an S3 bucket.

Note that versioning can never be disabled, only suspended.

Example:

policies:
  - name: s3-enable-versioning
    resource: s3
    filters:
      - or:
        - type: value
          key: Versioning.Status
          value: Suspended
        - type: value
          key: Versioning.Status
          value: absent
    actions:
      - type: toggle-versioning
        enabled: true

properties:
  enabled:
    type: boolean
  type:
    enum:
    - toggle-versioning
required:
- type