aws.s3

Filters

bucket-encryption

Filters for S3 buckets that have bucket-encryption

example

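# Three example policies for the bucket-encryption filter. `state: true`
# selects buckets that have default encryption configured (optionally
# narrowed by `crypto` and `key`); `state: false` selects buckets without it.
policies:
  - name: s3-bucket-encryption-AES256
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: true  # schema type is boolean; canonical lowercase form
        crypto: AES256
  - name: s3-bucket-encryption-KMS
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: true
        crypto: aws:kms
        # narrows the match to buckets encrypted with this key (shown as a KMS alias)
        key: alias/some/alias/key
  - name: s3-bucket-encryption-off
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: false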
# JSON Schema for the bucket-encryption filter. Only `type` is required;
# `state`, `crypto` and `key` are optional narrowing criteria.
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
    type: string
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - bucket-encryption
required:
- type

bucket-notification

Filter based on bucket notification configuration.

example

# Removes lambda notification configurations whose Id equals "IncorrectLambda".
# The filter is a value-style comparison over each notification config of the
# chosen `kind`; the action then deletes the configurations it matched.
policies:
  - name: delete-incorrect-notification
    resource: s3
    filters:
      - type: bucket-notification
        kind: lambda  # one of lambda | sns | sqs
        key: Id  # attribute of the notification config compared against `value`
        value: "IncorrectLambda"
        op: eq
    actions:
      - type: delete-bucket-notification
        statement_ids: matched  # presumably "only those matched by the filter" — confirm in source
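# JSON Schema for the bucket-notification filter. `kind` and `type` are
# required; the remaining keys are the generic value-filter comparison
# options (`key`/`op`/`value`, `value_type`, `value_regex`, `value_from`).
properties:
  default:
    type: object
  key:
    type: string
  kind:
    enum:
    - lambda
    - sns
    - sqs
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - bucket-notification
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    # boolean, not the quoted string 'False': a string is neither a boolean nor
    # a sub-schema, so the intended rejection of unknown keys would not apply.
    # The configure-lifecycle schema on this page uses the boolean form.
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- kind
- type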

cross-account

Filters cross-account access to S3 buckets

example

# Minimal cross-account example: with no whitelist_* keys, every bucket whose
# policy grants access across account boundaries is reported.
policies:
  - name: s3-acl
    resource: s3
    region: us-east-1
    filters:
      - type: cross-account
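# JSON Schema for the cross-account filter. The `whitelist*` keys list
# principals/conditions/org ids/VPCs/VPC endpoints that are exempted from
# being reported; each `*_from` variant loads the same list from a `url`
# (required) in csv/json/txt/csv2dict format.
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    # boolean, not the quoted string 'False' (a string is neither a boolean nor
    # a sub-schema, so unknown keys would silently pass); same fix applied to
    # the other *_from blocks below.
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type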

data-events

# JSON Schema for the data-events filter. No description is given on this page;
# `state` presumably selects buckets with (present) or without (absent) data
# events configured — confirm in source.
properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - data-events
required:
- type

global-grants

Filters for all S3 buckets that have global-grants

Note: by default this filter permits read access when the bucket has been configured as a website. This can be disabled with `allow_website: false`, as in the example below.

example

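# Finds buckets with global grants and removes them. `allow_website: false`
# turns off the default exemption for read access on website-configured
# buckets (see the note above), so those buckets are remediated as well.
# Sequence indentation normalised to the two-space style used elsewhere on this page.
policies:
  - name: remove-global-grants
    resource: s3
    filters:
      - type: global-grants
        allow_website: false
    actions:
      - delete-global-grants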
# JSON Schema for the global-grants filter. `permissions` restricts the match
# to the listed ACL permissions; `operator` (or|and) presumably controls whether
# any or all listed permissions must be present — confirm in source.
properties:
  allow_website:
    type: boolean
  operator:
    enum:
    - or
    - and
    type: string
  permissions:
    items:
      enum:
      - READ
      - WRITE
      - WRITE_ACP
      - READ_ACP
      - FULL_CONTROL
      type: string
    type: array
  type:
    enum:
    - global-grants
required:
- type

has-statement

Find buckets with a set of policy statements.

example

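# Two has-statement examples. The page listed them under two separate top-level
# `policies:` keys in a single document, which is a duplicate key (most parsers
# silently keep only the last one); they are combined into one list here.
policies:
  # Match by statement id
  - name: s3-bucket-has-statement
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequiredEncryptedPutObject
  # Match by statement content: an Allow of every S3 action to principal "*"
  - name: s3-public-policy
    resource: s3
    filters:
      - type: has-statement
        statements:
          - Effect: Allow
            Action: 's3:*'
            Principal: '*'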
# JSON Schema for the has-statement filter: match bucket-policy statements by
# id (`statement_ids`) or by content (`statements`). Each statement object
# requires only `Effect`; the other IAM statement fields are optional.
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

inventory

Filter inventories for a bucket

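# JSON Schema for the inventory filter: a value-style comparison over a
# bucket's inventory configurations (`key`/`op`/`value` plus the usual
# `value_type`, `value_regex` and `value_from` options).
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - inventory
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    # boolean, not the quoted string 'False': a string is neither a boolean nor
    # a sub-schema, so unknown keys under value_from would not be rejected.
    additionalProperties: false
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type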

is-log-target

Filter and return buckets that are log destinations.

Not suitable for use in lambda on large accounts: this is an API-heavy process that scans all possible log sources to detect log targets.

Sources:
  • elb (Access Log)

  • s3 (Access Log)

  • cfn (Template writes)

  • cloudtrail

example

# Reports buckets that are the log destination of any supported source
# (s3, elb, cloudtrail, cfn as listed above). Scans every source account-wide,
# so it is API heavy on large accounts.
policies:
  - name: s3-log-bucket
    resource: s3
    filters:
      - type: is-log-target
# JSON Schema for the is-log-target filter. `services` limits which log
# sources are scanned; `self` and `value` are booleans whose exact meaning is
# not documented on this page (presumably self-logging buckets and match
# inversion — confirm in source).
properties:
  self:
    type: boolean
  services:
    items:
      enum:
      - s3
      - elb
      - cloudtrail
    type: array
  type:
    enum:
    - is-log-target
  value:
    type: boolean
required:
- type

missing-policy-statement

Find buckets missing a set of named policy statements.

example

# Finds buckets whose policy lacks the named statement id. `missing-statement`
# is an alias of `missing-policy-statement` (see the schema enum below).
policies:
  - name: s3-bucket-missing-statement
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
# JSON Schema for the missing-policy-statement filter; `type` accepts either
# of the two spellings.
properties:
  statement_ids:
    items:
      type: string
    type: array
  type:
    enum:
    - missing-policy-statement
    - missing-statement
required:
- type

no-encryption-statement

Find buckets with missing encryption policy statements.

example

# Reports buckets whose policy has no encryption-enforcing statement; takes no
# options beyond `type`.
policies:
  - name: s3-bucket-not-encrypted
    resource: s3
    filters:
      - type: no-encryption-statement
# JSON Schema for the no-encryption-statement filter (no options).
properties:
  type:
    enum:
    - no-encryption-statement
required:
- type

Actions

attach-encrypt

Action attaches lambda encryption policy to S3 bucket

Supports attachment via a lambda bucket notification, or via an SNS notification that invokes the lambda. A special `topic` value of `default` will use an existing notification or create one matching the bucket name.

example

# Attaches the encryption lambda to buckets selected by the filter. `role` is
# the IAM role the lambda runs under; the account id here is a placeholder.
# The filter is used without `statement_ids`, so its exact matching behaviour
# in that form is not shown on this page — confirm in source.
policies:
  - name: attach-lambda-encrypt
    resource: s3
    filters:
      - type: missing-policy-statement
    actions:
      - type: attach-encrypt
        role: arn:aws:iam::123456789012:role/my-role
# JSON Schema for the attach-encrypt action. `topic` selects SNS-based
# invocation (the value `default` has special meaning, see above); `tags` are
# applied to the created resources; `role` is the lambda execution role.
properties:
  role:
    type: string
  tags:
    type: object
  topic:
    type: string
  type:
    enum:
    - attach-encrypt
required:
- type

configure-lifecycle

Action applies a lifecycle policy to versioned S3 buckets

The schema to supply to the rule follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_lifecycle_configuration

To delete a lifecycle rule, supply Status=absent

example

# Applies one lifecycle rule: objects under the `foo/` prefix transition to
# GLACIER after 60 days. Rule fields follow the boto3
# put_bucket_lifecycle_configuration shape; `Status: absent` would delete the
# rule with this ID instead.
policies:
  - name: s3-apply-lifecycle
    resource: s3
    actions:
      - type: configure-lifecycle
        rules:
          - ID: my-lifecycle-id
            Status: Enabled
            Prefix: foo/
            Transitions:
              - Days: 60
                StorageClass: GLACIER
# JSON Schema for the configure-lifecycle action. Each rule requires `ID` and
# `Status`; `additionalProperties: false` throughout means unknown rule keys
# are rejected rather than silently passed to the API.
properties:
  rules:
    items:
      additionalProperties: false
      properties:
        AbortIncompleteMultipartUpload:
          additionalProperties: false
          properties:
            DaysAfterInitiation:
              type: integer
          type: object
        Expiration:
          additionalProperties: false
          properties:
            Date:
              type: string
            Days:
              type: integer
            ExpiredObjectDeleteMarker:
              type: boolean
          type: object
        # exactly one of And | Prefix | Tag (min/maxProperties: 1)
        Filter:
          additionalProperties: false
          maxProperties: 1
          minProperties: 1
          properties:
            And:
              additionalProperties: false
              properties:
                Prefix:
                  type: string
                Tags:
                  items:
                    additionalProperties: false
                    properties:
                      Key:
                        type: string
                      Value:
                        type: string
                    required:
                    - Key
                    - Value
                    type: object
                  type: array
              type: object
            Prefix:
              type: string
            Tag:
              additionalProperties: false
              properties:
                Key:
                  type: string
                Value:
                  type: string
              required:
              - Key
              - Value
              type: object
          type: object
        ID:
          type: string
        NoncurrentVersionExpiration:
          additionalProperties: false
          properties:
            NoncurrentDays:
              type: integer
          type: object
        NoncurrentVersionTransitions:
          items:
            additionalProperties: false
            properties:
              NoncurrentDays:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
        Prefix:
          type: string
        # `absent` is a Custodian extension: it deletes the rule with this ID
        Status:
          enum:
          - Enabled
          - Disabled
          - absent
        Transitions:
          items:
            additionalProperties: false
            properties:
              Date:
                type: string
              Days:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
      required:
      - ID
      - Status
      type: object
    type: array
  type:
    enum:
    - configure-lifecycle
required:
- type

delete

Action deletes an S3 bucket

example

# Deletes buckets whose policy lacks the RequiredEncryptedPutObject statement.
# Destructive and irreversible: `remove-contents: true` presumably empties the
# bucket first so the delete succeeds on non-empty buckets — verify before use
# and keep the filter tight.
policies:
  - name: delete-unencrypted-buckets
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: delete
        remove-contents: true
# JSON Schema for the delete action; `remove-contents` opts in to deleting the
# bucket's objects as part of the removal.
properties:
  remove-contents:
    type: boolean
  type:
    enum:
    - delete
required:
- type

delete-bucket-notification

Action to delete S3 bucket notification configurations

# JSON Schema for the delete-bucket-notification action. `statement_ids` is
# required and is either the literal `matched` or an explicit list of
# notification configuration ids to remove.
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - delete-bucket-notification
required:
- statement_ids
- type

delete-global-grants

Deletes global grants associated with an S3 bucket

example

# Removes global grants from every bucket the global-grants filter reports.
# Note the filter here keeps its default `allow_website`, so read grants on
# website-configured buckets are left alone.
policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants
# JSON Schema for the delete-global-grants action. `grantees` optionally
# limits which global grantees are removed; its accepted values are not
# documented on this page.
properties:
  grantees:
    items:
      type: string
    type: array
  type:
    enum:
    - delete-global-grants
required:
- type

encrypt-keys

Action to encrypt unencrypted S3 objects

example

# Re-encrypts unencrypted objects with SSE-KMS using the given key id. Per the
# schema's `dependencies`, `key-id` is only valid together with
# `crypto: aws:kms`. The key id shown is a sample value.
policies:
  - name: s3-encrypt-objects
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01
# JSON Schema for the encrypt-keys action. Using `key-id` requires `crypto`
# to match `aws:kms`. Unlike the other actions on this page there is no
# `required` list, so even `type` is not declared required here.
dependencies:
  key-id:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
  glacier:
    type: boolean
  key-id:
    type: string
  large:
    type: boolean
  report-only:
    type: boolean  # presumably report without modifying objects — confirm in source
  type:
    enum:
    - encrypt-keys

encryption-policy

Action to apply an encryption policy to S3 buckets

example

# Event-driven enforcement: runs in cloudtrail mode on each CreateBucket event
# and applies the encryption policy to the new bucket.
policies:
  - name: s3-enforce-encryption
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
    actions:
      - encryption-policy
# JSON Schema for the encryption-policy action (no options).
properties:
  type:
    enum:
    - encryption-policy
required:
- type

no-op

# JSON Schema for the no-op action: accepts only `type`.
properties:
  type:
    enum:
    - no-op
required:
- type

remove-statements

Action to remove policy statements from S3 buckets

example

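# Removes the RequiredEncryptedPutObject statement from buckets that have it.
# The filter's statement id was spelled "RequireEncryptedPutObject" on the
# page, which does not match the id the action removes (nor the id used in
# every other example on this page); both now use the same id.
policies:
  - name: s3-remove-encrypt-put
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: remove-statements
        statement_ids:
          - RequiredEncryptedPutObject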
# JSON Schema for the remove-statements action. `statement_ids` is required:
# `matched` (statements matched by a has-statement filter), `*` (all
# statements), or an explicit list of statement ids.
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

remove-website-hosting

Action that removes website hosting configuration.

# JSON Schema for the remove-website-hosting action (no options).
properties:
  type:
    enum:
    - remove-website-hosting
required:
- type

set-bucket-encryption

Action enables default encryption on S3 buckets

`enabled`: boolean, optional, defaults to true. `crypto`: `aws:kms` | `AES256`, optional, defaults to AES256. `key`: KMS key ARN, alias, or key id.

example

# Four variants of set-bucket-encryption: KMS by key id, KMS by alias, the
# AES256 default, and disabling default encryption. `enabled` defaults to true
# and `crypto` to AES256, so both may be omitted; `key` requires
# `crypto: aws:kms` (see the schema's `dependencies`).
policies:
  - name: s3-enable-default-encryption-kms
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: 1234abcd-12ab-34cd-56ef-1234567890ab  # sample key id

  - name: s3-enable-default-encryption-kms-alias
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: alias/some/alias/key

  - name: s3-enable-default-encryption-aes256
    resource: s3
    actions:
      - type: set-bucket-encryption
        # crypto: AES256 <----- optional (AES256 by default)
        # enabled: true <------ optional (true by default)

  - name: s3-disable-default-encryption
    resource: s3
    actions:
      - type: set-bucket-encryption
        enabled: false
# JSON Schema for the set-bucket-encryption action. Supplying `key` requires
# `crypto` to match `aws:kms`. No `required` list is declared, so `type` is
# not marked required here (unlike most other actions on this page).
dependencies:
  key:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - aws:kms
    - AES256
  enabled:
    type: boolean
  key:
    type: string
  type:
    enum:
    - set-bucket-encryption

set-inventory

Configure bucket inventories for an S3 bucket.

# JSON Schema for the set-inventory action. `name`, `destination` and `type`
# are required; `state: absent` removes the named inventory. `key_id` is only
# meaningful with `encryption: SSEKMS` (per its description), though the schema
# does not enforce that dependency.
properties:
  destination:
    description: Name of destination bucket
    type: string
  encryption:
    enum:
    - SSES3
    - SSEKMS
  fields:
    items:
      enum:
      - Size
      - LastModifiedDate
      - StorageClass
      - ETag
      - IsMultipartUploaded
      - ReplicationStatus
      - EncryptionStatus
    type: array
  key_id:
    description: Optional Customer KMS KeyId for SSE-KMS
    type: string
  name:
    description: Name of inventory
    type: string
  prefix:
    description: Destination prefix
    type: string
  schedule:
    enum:
    - Daily
    - Weekly
  state:
    enum:
    - enabled
    - disabled
    - absent
  type:
    enum:
    - set-inventory
  versions:
    enum:
    - All
    - Current
required:
- name
- destination
- type

set-statements

Action to add or update policy statements on S3 buckets

example

# Adds a bucket-policy statement denying s3:GetObject to any principal over
# plain HTTP (aws:SecureTransport false), i.e. enforces TLS for reads.
# `{bucket_name}` is presumably expanded per bucket — confirm in source.
policies:
  - name: force-s3-https
    resource: s3
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyHttp"
            Effect: "Deny"
            Action: "s3:GetObject"
            Principal:
              AWS: "*"
            Resource: "arn:aws:s3:::{bucket_name}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false
# JSON Schema for the set-statements action. Every statement needs `Sid` and
# `Effect`, plus exactly one combination of (Principal|NotPrincipal),
# (Action|NotAction) and (Resource|NotResource) via the eight `oneOf` branches.
properties:
  statements:
    items:
      oneOf:
      - required:
        - Principal
        - Action
        - Resource
      - required:
        - NotPrincipal
        - Action
        - Resource
      - required:
        - Principal
        - NotAction
        - Resource
      - required:
        - NotPrincipal
        - NotAction
        - Resource
      - required:
        - Principal
        - Action
        - NotResource
      - required:
        - NotPrincipal
        - Action
        - NotResource
      - required:
        - Principal
        - NotAction
        - NotResource
      - required:
        - NotPrincipal
        - NotAction
        - NotResource
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Sid
      - Effect
      type: object
    type: array
  type:
    enum:
    - set-statements
required:
- type

toggle-logging

Action to enable/disable logging on an S3 bucket.

The target bucket's ACL must allow the WRITE and READ_ACP permissions. If `target_prefix` is not specified, it defaults to the current bucket name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html

example

# Enables server access logging on buckets carrying a `Testing` tag, writing
# to `log-bucket` under the `logs123` prefix. The target bucket's ACL must
# permit WRITE and READ_ACP (see above).
policies:
  - name: s3-enable-logging
    resource: s3
    filters:
      - "tag:Testing": present
    actions:
      - type: toggle-logging
        target_bucket: log-bucket
        target_prefix: logs123
# JSON Schema for the toggle-logging action. `enabled: false` turns logging
# off; `target_prefix` defaults to the bucket name when omitted.
properties:
  enabled:
    type: boolean
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - toggle-logging
required:
- type

toggle-versioning

Action to enable/suspend versioning on an S3 bucket

Note: versioning can never be disabled, only suspended.

example

# Enables versioning on buckets where it is suspended or was never enabled.
# The `or` block covers both states because `Versioning.Status` is absent on
# buckets that never had versioning turned on.
policies:
  - name: s3-enable-versioning
    resource: s3
    filters:
      - or:
        - type: value
          key: Versioning.Status
          value: Suspended
        - type: value
          key: Versioning.Status
          value: absent
    actions:
      - type: toggle-versioning
        enabled: true
# JSON Schema for the toggle-versioning action; `enabled: false` suspends
# versioning (it cannot be disabled outright).
properties:
  enabled:
    type: boolean
  type:
    enum:
    - toggle-versioning
required:
- type