aws.s3¶
Filters¶
bucket-encryption¶
Filters for S3 buckets that have bucket-encryption
:example
policies:
- name: s3-bucket-encryption-AES256
resource: s3
region: us-east-1
filters:
- type: bucket-encryption
state: True
crypto: AES256
- name: s3-bucket-encryption-KMS
resource: s3
region: us-east-1
filters:
- type: bucket-encryption
state: True
crypto: aws:kms
key: alias/some/alias/key
- name: s3-bucket-encryption-off
resource: s3
region: us-east-1
filters:
- type: bucket-encryption
state: False
properties:
crypto:
enum:
- AES256
- aws:kms
type: string
key:
type: string
state:
type: boolean
type:
enum:
- bucket-encryption
required:
- type
Permissions - s3:GetEncryptionConfiguration, kms:DescribeKey, kms:ListAliases
bucket-logging¶
Filter based on bucket logging configuration.
- example
policies:
- name: add-bucket-logging-if-missing
resource: s3
filters:
- type: bucket-logging
op: disabled
actions:
- type: toggle-logging
target_bucket: "{account_id}-{region}-s3-logs"
target_prefix: "{source_bucket_name}/"
policies:
- name: update-incorrect-or-missing-logging
resource: s3
filters:
- type: bucket-logging
op: not-equal
target_bucket: "{account_id}-{region}-s3-logs"
target_prefix: "{account}/{source_bucket_name}/"
actions:
- type: toggle-logging
target_bucket: "{account_id}-{region}-s3-logs"
target_prefix: "{account}/{source_bucket_name}/"
properties:
op:
enum:
- enabled
- disabled
- equal
- not-equal
- eq
- ne
target_bucket:
type: string
target_prefix:
type: string
type:
enum:
- bucket-logging
required:
- op
- type
Permissions - s3:GetBucketLogging, iam:ListAccountAliases
bucket-notification¶
Filter based on bucket notification configuration.
- example
policies:
- name: delete-incorrect-notification
resource: s3
filters:
- type: bucket-notification
kind: lambda
key: Id
value: "IncorrectLambda"
op: eq
actions:
- type: delete-bucket-notification
statement_ids: matched
properties:
default:
type: object
key:
type: string
kind:
enum:
- lambda
- sns
- sqs
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- bucket-notification
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- kind
- type
Permissions - s3:GetBucketNotification
check-public-block¶
Filter for s3 bucket public blocks
If no filter paramaters are provided it checks to see if any are unset or False.
If parameters are provided only the provided ones are checked.
- example
policies:
- name: CheckForPublicAclBlock-Off
resource: s3
region: us-east-1
filters:
- type: check-public-block
BlockPublicAcls: true
BlockPublicPolicy: true
properties:
BlockPublicAcls:
type: boolean
BlockPublicPolicy:
type: boolean
IgnorePublicAcls:
type: boolean
RestrictPublicBuckets:
type: boolean
type:
enum:
- check-public-block
required:
- type
Permissions - s3:GetBucketPublicAccessBlock
cross-account¶
Filters cross-account access to S3 buckets
- example
policies:
- name: s3-acl
resource: s3
region: us-east-1
filters:
- type: cross-account
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
Permissions - s3:GetBucketPolicy
data-events¶
Parent base class for filters and actions.
properties:
state:
enum:
- present
- absent
type:
enum:
- data-events
required:
- type
Permissions - cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors
global-grants¶
Filters for all S3 buckets that have global-grants
Note by default this filter allows for read access if the bucket has been configured as a website. This can be disabled per the example below.
- example
policies:
- name: remove-global-grants
resource: s3
filters:
- type: global-grants
allow_website: false
actions:
- delete-global-grants
properties:
allow_website:
type: boolean
operator:
enum:
- or
- and
type: string
permissions:
items:
enum:
- READ
- WRITE
- WRITE_ACP
- READ_ACP
- FULL_CONTROL
type: string
type: array
type:
enum:
- global-grants
required:
- type
has-statement¶
Find resources with matching access policy statements. :example: .. code-block:: yaml
- policies:
name: sns-check-statement-id resource: sns filters:
type: has-statement statement_ids:
BlockNonSSL
- policies:
name: sns-check-block-non-ssl resource: sns filters:
type: has-statement statements:
Effect: Deny Action: ‘SNS:Publish’ Principal: ‘*’ Condition:
- Bool:
“aws:SecureTransport”: “false”
properties:
statement_ids:
items:
type: string
type: array
statements:
items:
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Effect
type: object
type: array
type:
enum:
- has-statement
required:
- type
inventory¶
Filter inventories for a bucket
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- inventory
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
Permissions - s3:GetInventoryConfiguration
is-log-target¶
Filter and return buckets are log destinations.
Not suitable for use in lambda on large accounts, This is a api heavy process to detect scan all possible log sources.
- Sources:
elb (Access Log)
s3 (Access Log)
cfn (Template writes)
cloudtrail
- example
policies:
- name: s3-log-bucket
resource: s3
filters:
- type: is-log-target
properties:
self:
type: boolean
services:
items:
enum:
- s3
- elb
- cloudtrail
type: array
type:
enum:
- is-log-target
value:
type: boolean
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeLoadBalancerAttributes
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
missing-policy-statement¶
Find buckets missing a set of named policy statements.
- example
policies:
- name: s3-bucket-missing-statement
resource: s3
filters:
- type: missing-statement
statement_ids:
- RequiredEncryptedPutObject
properties:
statement_ids:
items:
type: string
type: array
type:
enum:
- missing-policy-statement
- missing-statement
required:
- type
no-encryption-statement¶
Find buckets with missing encryption policy statements.
- example
policies:
- name: s3-bucket-not-encrypted
resource: s3
filters:
- type: no-encryption-statement
properties:
type:
enum:
- no-encryption-statement
required:
- type
Permissions - s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketTagging, s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketLogging, s3:GetBucketNotification, s3:GetLifecycleConfiguration
Actions¶
attach-encrypt¶
- Action attaches lambda encryption policy to S3 bucket
supports attachment via lambda bucket notification or sns notification to invoke lambda. a special topic value of default will utilize an extant notification or create one matching the bucket name.
- example
policies:
- name: attach-lambda-encrypt
resource: s3
filters:
- type: missing-policy-statement
actions:
- type: attach-encrypt
role: arn:aws:iam::123456789012:role/my-role
properties:
role:
type: string
tags:
type: object
topic:
type: string
type:
enum:
- attach-encrypt
required:
- type
Permissions - s3:PutBucketNotification, s3:GetBucketNotification, lambda:*
configure-lifecycle¶
Action applies a lifecycle policy to versioned S3 buckets
- The schema to supply to the rule follows the schema here:
To delete a lifecycle rule, supply Status=absent
- example
policies:
- name: s3-apply-lifecycle
resource: s3
actions:
- type: configure-lifecycle
rules:
- ID: my-lifecycle-id
Status: Enabled
Prefix: foo/
Transitions:
- Days: 60
StorageClass: GLACIER
properties:
rules:
items:
additionalProperties: false
properties:
AbortIncompleteMultipartUpload:
additionalProperties: false
properties:
DaysAfterInitiation:
type: integer
type: object
Expiration:
additionalProperties: false
properties:
Date:
type: string
Days:
type: integer
ExpiredObjectDeleteMarker:
type: boolean
type: object
Filter:
additionalProperties: false
maxProperties: 1
minProperties: 1
properties:
And:
additionalProperties: false
properties:
Prefix:
type: string
Tags:
items:
additionalProperties: false
properties:
Key:
type: string
Value:
type: string
required:
- Key
- Value
type: object
type: array
type: object
Prefix:
type: string
Tag:
additionalProperties: false
properties:
Key:
type: string
Value:
type: string
required:
- Key
- Value
type: object
type: object
ID:
type: string
NoncurrentVersionExpiration:
additionalProperties: false
properties:
NoncurrentDays:
type: integer
type: object
NoncurrentVersionTransitions:
items:
additionalProperties: false
properties:
NoncurrentDays:
type: integer
StorageClass:
type: string
type: object
type: array
Prefix:
type: string
Status:
enum:
- Enabled
- Disabled
- absent
Transitions:
items:
additionalProperties: false
properties:
Date:
type: string
Days:
type: integer
StorageClass:
type: string
type: object
type: array
required:
- ID
- Status
type: object
type: array
type:
enum:
- configure-lifecycle
required:
- type
Permissions - s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration
delete¶
Action deletes a S3 bucket
- example
policies:
- name: delete-unencrypted-buckets
resource: s3
filters:
- type: missing-statement
statement_ids:
- RequiredEncryptedPutObject
actions:
- type: delete
remove-contents: true
properties:
remove-contents:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - s3:*
delete-bucket-notification¶
Action to delete S3 bucket notification configurations
properties:
statement_ids:
oneOf:
- enum:
- matched
- items:
type: string
type: array
type:
enum:
- delete-bucket-notification
required:
- statement_ids
- type
Permissions - s3:PutBucketNotification
delete-global-grants¶
Deletes global grants associated to a S3 bucket
- example
policies:
- name: s3-delete-global-grants
resource: s3
filters:
- type: global-grants
actions:
- delete-global-grants
properties:
grantees:
items:
type: string
type: array
type:
enum:
- delete-global-grants
required:
- type
Permissions - s3:PutBucketAcl
encrypt-keys¶
Action to encrypt unencrypted S3 objects
- example
policies:
- name: s3-encrypt-objects
resource: s3
actions:
- type: encrypt-keys
crypto: aws:kms
key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01
dependencies:
key-id:
properties:
crypto:
pattern: aws:kms
required:
- crypto
properties:
crypto:
enum:
- AES256
- aws:kms
glacier:
type: boolean
key-id:
type: string
large:
type: boolean
report-only:
type: boolean
type:
enum:
- encrypt-keys
Permissions - s3:GetObject, s3:PutObject, s3:DeleteObjectVersion, s3:RestoreObject, s3:ListBucket
encryption-policy¶
Action to apply an encryption policy to S3 buckets
- example
policies:
- name: s3-enforce-encryption
resource: s3
mode:
type: cloudtrail
events:
- CreateBucket
actions:
- encryption-policy
properties:
type:
enum:
- encryption-policy
required:
- type
Permissions - s3:GetBucketPolicy, s3:PutBucketPolicy
no-op¶
Parent base class for filters and actions.
properties:
type:
enum:
- no-op
required:
- type
Permissions - s3:ListAllMyBuckets
remove-statements¶
Action to remove policy statements from S3 buckets
- example
policies:
- name: s3-remove-encrypt-put
resource: s3
filters:
- type: has-statement
statement_ids:
- RequireEncryptedPutObject
actions:
- type: remove-statements
statement_ids:
- RequiredEncryptedPutObject
properties:
statement_ids:
oneOf:
- enum:
- matched
- '*'
- items:
type: string
type: array
type:
enum:
- remove-statements
required:
- statement_ids
- type
Permissions - s3:PutBucketPolicy, s3:DeleteBucketPolicy
remove-website-hosting¶
Action that removes website hosting configuration.
properties:
type:
enum:
- remove-website-hosting
required:
- type
Permissions - s3:DeleteBucketWebsite
set-bucket-encryption¶
Action enables default encryption on S3 buckets
enabled: boolean Optional: Defaults to True
crypto: aws:kms | AES256` Optional: Defaults to AES256
key: arn, alias, or kms id key
bucket-key: boolean Optional: Defaults to True. Reduces amount of API traffic from Amazon S3 to KMS and can reduce KMS request costsby up to 99 percent. Requires kms:Decrypt permissions for copy and upload on the AWS KMS Key Policy.
Bucket Key Docs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html
- example
policies:
- name: s3-enable-default-encryption-kms
resource: s3
actions:
- type: set-bucket-encryption
# enabled: true <------ optional (true by default)
crypto: aws:kms
key: 1234abcd-12ab-34cd-56ef-1234567890ab
bucket-key: true
- name: s3-enable-default-encryption-kms-alias
resource: s3
actions:
- type: set-bucket-encryption
# enabled: true <------ optional (true by default)
crypto: aws:kms
key: alias/some/alias/key
bucket-key: true
- name: s3-enable-default-encryption-aes256
resource: s3
actions:
- type: set-bucket-encryption
# bucket-key: true <--- optional (true by default for AWS SSE)
# crypto: AES256 <----- optional (AES256 by default)
# enabled: true <------ optional (true by default)
- name: s3-disable-default-encryption
resource: s3
actions:
- type: set-bucket-encryption
enabled: false
dependencies:
key:
properties:
crypto:
pattern: aws:kms
required:
- crypto
properties:
bucket-key:
type: boolean
crypto:
enum:
- aws:kms
- AES256
enabled:
type: boolean
key:
type: string
type:
enum:
- set-bucket-encryption
Permissions - s3:PutEncryptionConfiguration, s3:GetEncryptionConfiguration, kms:ListAliases, kms:DescribeKey
set-inventory¶
Configure bucket inventories for an s3 bucket.
properties:
destination:
description: Name of destination bucket
type: string
encryption:
enum:
- SSES3
- SSEKMS
fields:
items:
enum:
- Size
- LastModifiedDate
- StorageClass
- ETag
- IsMultipartUploaded
- ReplicationStatus
- EncryptionStatus
- ObjectLockRetainUntilDate
- ObjectLockMode
- ObjectLockLegalHoldStatus
- IntelligentTieringAccessTier
- BucketKeyStatus
- ChecksumAlgorithm
type: array
format:
enum:
- CSV
- ORC
- Parquet
key_id:
description: Optional Customer KMS KeyId for SSE-KMS
type: string
name:
description: Name of inventory
type: string
prefix:
description: Destination prefix
type: string
schedule:
enum:
- Daily
- Weekly
state:
enum:
- enabled
- disabled
- absent
type:
enum:
- set-inventory
versions:
enum:
- All
- Current
required:
- name
- destination
- type
Permissions - s3:PutInventoryConfiguration, s3:GetInventoryConfiguration
set-public-block¶
Action to update Public Access blocks on S3 buckets
If no action parameters are provided all settings will be set to the state, which defaults
If action parameters are provided, those will be set and other extant values preserved.
- example
policies:
- name: s3-public-block-enable-all
resource: s3
filters:
- type: check-public-block
actions:
- type: set-public-block
policies:
- name: s3-public-block-disable-all
resource: s3
filters:
- type: check-public-block
actions:
- type: set-public-block
state: false
policies:
- name: s3-public-block-enable-some
resource: s3
filters:
- or:
- type: check-public-block
BlockPublicAcls: false
- type: check-public-block
BlockPublicPolicy: false
actions:
- type: set-public-block
BlockPublicAcls: true
BlockPublicPolicy: true
properties:
BlockPublicAcls:
type: boolean
BlockPublicPolicy:
type: boolean
IgnorePublicAcls:
type: boolean
RestrictPublicBuckets:
type: boolean
state:
default: true
type: boolean
type:
enum:
- set-public-block
required:
- type
Permissions - s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock
set-replication¶
Action to add or remove replication configuration statement from S3 buckets
- example
policies:
- name: s3-unapproved-account-replication
resource: s3
filters:
- type: value
key: Replication.ReplicationConfiguration.Rules[].Destination.Account
value: present
- type: value
key: Replication.ReplicationConfiguration.Rules[].Destination.Account
value_from:
url: 's3:///path/to/file.json'
format: json
expr: "approved_accounts.*"
op: ni
actions:
- type: set-replication
state: enable
properties:
state:
enum:
- enable
- disable
- remove
type: string
type:
enum:
- set-replication
required:
- type
Permissions - s3:GetReplicationConfiguration, s3:PutReplicationConfiguration
set-statements¶
Action to add or update policy statements to S3 buckets
- example
policies:
- name: force-s3-https
resource: s3
actions:
- type: set-statements
statements:
- Sid: "DenyHttp"
Effect: "Deny"
Action: "s3:GetObject"
Principal:
AWS: "*"
Resource: "arn:aws:s3:::{bucket_name}/*"
Condition:
Bool:
"aws:SecureTransport": false
properties:
statements:
items:
oneOf:
- required:
- Principal
- Action
- Resource
- required:
- NotPrincipal
- Action
- Resource
- required:
- Principal
- NotAction
- Resource
- required:
- NotPrincipal
- NotAction
- Resource
- required:
- Principal
- Action
- NotResource
- required:
- NotPrincipal
- Action
- NotResource
- required:
- Principal
- NotAction
- NotResource
- required:
- NotPrincipal
- NotAction
- NotResource
properties:
Action:
anyOf:
- type: string
- type: array
Condition:
type: object
Effect:
enum:
- Allow
- Deny
type: string
NotAction:
anyOf:
- type: string
- type: array
NotPrincipal:
anyOf:
- type: object
- type: array
NotResource:
anyOf:
- type: string
- type: array
Principal:
anyOf:
- type: string
- type: object
- type: array
Resource:
anyOf:
- type: string
- type: array
Sid:
type: string
required:
- Sid
- Effect
type: object
type: array
type:
enum:
- set-statements
required:
- type
Permissions - s3:PutBucketPolicy
toggle-logging¶
Action to enable/disable logging on a S3 bucket.
Target bucket ACL must allow for WRITE and READ_ACP Permissions Not specifying a target_prefix will default to the current bucket name. https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html
- example
policies:
- name: s3-enable-logging
resource: s3
filters:
- "tag:Testing": present
actions:
- type: toggle-logging
target_bucket: log-bucket
target_prefix: logs123/
policies:
- name: s3-force-standard-logging
resource: s3
filters:
- type: bucket-logging
op: not-equal
target_bucket: "{account_id}-{region}-s3-logs"
target_prefix: "{account}/{source_bucket_name}/"
actions:
- type: toggle-logging
target_bucket: "{account_id}-{region}-s3-logs"
target_prefix: "{account}/{source_bucket_name}/"
properties:
enabled:
type: boolean
target_bucket:
type: string
target_prefix:
type: string
type:
enum:
- toggle-logging
required:
- type
Permissions - s3:PutBucketLogging, iam:ListAccountAliases
toggle-versioning¶
Action to enable/suspend versioning on a S3 bucket
Note versioning can never be disabled only suspended.
- example
policies:
- name: s3-enable-versioning
resource: s3
filters:
- or:
- type: value
key: Versioning.Status
value: Suspended
- type: value
key: Versioning.Status
value: absent
actions:
- type: toggle-versioning
enabled: true
properties:
enabled:
type: boolean
type:
enum:
- toggle-versioning
required:
- type
Permissions - s3:PutBucketVersioning