aws.s3

Filters

bucket-encryption

Filters for S3 buckets that have bucket-encryption

:example

policies:
  - name: s3-bucket-encryption-AES256
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: AES256
  - name: s3-bucket-encryption-KMS
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: aws:kms
        key: alias/some/alias/key
  - name: s3-bucket-encryption-off
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: False
  - name: s3-bucket-test-bucket-key-enabled
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        bucket_key_enabled: True
properties:
  bucket_key_enabled:
    type: boolean
  crypto:
    enum:
    - AES256
    - aws:kms
    type: string
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - bucket-encryption
required:
- type

Permissions - s3:GetEncryptionConfiguration, kms:DescribeKey, kms:ListAliases

bucket-logging

Filter based on bucket logging configuration.

example:

policies:
  - name: add-bucket-logging-if-missing
    resource: s3
    filters:
      - type: bucket-logging
        op: disabled
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{source_bucket_name}/"

policies:
  - name: update-incorrect-or-missing-logging
    resource: s3
    filters:
      - type: bucket-logging
        op: not-equal
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
properties:
  op:
    enum:
    - enabled
    - disabled
    - equal
    - not-equal
    - eq
    - ne
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - bucket-logging
required:
- op
- type

Permissions - s3:GetBucketLogging, iam:ListAccountAliases

bucket-notification

Filter based on bucket notification configuration.

example:

policies:
  - name: delete-incorrect-notification
    resource: s3
    filters:
      - type: bucket-notification
        kind: lambda
        key: Id
        value: "IncorrectLambda"
        op: eq
    actions:
      - type: delete-bucket-notification
        statement_ids: matched
properties:
  default:
    type: object
  key:
    type: string
  kind:
    enum:
    - lambda
    - sns
    - sqs
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - bucket-notification
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- kind
- type

Permissions - s3:GetBucketNotification

check-public-block

Filter for s3 bucket public blocks

If no filter paramaters are provided it checks to see if any are unset or False.

If parameters are provided only the provided ones are checked.

example:

policies:
  - name: CheckForPublicAclBlock-Off
    resource: s3
    region: us-east-1
    filters:
      - type: check-public-block
        BlockPublicAcls: true
        BlockPublicPolicy: true
properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  type:
    enum:
    - check-public-block
required:
- type

Permissions - s3:GetBucketPublicAccessBlock

cross-account

Filters cross-account access to S3 buckets

example:

policies:
  - name: s3-acl
    resource: s3
    region: us-east-1
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - s3:GetBucketPolicy

data-events

Find buckets for which CloudTrail is logging data events.

Note that this filter only examines trails that are defined in the current account.

properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - data-events
required:
- type

Permissions - cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors

global-grants

Filters for all S3 buckets that have global-grants

Note by default this filter allows for read access if the bucket has been configured as a website. This can be disabled per the example below.

example:

policies:
  - name: remove-global-grants
    resource: s3
    filters:
     - type: global-grants
       allow_website: false
    actions:
     - delete-global-grants
properties:
  allow_website:
    type: boolean
  operator:
    enum:
    - or
    - and
    type: string
  permissions:
    items:
      enum:
      - READ
      - WRITE
      - WRITE_ACP
      - READ_ACP
      - FULL_CONTROL
      type: string
    type: array
  type:
    enum:
    - global-grants
required:
- type

has-statement

Find resources with matching access policy statements. :Example:

policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL
policies:
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
                Bool:
                    "aws:SecureTransport": "false"
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

inventory

Filter inventories for a bucket

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - inventory
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - s3:GetInventoryConfiguration

is-log-target

Filter and return buckets are log destinations.

Not suitable for use in lambda on large accounts, This is a api heavy process to detect scan all possible log sources.

Sources:
  • elb (Access Log)

  • s3 (Access Log)

  • cfn (Template writes)

  • cloudtrail

example:

policies:
  - name: s3-log-bucket
    resource: s3
    filters:
      - type: is-log-target
properties:
  self:
    type: boolean
  services:
    items:
      enum:
      - s3
      - elb
      - cloudtrail
    type: array
  type:
    enum:
    - is-log-target
  value:
    type: boolean
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeLoadBalancerAttributes

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

missing-policy-statement

Find buckets missing a set of named policy statements.

example:

policies:
  - name: s3-bucket-missing-statement
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
properties:
  statement_ids:
    items:
      type: string
    type: array
  type:
    enum:
    - missing-policy-statement
    - missing-statement
required:
- type

no-encryption-statement

Find buckets with missing encryption policy statements.

example:

policies:
  - name: s3-bucket-not-encrypted
    resource: s3
    filters:
      - type: no-encryption-statement
properties:
  type:
    enum:
    - no-encryption-statement
required:
- type

Permissions - s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketTagging, s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketLogging, s3:GetBucketNotification, s3:GetLifecycleConfiguration

Actions

attach-encrypt

Action attaches lambda encryption policy to S3 bucket

supports attachment via lambda bucket notification or sns notification to invoke lambda. a special topic value of default will utilize an extant notification or create one matching the bucket name.

example:

policies:
  - name: attach-lambda-encrypt
    resource: s3
    filters:
      - type: missing-policy-statement
    actions:
      - type: attach-encrypt
        role: arn:aws:iam::123456789012:role/my-role
properties:
  role:
    type: string
  tags:
    type: object
  topic:
    type: string
  type:
    enum:
    - attach-encrypt
required:
- type

Permissions - s3:PutBucketNotification, s3:GetBucketNotification, lambda:*

configure-lifecycle

Action applies a lifecycle policy to versioned S3 buckets

The schema to supply to the rule follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_lifecycle_configuration

To delete a lifecycle rule, supply Status=absent

example:

policies:
  - name: s3-apply-lifecycle
    resource: s3
    actions:
      - type: configure-lifecycle
        rules:
          - ID: my-lifecycle-id
            Status: Enabled
            Prefix: foo/
            Transitions:
              - Days: 60
                StorageClass: GLACIER
properties:
  rules:
    items:
      additionalProperties: false
      properties:
        AbortIncompleteMultipartUpload:
          additionalProperties: false
          properties:
            DaysAfterInitiation:
              type: integer
          type: object
        Expiration:
          additionalProperties: false
          properties:
            Date:
              type: string
            Days:
              type: integer
            ExpiredObjectDeleteMarker:
              type: boolean
          type: object
        Filter:
          additionalProperties: false
          maxProperties: 1
          minProperties: 1
          properties:
            And:
              additionalProperties: false
              properties:
                ObjectSizeGreaterThan:
                  type: integer
                ObjectSizeLessThan:
                  type: integer
                Prefix:
                  type: string
                Tags:
                  items:
                    additionalProperties: false
                    properties:
                      Key:
                        type: string
                      Value:
                        type: string
                    required:
                    - Key
                    - Value
                    type: object
                  type: array
              type: object
            ObjectSizeGreaterThan:
              type: integer
            ObjectSizeLessThan:
              type: integer
            Prefix:
              type: string
            Tag:
              additionalProperties: false
              properties:
                Key:
                  type: string
                Value:
                  type: string
              required:
              - Key
              - Value
              type: object
          type: object
        ID:
          type: string
        NoncurrentVersionExpiration:
          additionalProperties: false
          properties:
            NewerNoncurrentVersions:
              type: integer
            NoncurrentDays:
              type: integer
          type: object
        NoncurrentVersionTransitions:
          items:
            additionalProperties: false
            properties:
              NewerNoncurrentVersions:
                type: integer
              NoncurrentDays:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
        Prefix:
          type: string
        Status:
          enum:
          - Enabled
          - Disabled
          - absent
        Transitions:
          items:
            additionalProperties: false
            properties:
              Date:
                type: string
              Days:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
      required:
      - ID
      - Status
      type: object
    type: array
  type:
    enum:
    - configure-lifecycle
required:
- type

Permissions - s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration

delete

Action deletes a S3 bucket

example:

policies:
  - name: delete-unencrypted-buckets
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: delete
        remove-contents: true
properties:
  remove-contents:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - s3:*

delete-bucket-notification

Action to delete S3 bucket notification configurations

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - delete-bucket-notification
required:
- statement_ids
- type

Permissions - s3:PutBucketNotification

delete-global-grants

Deletes global grants associated to a S3 bucket

example:

policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants
properties:
  grantees:
    items:
      type: string
    type: array
  type:
    enum:
    - delete-global-grants
required:
- type

Permissions - s3:PutBucketAcl

encrypt-keys

Action to encrypt unencrypted S3 objects

example:

policies:
  - name: s3-encrypt-objects
    resource: s3
    actions:
      - type: encrypt-keys
        crypto: aws:kms
        key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01
dependencies:
  key-id:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
  glacier:
    type: boolean
  key-id:
    type: string
  large:
    type: boolean
  report-only:
    type: boolean
  type:
    enum:
    - encrypt-keys

Permissions - s3:GetObject, s3:PutObject, s3:DeleteObjectVersion, s3:RestoreObject, s3:ListBucket

encryption-policy

Action to apply an encryption policy to S3 buckets

example:

policies:
  - name: s3-enforce-encryption
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
    actions:
      - encryption-policy
properties:
  type:
    enum:
    - encryption-policy
required:
- type

Permissions - s3:GetBucketPolicy, s3:PutBucketPolicy

no-op

Parent base class for filters and actions.

properties:
  type:
    enum:
    - no-op
required:
- type

Permissions - s3:ListAllMyBuckets

remove-statements

Action to remove policy statements from S3 buckets

example:

policies:
  - name: s3-remove-encrypt-put
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequireEncryptedPutObject
    actions:
      - type: remove-statements
        statement_ids:
          - RequiredEncryptedPutObject
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - s3:PutBucketPolicy, s3:DeleteBucketPolicy

remove-website-hosting

Action that removes website hosting configuration.

properties:
  type:
    enum:
    - remove-website-hosting
required:
- type

Permissions - s3:DeleteBucketWebsite

set-bucket-encryption

Action enables default encryption on S3 buckets

enabled: boolean Optional: Defaults to True

crypto: aws:kms | AES256` Optional: Defaults to AES256

key: arn, alias, or kms id key

bucket-key: boolean Optional: Defaults to True. Reduces amount of API traffic from Amazon S3 to KMS and can reduce KMS request costsby up to 99 percent. Requires kms:Decrypt permissions for copy and upload on the AWS KMS Key Policy.

Bucket Key Docs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html

example:

policies:
  - name: s3-enable-default-encryption-kms
    resource: s3
    actions:
      - type: set-bucket-encryption
      # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: 1234abcd-12ab-34cd-56ef-1234567890ab
        bucket-key: true

  - name: s3-enable-default-encryption-kms-alias
    resource: s3
    actions:
      - type: set-bucket-encryption
      # enabled: true <------ optional (true by default)
        crypto: aws:kms
        key: alias/some/alias/key
        bucket-key: true

  - name: s3-enable-default-encryption-aes256
    resource: s3
    actions:
      - type: set-bucket-encryption
      # bucket-key: true <--- optional (true by default for AWS SSE)
      # crypto: AES256 <----- optional (AES256 by default)
      # enabled: true <------ optional (true by default)

  - name: s3-disable-default-encryption
    resource: s3
    actions:
      - type: set-bucket-encryption
        enabled: false
dependencies:
  key:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  bucket-key:
    type: boolean
  crypto:
    enum:
    - aws:kms
    - AES256
  enabled:
    type: boolean
  key:
    type: string
  type:
    enum:
    - set-bucket-encryption

Permissions - s3:PutEncryptionConfiguration, s3:GetEncryptionConfiguration, kms:ListAliases, kms:DescribeKey

set-intelligent-tiering

Action applies an intelligent tiering configuration to a S3 bucket

The schema to supply to the configuration follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/put_bucket_intelligent_tiering_configuration.html

To delete a configuration, supply Status=delete with the either the Id or Id: matched

example:

policies:
  - name: s3-apply-intelligent-tiering-config
    resource: aws.s3
    filters:
      - not:
        - type: intelligent-tiering
          attrs:
            - Status: Enabled
            - Filter:
                And:
                  Prefix: helloworld
                  Tags:
                    - Key: Hello
                      Value: World
            - Tierings:
              - Days: 123
                AccessTier: ARCHIVE_ACCESS
    actions:
      - type: set-intelligent-tiering
        Id: c7n-default
        IntelligentTieringConfiguration:
          Id: c7n-default
          Status: Enabled
          Tierings:
            - Days: 149
              AccessTier: ARCHIVE_ACCESS

  - name: s3-delete-intelligent-tiering-configuration
    resource: aws.s3
    filters:
      - type: intelligent-tiering
        attrs:
          - Status: Enabled
          - Id: test-config
    actions:
      - type: set-intelligent-tiering
        Id: test-config
        State: delete

  - name: s3-delete-intelligent-tiering-matched-configs
    resource: aws.s3
    filters:
      - type: intelligent-tiering
        attrs:
          - Status: Enabled
          - Id: test-config
    actions:
      - type: set-intelligent-tiering
        Id: matched
        State: delete
oneOf:
- required:
  - type
  - Id
  - IntelligentTieringConfiguration
- required:
  - type
  - Id
  - State
properties:
  Id:
    type: string
  IntelligentTieringConfiguration:
    type: object
  State:
    enum:
    - delete
    type: string
  type:
    enum:
    - set-intelligent-tiering

Permissions - s3:PutIntelligentTieringConfiguration

set-inventory

Configure bucket inventories for an s3 bucket.

properties:
  destination:
    description: Name of destination bucket
    type: string
  encryption:
    enum:
    - SSES3
    - SSEKMS
  fields:
    items:
      enum:
      - Size
      - LastModifiedDate
      - StorageClass
      - ETag
      - IsMultipartUploaded
      - ReplicationStatus
      - EncryptionStatus
      - ObjectLockRetainUntilDate
      - ObjectLockMode
      - ObjectLockLegalHoldStatus
      - IntelligentTieringAccessTier
      - BucketKeyStatus
      - ChecksumAlgorithm
    type: array
  format:
    enum:
    - CSV
    - ORC
    - Parquet
  key_id:
    description: Optional Customer KMS KeyId for SSE-KMS
    type: string
  name:
    description: Name of inventory
    type: string
  prefix:
    description: Destination prefix
    type: string
  schedule:
    enum:
    - Daily
    - Weekly
  state:
    enum:
    - enabled
    - disabled
    - absent
  type:
    enum:
    - set-inventory
  versions:
    enum:
    - All
    - Current
required:
- name
- destination
- type

Permissions - s3:PutInventoryConfiguration, s3:GetInventoryConfiguration

set-public-block

Action to update Public Access blocks on S3 buckets

If no action parameters are provided all settings will be set to the state, which defaults

If action parameters are provided, those will be set and other extant values preserved.

example:

policies:
  - name: s3-public-block-enable-all
    resource: s3
    filters:
      - type: check-public-block
    actions:
      - type: set-public-block

policies:
  - name: s3-public-block-disable-all
    resource: s3
    filters:
      - type: check-public-block
    actions:
      - type: set-public-block
        state: false

policies:
  - name: s3-public-block-enable-some
    resource: s3
    filters:
      - or:
        - type: check-public-block
          BlockPublicAcls: false
        - type: check-public-block
          BlockPublicPolicy: false
    actions:
      - type: set-public-block
        BlockPublicAcls: true
        BlockPublicPolicy: true
properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-public-block
required:
- type

Permissions - s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock

set-replication

Action to add or remove replication configuration statement from S3 buckets

example:

policies:
  - name: s3-unapproved-account-replication
    resource: s3
    filters:
      - type: value
        key: Replication.ReplicationConfiguration.Rules[].Destination.Account
        value: present
      - type: value
        key: Replication.ReplicationConfiguration.Rules[].Destination.Account
        value_from:
          url: 's3:///path/to/file.json'
          format: json
          expr: "approved_accounts.*"
        op: ni
    actions:
      - type: set-replication
        state: enable
properties:
  state:
    enum:
    - enable
    - disable
    - remove
    type: string
  type:
    enum:
    - set-replication
required:
- type

Permissions - s3:GetReplicationConfiguration, s3:PutReplicationConfiguration

set-statements

Action to add or update policy statements to S3 buckets

example:

policies:
  - name: force-s3-https
    resource: s3
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyHttp"
            Effect: "Deny"
            Action: "s3:GetObject"
            Principal:
              AWS: "*"
            Resource: "arn:aws:s3:::{bucket_name}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false
properties:
  statements:
    items:
      oneOf:
      - required:
        - Principal
        - Action
        - Resource
      - required:
        - NotPrincipal
        - Action
        - Resource
      - required:
        - Principal
        - NotAction
        - Resource
      - required:
        - NotPrincipal
        - NotAction
        - Resource
      - required:
        - Principal
        - Action
        - NotResource
      - required:
        - NotPrincipal
        - Action
        - NotResource
      - required:
        - Principal
        - NotAction
        - NotResource
      - required:
        - NotPrincipal
        - NotAction
        - NotResource
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Sid
      - Effect
      type: object
    type: array
  type:
    enum:
    - set-statements
required:
- type

Permissions - s3:PutBucketPolicy

toggle-logging

Action to enable/disable logging on a S3 bucket.

Target bucket ACL must allow for WRITE and READ_ACP Permissions Not specifying a target_prefix will default to the current bucket name. https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html

example:

policies:
  - name: s3-enable-logging
    resource: s3
    filters:
      - "tag:Testing": present
    actions:
      - type: toggle-logging
        target_bucket: log-bucket
        target_prefix: logs123/

policies:
  - name: s3-force-standard-logging
    resource: s3
    filters:
      - type: bucket-logging
        op: not-equal
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
properties:
  enabled:
    type: boolean
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - toggle-logging
required:
- type

Permissions - s3:PutBucketLogging, iam:ListAccountAliases

toggle-versioning

Action to enable/suspend versioning on a S3 bucket

Note versioning can never be disabled only suspended.

example:

policies:
  - name: s3-enable-versioning
    resource: s3
    filters:
      - or:
        - type: value
          key: Versioning.Status
          value: Suspended
        - type: value
          key: Versioning.Status
          value: absent
    actions:
      - type: toggle-versioning
        enabled: true
properties:
  enabled:
    type: boolean
  type:
    enum:
    - toggle-versioning
required:
- type

Permissions - s3:PutBucketVersioning