aws.s3

Filters

bucket-encryption

Filters S3 buckets by their default (bucket-level) server-side encryption configuration. `state: True` matches buckets that have default encryption configured, optionally narrowed by `crypto` (`AES256` or `aws:kms`) and, for `aws:kms`, by `key`; `state: False` matches buckets with no default encryption configured.

example

policies:
  - name: s3-bucket-encryption-AES256
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: AES256
  - name: s3-bucket-encryption-KMS
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: aws:kms
        key: alias/some/alias/key
  - name: s3-bucket-encryption-off
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: False
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
    type: string
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - bucket-encryption
required:
- type

Permissions - s3:GetEncryptionConfiguration, kms:DescribeKey

bucket-logging

Filter based on bucket logging configuration.

example

policies:
  - name: add-bucket-logging-if-missing
    resource: s3
    filters:
      - type: bucket-logging
        op: disabled
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{source_bucket_name}/"

policies:
  - name: update-incorrect-or-missing-logging
    resource: s3
    filters:
      - type: bucket-logging
        op: not-equal
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
properties:
  op:
    enum:
    - enabled
    - disabled
    - equal
    - not-equal
    - eq
    - ne
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - bucket-logging
required:
- op
- type

Permissions - s3:GetBucketLogging, iam:ListAccountAliases

bucket-notification

Filter based on bucket notification configuration.

example

policies:
  - name: delete-incorrect-notification
    resource: s3
    filters:
      - type: bucket-notification
        kind: lambda
        key: Id
        value: "IncorrectLambda"
        op: eq
    actions:
      - type: delete-bucket-notification
        statement_ids: matched
properties:
  default:
    type: object
  key:
    type: string
  kind:
    enum:
    - lambda
    - sns
    - sqs
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - bucket-notification
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- kind
- type

Permissions - s3:GetBucketNotification

check-public-block

Filter for s3 bucket public blocks

If no filter parameters are provided, the filter matches buckets where any of the four public access block settings is unset or false.

If parameters are provided, only those settings are checked, and a bucket matches when each listed setting equals the given value (compare the `set-public-block` example below, which filters on `BlockPublicAcls: false` to find buckets whose block is off).

example

policies:
  - name: CheckForPublicAclBlock-Off
    resource: s3
    region: us-east-1
    filters:
      - type: check-public-block
        BlockPublicAcls: true
        BlockPublicPolicy: true
properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  type:
    enum:
    - check-public-block
required:
- type

Permissions - s3:GetBucketPublicAccessBlock

cross-account

Filters S3 buckets whose bucket policy grants access to principals outside the bucket's own account (the filter reads the bucket policy; see the permissions below). Approved grantees can be excluded with `whitelist` (account ids), `whitelist_orgids`, `whitelist_vpc` and `whitelist_vpce`, or loaded from a file with the corresponding `*_from` properties; `whitelist_conditions` lists policy condition keys to accept.

example

policies:
  - name: s3-acl
    resource: s3
    region: us-east-1
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - s3:GetBucketPolicy

data-events

Filters buckets by whether CloudTrail S3 data-event logging covers them: `state: present` matches buckets that have a trail with data-event selectors for them, `state: absent` those without (the filter reads the account's trails and their event selectors; see the permissions below).

properties:
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - data-events
required:
- type

Permissions - cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors

global-grants

Filters for all S3 buckets that have global-grants

Note that by default this filter ignores global READ grants on buckets configured as static websites, where public read is expected. Set `allow_website: false`, as in the example below, to report those buckets as well.

example

policies:
  - name: remove-global-grants
    resource: s3
    filters:
     - type: global-grants
       allow_website: false
    actions:
     - delete-global-grants
properties:
  allow_website:
    type: boolean
  operator:
    enum:
    - or
    - and
    type: string
  permissions:
    items:
      enum:
      - READ
      - WRITE
      - WRITE_ACP
      - READ_ACP
      - FULL_CONTROL
      type: string
    type: array
  type:
    enum:
    - global-grants
required:
- type

has-statement

Find buckets whose bucket policy contains the given statements, either by `statement_ids` (Sid values) or by `statements` (statement fields that must match).

example

policies:
  - name: s3-bucket-has-statement
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          - RequiredEncryptedPutObject

policies:
  - name: s3-public-policy
    resource: s3
    filters:
      - type: has-statement
        statements:
          - Effect: Allow
            Action: 's3:*'
            Principal: '*'
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

inventory

Filter inventories for a bucket

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - inventory
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - s3:GetInventoryConfiguration

is-log-target

Filters for buckets that are log destinations.

Not suitable for use in lambda on large accounts: this is an API-heavy process, since it has to scan every possible log source to detect them. Note that the `services` property below accepts only `s3`, `elb` and `cloudtrail`, although the sources listed also include cfn.

Sources:
  • elb (Access Log)

  • s3 (Access Log)

  • cfn (Template writes)

  • cloudtrail

example

policies:
  - name: s3-log-bucket
    resource: s3
    filters:
      - type: is-log-target
properties:
  self:
    type: boolean
  services:
    items:
      enum:
      - s3
      - elb
      - cloudtrail
    type: array
  type:
    enum:
    - is-log-target
  value:
    type: boolean
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeTags

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database, so Config recording must be enabled for the bucket.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

missing-policy-statement

Find buckets missing a set of named policy statements.

example

policies:
  - name: s3-bucket-missing-statement
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
properties:
  statement_ids:
    items:
      type: string
    type: array
  type:
    enum:
    - missing-policy-statement
    - missing-statement
required:
- type

no-encryption-statement

Find buckets whose bucket policy does not contain a statement enforcing encrypted uploads (see the `encryption-policy` action below, which adds one).

example

policies:
  - name: s3-bucket-not-encrypted
    resource: s3
    filters:
      - type: no-encryption-statement
properties:
  type:
    enum:
    - no-encryption-statement
required:
- type

Permissions - s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketTagging, s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketLogging, s3:GetBucketNotification, s3:GetLifecycleConfiguration

Actions

attach-encrypt

Action that attaches a Lambda-based encryption function to an S3 bucket.

The function can be attached either through a Lambda bucket notification or through an SNS topic notification that invokes the Lambda; the special `topic` value `default` reuses an existing notification or creates one named after the bucket. `role` is the IAM role ARN passed to the deployed function (see the example). Note the broad `lambda:*` permission this action needs (see below); scope the Custodian execution role accordingly.

example

policies:
  - name: attach-lambda-encrypt
    resource: s3
    filters:
      - type: missing-policy-statement
    actions:
      - type: attach-encrypt
        role: arn:aws:iam::123456789012:role/my-role
properties:
  role:
    type: string
  tags:
    type: object
  topic:
    type: string
  type:
    enum:
    - attach-encrypt
required:
- type

Permissions - s3:PutBucketNotification, s3:GetBucketNotification, lambda:*

configure-lifecycle

Action applies a lifecycle policy to versioned S3 buckets

The schema to supply to the rule follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.put_bucket_lifecycle_configuration

To delete a lifecycle rule, supply Status=absent

example

policies:
  - name: s3-apply-lifecycle
    resource: s3
    actions:
      - type: configure-lifecycle
        rules:
          - ID: my-lifecycle-id
            Status: Enabled
            Prefix: foo/
            Transitions:
              - Days: 60
                StorageClass: GLACIER
properties:
  rules:
    items:
      additionalProperties: false
      properties:
        AbortIncompleteMultipartUpload:
          additionalProperties: false
          properties:
            DaysAfterInitiation:
              type: integer
          type: object
        Expiration:
          additionalProperties: false
          properties:
            Date:
              type: string
            Days:
              type: integer
            ExpiredObjectDeleteMarker:
              type: boolean
          type: object
        Filter:
          additionalProperties: false
          maxProperties: 1
          minProperties: 1
          properties:
            And:
              additionalProperties: false
              properties:
                Prefix:
                  type: string
                Tags:
                  items:
                    additionalProperties: false
                    properties:
                      Key:
                        type: string
                      Value:
                        type: string
                    required:
                    - Key
                    - Value
                    type: object
                  type: array
              type: object
            Prefix:
              type: string
            Tag:
              additionalProperties: false
              properties:
                Key:
                  type: string
                Value:
                  type: string
              required:
              - Key
              - Value
              type: object
          type: object
        ID:
          type: string
        NoncurrentVersionExpiration:
          additionalProperties: false
          properties:
            NoncurrentDays:
              type: integer
          type: object
        NoncurrentVersionTransitions:
          items:
            additionalProperties: false
            properties:
              NoncurrentDays:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
        Prefix:
          type: string
        Status:
          enum:
          - Enabled
          - Disabled
          - absent
        Transitions:
          items:
            additionalProperties: false
            properties:
              Date:
                type: string
              Days:
                type: integer
              StorageClass:
                type: string
            type: object
          type: array
      required:
      - ID
      - Status
      type: object
    type: array
  type:
    enum:
    - configure-lifecycle
required:
- type

Permissions - s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration

delete

Action that deletes an S3 bucket. S3 refuses to delete a non-empty bucket, so `remove-contents: true` deletes the bucket's objects first; this is irreversible, so verify the filter selection (for example with the `no-op` action) before enabling it.

example

policies:
  - name: delete-unencrypted-buckets
    resource: s3
    filters:
      - type: missing-statement
        statement_ids:
          - RequiredEncryptedPutObject
    actions:
      - type: delete
        # remove-contents: true also deletes every object in the bucket
        # (S3 refuses to delete a non-empty bucket); this is irreversible,
        # so run the filters alone first and review what they match
        remove-contents: true
properties:
  remove-contents:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - s3:*

delete-bucket-notification

Action to delete S3 bucket notification configurations. `statement_ids: matched` removes the notifications matched by a preceding `bucket-notification` filter (see that filter's example); an explicit list removes the notifications with those Ids.

properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - delete-bucket-notification
required:
- statement_ids
- type

Permissions - s3:PutBucketNotification

delete-global-grants

Deletes global ACL grants (grants to everyone) from an S3 bucket. `grantees` optionally limits which grantees are removed.

example

policies:
  - name: s3-delete-global-grants
    resource: s3
    filters:
      - type: global-grants
    actions:
      - delete-global-grants
properties:
  grantees:
    items:
      type: string
    type: array
  type:
    enum:
    - delete-global-grants
required:
- type

Permissions - s3:PutBucketAcl

encrypt-keys

Action to encrypt unencrypted S3 objects. Objects are rewritten in place (the required permissions below include s3:PutObject and s3:DeleteObjectVersion), so use `report-only: true` to list affected keys without modifying them before running it for real; `glacier` presumably extends the action to archived objects (note s3:RestoreObject below).

example

policies:
  - name: s3-encrypt-objects
    resource: s3
    actions:
      - type: encrypt-keys
        # consider a first pass with report-only: true (see properties)
        # before rewriting objects in place
        crypto: aws:kms
        key-id: 9c3983be-c6cf-11e6-9d9d-cec0c932ce01
dependencies:
  key-id:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - AES256
    - aws:kms
  glacier:
    type: boolean
  key-id:
    type: string
  large:
    type: boolean
  report-only:
    type: boolean
  type:
    enum:
    - encrypt-keys

Permissions - s3:GetObject, s3:PutObject, s3:DeleteObjectVersion, s3:RestoreObject, s3:ListBucket

encryption-policy

Action that writes an encryption-enforcing statement into the bucket policy (see the permissions below). The example runs it in CloudTrail mode on every CreateBucket event so new buckets receive the policy as soon as they exist.

example

policies:
  - name: s3-enforce-encryption
    resource: s3
    mode:
      type: cloudtrail
      events:
        - CreateBucket
    actions:
      - encryption-policy
properties:
  type:
    enum:
    - encryption-policy
required:
- type

Permissions - s3:GetBucketPolicy, s3:PutBucketPolicy

no-op

No-op action: performs no change on the matched buckets. Useful for dry-running a policy's filters and reviewing the matched resources before adding a destructive action.

properties:
  type:
    enum:
    - no-op
required:
- type

Permissions - s3:ListAllMyBuckets

remove-statements

Action to remove policy statements from S3 buckets

example

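policies:
  - name: s3-remove-encrypt-put
    resource: s3
    filters:
      - type: has-statement
        statement_ids:
          # the Sid here must be the same one the action removes below
          - RequiredEncryptedPutObject
    actions:
      - type: remove-statements
        # removing this statement stops enforcing encrypted PutObject
        # on the bucket; make sure that is intended
        statement_ids:
          - RequiredEncryptedPutObject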
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - s3:PutBucketPolicy, s3:DeleteBucketPolicy

remove-website-hosting

Action that removes website hosting configuration.

properties:
  type:
    enum:
    - remove-website-hosting
required:
- type

Permissions - s3:DeleteBucketWebsite

set-bucket-encryption

Action enables default encryption on S3 buckets

Parameters:
  • `enabled` (boolean, optional, defaults to `true`)
  • `crypto` (`aws:kms` | `AES256`, optional, defaults to `AES256`)
  • `key` (KMS key ARN, alias or key id; only valid with `crypto: aws:kms`, per the schema dependency below)

example

policies:
  - name: s3-enable-default-encryption-kms
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true  # optional (true by default)
        crypto: aws:kms
        key: 1234abcd-12ab-34cd-56ef-1234567890ab

  - name: s3-enable-default-encryption-kms-alias
    resource: s3
    actions:
      - type: set-bucket-encryption
        # enabled: true  # optional (true by default)
        crypto: aws:kms
        key: alias/some/alias/key

  - name: s3-enable-default-encryption-aes256
    resource: s3
    actions:
      - type: set-bucket-encryption
        # crypto: AES256  # optional (AES256 by default)
        # enabled: true   # optional (true by default)

  - name: s3-disable-default-encryption
    resource: s3
    actions:
      - type: set-bucket-encryption
        # disables default encryption on every matched bucket; rarely what
        # a compliance policy wants, so keep the filters tight
        enabled: false
dependencies:
  key:
    properties:
      crypto:
        pattern: aws:kms
    required:
    - crypto
properties:
  crypto:
    enum:
    - aws:kms
    - AES256
  enabled:
    type: boolean
  key:
    type: string
  type:
    enum:
    - set-bucket-encryption

Permissions - s3:PutEncryptionConfiguration, s3:GetEncryptionConfiguration, kms:ListAliases, kms:DescribeKey

set-inventory

Configure bucket inventories for an s3 bucket.

properties:
  destination:
    description: Name of destination bucket
    type: string
  encryption:
    enum:
    - SSES3
    - SSEKMS
  fields:
    items:
      enum:
      - Size
      - LastModifiedDate
      - StorageClass
      - ETag
      - IsMultipartUploaded
      - ReplicationStatus
      - EncryptionStatus
      - ObjectLockRetainUntilDate
      - ObjectLockMode
      - ObjectLockLegalHoldStatus
      - IntelligentTieringAccessTier
    type: array
  format:
    enum:
    - CSV
    - ORC
    - Parquet
  key_id:
    description: Optional Customer KMS KeyId for SSE-KMS
    type: string
  name:
    description: Name of inventory
    type: string
  prefix:
    description: Destination prefix
    type: string
  schedule:
    enum:
    - Daily
    - Weekly
  state:
    enum:
    - enabled
    - disabled
    - absent
  type:
    enum:
    - set-inventory
  versions:
    enum:
    - All
    - Current
required:
- name
- destination
- type

Permissions - s3:PutInventoryConfiguration, s3:GetInventoryConfiguration

set-public-block

Action to update Public Access blocks on S3 buckets

If no action parameters are provided, all four settings are set to `state`, which defaults to `true`.

If action parameters are provided, those will be set and other extant values preserved.

example

policies:
  - name: s3-public-block-enable-all
    resource: s3
    filters:
      - type: check-public-block
    actions:
      - type: set-public-block

policies:
  - name: s3-public-block-disable-all
    resource: s3
    filters:
      - type: check-public-block
    actions:
      - type: set-public-block
        state: false

policies:
  - name: s3-public-block-enable-some
    resource: s3
    filters:
      - or:
        - type: check-public-block
          BlockPublicAcls: false
        - type: check-public-block
          BlockPublicPolicy: false
    actions:
      - type: set-public-block
        BlockPublicAcls: true
        BlockPublicPolicy: true
properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-public-block
required:
- type

Permissions - s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock

set-replication

Action to enable, disable or remove the replication configuration on S3 buckets (`state`: `enable` | `disable` | `remove`).

example

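policies:
  - name: s3-unapproved-account-replication
    resource: s3
    filters:
      - type: value
        key: Replication.ReplicationConfiguration.Rules[].Destination.Account
        value: present
      - type: value
        key: Replication.ReplicationConfiguration.Rules[].Destination.Account
        value_from:
          url: 's3:///path/to/file.json'
          format: json
          expr: "approved_accounts.*"
        op: ni
    actions:
      - type: set-replication
        # the filters select buckets replicating to accounts outside the
        # approved list, so the remediation is to stop that replication
        # rather than enable it; state: remove (see properties) deletes
        # the configuration instead of disabling it
        state: disable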
properties:
  state:
    enum:
    - enable
    - disable
    - remove
    type: string
  type:
    enum:
    - set-replication
required:
- type

Permissions - s3:GetReplicationConfiguration, s3:PutReplicationConfiguration

set-statements

Action to add or update policy statements to S3 buckets

example

policies:
  - name: force-s3-https
    resource: s3
    actions:
      - type: set-statements
        statements:
          - Sid: "DenyHttp"
            Effect: "Deny"
            # only GetObject is denied here; to require TLS for every
            # operation use Action: "s3:*" and add the bucket ARN itself
            # ("arn:aws:s3:::{bucket_name}") to Resource
            Action: "s3:GetObject"
            Principal:
              AWS: "*"
            Resource: "arn:aws:s3:::{bucket_name}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false
properties:
  statements:
    items:
      oneOf:
      - required:
        - Principal
        - Action
        - Resource
      - required:
        - NotPrincipal
        - Action
        - Resource
      - required:
        - Principal
        - NotAction
        - Resource
      - required:
        - NotPrincipal
        - NotAction
        - Resource
      - required:
        - Principal
        - Action
        - NotResource
      - required:
        - NotPrincipal
        - Action
        - NotResource
      - required:
        - Principal
        - NotAction
        - NotResource
      - required:
        - NotPrincipal
        - NotAction
        - NotResource
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Sid
      - Effect
      type: object
    type: array
  type:
    enum:
    - set-statements
required:
- type

Permissions - s3:PutBucketPolicy

toggle-logging

Action to enable/disable logging on a S3 bucket.

The target bucket's ACL must grant WRITE and READ_ACP to the S3 log delivery grantee (see the linked AWS documentation for the exact grantee). Not specifying a `target_prefix` defaults it to the current bucket name. https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-programming.html

example

policies:
  - name: s3-enable-logging
    resource: s3
    filters:
      - "tag:Testing": present
    actions:
      - type: toggle-logging
        target_bucket: log-bucket
        target_prefix: logs123/

policies:
  - name: s3-force-standard-logging
    resource: s3
    filters:
      - type: bucket-logging
        op: not-equal
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
    actions:
      - type: toggle-logging
        target_bucket: "{account_id}-{region}-s3-logs"
        target_prefix: "{account}/{source_bucket_name}/"
properties:
  enabled:
    type: boolean
  target_bucket:
    type: string
  target_prefix:
    type: string
  type:
    enum:
    - toggle-logging
required:
- type

Permissions - s3:PutBucketLogging, iam:ListAccountAliases

toggle-versioning

Action to enable/suspend versioning on a S3 bucket

Note that versioning can never be disabled, only suspended: `enabled: false` suspends it, and existing object versions are retained.

example

policies:
  - name: s3-enable-versioning
    resource: s3
    filters:
      - or:
        - type: value
          key: Versioning.Status
          value: Suspended
        - type: value
          key: Versioning.Status
          value: absent
    actions:
      - type: toggle-versioning
        enabled: true
properties:
  enabled:
    type: boolean
  type:
    enum:
    - toggle-versioning
required:
- type

Permissions - s3:PutBucketVersioning