S3 bucket policies - support for custom policies and guardrails

Turbot Guardrails now supports custom S3 bucket policies and has added new guardrails to restrict anonymous and cross-account bucket access. Users with AWS/S3/Admin permissions can create, update, and delete bucket policies for all buckets in their account (except for the regional Guardrails logging buckets).

Adding Bucket Policies

Here's how you can add a custom bucket policy to a bucket in an account that has the "S3 > Encryption at Transit" option enabled.

Start by selecting the S3 bucket, expand Permissions, and click on Edit bucket policy (or Add bucket policy):

You should already see the bucket policy enforcing encryption in transit:

Add your own statements to the bucket policy and then Save your changes:

Example bucket policies are available from AWS to help users get started.

Anonymous and Cross-Account Access Guardrails

Cluster administrators can restrict anonymous and cross-account access through S3 options:

If either option is set to Repair, any prohibited access will be denied and the policies will need to be cleaned up manually.

Turbot Guardrails recommends restricting anonymous and cross-account access unless there is a specific requirement to allow them.