@turbot/aws-s3

The aws-s3 mod contains resource, control and policy definitions for AWS S3 service.

Version
5.24.1
Released On
May 24, 2024

Release Notes

5.24.1 (2024-05-24)

Bug fixes

  • The AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.
  • Guardrails failed to process the real-time event s3:PutBucketReplication for buckets. This is now fixed.

5.24.0 (2024-03-05)

What's new?

  • The AWS > S3 > Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration.

Bug fixes

  • A few policy values in the AWS > S3 > Bucket > Encryption at Rest policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.

    | Deprecated Values |
    | - |
    | Check: None |
    | Check: None or higher |
    | Enforce: None |
    | Enforce: None or higher |

5.23.1 (2024-02-28)

Bug fixes

  • In a previous version (v5.6.2), we introduced a change in the AWS > S3 > Bucket > Encryption in Transit and AWS > S3 > Bucket > Encryption at Rest controls to wait for a few minutes before applying the respective policies to new buckets created via CloudFormation stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcement.

5.23.0 (2023-10-09)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

Action Types

  • AWS > S3 > Bucket > Delete from AWS

5.22.0 (2023-09-06)

What's new?

  • AWS/S3/Admin and AWS/S3/Metadata now include permissions for Multi-Region Access Point Routes.

5.21.0 (2023-05-29)

What's new?

  • Resource's metadata will now also include createdBy details in Guardrails CMDB.

5.20.0 (2023-04-06)

What's new?

  • Added support for aws_s3_bucket_policy Terraform resource for AWS > S3 > Bucket.

Bug fixes

  • We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.19.0 (2023-03-15)

What's new?

  • Added support for aws_s3_bucket_lifecycle_configuration and aws_s3_bucket_acl Terraform resources for AWS > S3 > Bucket.

5.18.0 (2022-12-08)

What's new?

  • Users can now validate Principal Organization Paths (aws:PrincipalOrgPaths) in bucket policy conditions. To get started, set the AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions policy.

Policy Types

  • AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions

5.17.3 (2022-11-01)

Bug fixes

  • The AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions policy now also supports ForAnyValue:StringLike operator for the aws:PrincipalOrgPaths condition.

5.17.2 (2022-08-23)

Action Types

Removed

  • AWS > S3 > Bucket > Disable Encryption in Transit

5.17.1 (2022-08-18)

Bug fixes

  • The AWS > S3 > Bucket > Disable all Block Public Access settings and AWS > S3 > Bucket > Enable all Block Public Access settings quick actions would not show up on the Guardrails console due to incorrect internal references. This is fixed and you will now be able to Enable/Disable Block Public Access settings on S3 Buckets with a click of a button.

5.17.0 (2022-07-25)

What's new?

  • In v5.6.0, we deprecated the AWS > S3 > Bucket > Policy Statements > Approved control and its policies in favour of the new AWS > S3 > Bucket > Policy > Trusted Access control; however, because the AWS > S3 > Bucket > Policy Statements > Approved > Rules policy adds Object Control List (OCL) functionality which is not available in AWS > S3 > Bucket > Policy > Trusted Access > Approved control, this policy is still useful.

    The AWS > S3 > Bucket > Policy Statements > Approved control, and the AWS > S3 > Bucket > Policy Statements > Approved > Rules, AWS > S3 > Bucket > Policy Statements > Approved > Encryption In Transit, AWS > S3 > Bucket > Policy Statements > Approved > Encryption At Rest and AWS > S3 > Bucket > Policy Statements > Approved > Compiled Rules policies are no longer considered deprecated and are available for use again.

Control Types

Renamed

  • AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved

Policy Types

Renamed

  • AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]

5.16.0 (2022-07-19)

Action Types

  • AWS > S3 > Bucket > Disable Encryption in Transit
  • AWS > S3 > Bucket > Disable all Block Public Access settings
  • AWS > S3 > Bucket > Enable Encryption in Transit
  • AWS > S3 > Bucket > Enable all Block Public Access settings
  • AWS > S3 > Bucket > Set Encryption at Rest to AWS Managed Key
  • AWS > S3 > Bucket > Set Encryption at Rest to AWS SSE
  • AWS > S3 > Bucket > Set Encryption at Rest to Customer Managed Key
  • AWS > S3 > Bucket > Set Encryption at Rest to None

5.15.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.15.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Guardrails alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Action Types

  • AWS > S3 > Bucket > Disable Versioning
  • AWS > S3 > Bucket > Enable Versioning
  • AWS > S3 > Bucket > Set Tags
  • AWS > S3 > Bucket > Skip alarm for Active control
  • AWS > S3 > Bucket > Skip alarm for Active control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Approved control
  • AWS > S3 > Bucket > Skip alarm for Approved control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Encryption at Rest control
  • AWS > S3 > Bucket > Skip alarm for Encryption at Rest control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Tags control
  • AWS > S3 > Bucket > Skip alarm for Tags control [90 days]

5.14.0 (2022-06-01)

What's new?

  • The AWS > S3 > Bucket CMDB will now also include information about Object Lock Configuration on the bucket.

5.13.0 (2022-02-14)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

  • AWS > S3 > Bucket > Approved > Custom

5.12.0 (2022-01-04)

What's new?

  • AWS/S3/Admin and AWS/S3/Metadata now include permissions for Access Point, Bucket Intelligent Tiering Configuration and Bucket Ownership Controls.

5.11.0 (2021-07-20)

What's new?

  • AWS/S3 permission levels now include Job, Object Lock Config, Public Access Block and Replicate related permissions.

5.10.0 (2021-07-09)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.9.0 (2021-06-24)

What's new?

  • AWS/S3/Admin now includes storage lens management permissions.

5.8.1 (2021-04-27)

Bug fixes

  • We've improved the descriptions for AWS > S3 > Bucket > Public Access Block > Settings and AWS > S3 > Account > Public Access Block > Settings policies to clearly indicate what each policy value means.

5.8.0 (2021-02-18)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • The AWS > S3 > Bucket > Active control will now check if an inactive bucket is empty before attempting to delete it to avoid errors.

5.7.0 (2021-02-05)

What's new?

  • In a previous version, we added the AWS > S3 > Bucket > Policy > Trusted Access control to help you manage who can access your buckets based on their bucket policies. To further help you secure your buckets, we've added the AWS > S3 > Bucket > ACL > Trusted Access control, which allows you to configure which AWS accounts and groups can be granted access through the bucket's access control list (ACL).

    To get started with this new control, please review the AWS > S3 > Bucket > ACL > Trusted Access policy and its subpolicies.

Control Types

  • AWS > S3 > Bucket > ACL
  • AWS > S3 > Bucket > ACL > Trusted Access

Policy Types

  • AWS > S3 > Bucket > ACL
  • AWS > S3 > Bucket > ACL > Trusted Access
  • AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
  • AWS > S3 > Bucket > ACL > Trusted Access > Groups

Action Types

  • AWS > S3 > Bucket > Set ACL Trusted Access

5.6.6 (2021-01-14)

Bug fixes

  • The AWS > S3 > Bucket > CMDB control will now show a proper error message if we are unable to call s3:HeadBucket due to a Forbidden error.

5.6.5 (2021-01-07)

What's new?

  • The AWS > S3 > Bucket > Public Access Block control will now display the result for each public access block setting in the control data to easily identify if any setting is not set according to the AWS > S3 > Bucket > Public Access Block > Settings policy.

5.6.4 (2020-12-28)

Bug fixes

  • We've improved the consistency of error notification messages for several bucket controls, like the AWS > S3 > Bucket > Public Access Block control.

5.6.3 (2020-12-17)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • The AWS > S3 > Policy Statements [Deprecated] > Approved [Deprecated] policy description had incorrect references to VPC security groups. This issue has now been fixed.

5.6.2 (2020-12-11)

Bug fixes

  • For buckets created via a CloudFormation stack, the AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit controls would sometimes create their bucket policies before the stack finished creating its bucket policies. This would result in the CloudFormation stack rolling back due to a bucket policy conflict. This issue is now fixed and the controls will now wait a few minutes before creating or updating bucket policies on new S3 buckets created through CloudFormation stacks to prevent conflicts.

5.6.1 (2020-12-07)

Bug fixes

  • We've optimized the GraphQL queries for various controls when they're in the tbd and skipped states. You won't notice any difference but they should run a lot lighter now.

5.6.0 (2020-12-04)

Warning

  • The AWS > S3 > Bucket > Policy Statements > Approved control has been deprecated and replaced by the AWS > S3 > Bucket > Policy > Trusted Access control. In the next major version (v6.0.0), the AWS > S3 > Bucket > Policy Statements > Approved control will be removed.

    Please note that a key difference between these controls is that the new AWS > S3 > Bucket > Policy > Trusted Access control will only check bucket policy statements that grant access with "Effect": "Allow", so statements like Guardrails' encryption in transit statement that denies any S3 action not using aws:SecureTransport will not be checked by this control.

    We recommend that you migrate any AWS > S3 > Bucket > Policy Statements > Approved policy settings currently set in your workspace to instead use the new AWS > S3 > Bucket > Policy > Trusted Access policies based on the mappings below:

    | Old Policy | New Policy |
    | - | - |
    | AWS > S3 > Bucket > Policy Statements > Approved | AWS > S3 > Bucket > Policy > Trusted Access |
    | AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers | AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers |
    | AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts | AWS > S3 > Bucket > Policy > Trusted Access > Accounts |
    | AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services | AWS > S3 > Bucket > Policy > Trusted Access > Services |
    | AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities |
    | AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit | N/A |
    | AWS > S3 > Bucket > Policy Statements > Approved > Rules | N/A |
    | N/A | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities |
    | N/A | AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions |
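
The Allow-only scope described in the 5.6.0 warning, as an added Python sketch (not Guardrails code): it audits a bucket policy against trust lists, skips Deny statements such as the aws:SecureTransport one, and parses the CloudFront Origin Access Identity ARN form quoted in the 5.5.3 notes. The function names, trust-list layout, account IDs, bucket name and organization path are constructed for illustration, and organization paths are compared by exact match as a simplification.

```python
import json
import re

# Matches IAM ARNs; the account field may be a 12-digit ID or the literal "cloudfront".
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::([^:]*):(.+)$")
OAI_PREFIX = "user/CloudFront Origin Access Identity "
ORG_PATH_OPS = ("ForAnyValue:StringLike", "ForAnyValue:StringEquals")

# Hypothetical trust lists (constructed values, not Guardrails policy settings).
TRUST = {
    "accounts": {"111111111111"},
    "services": {"cloudtrail.amazonaws.com"},
    "oais": {"EH1HDMB1FH2TC"},
    "org_paths": {"o-exampleorgid/r-ab12/ou-ab12-11111111/*"},
}

def stmt(sid, effect, principal, condition=None):
    """Build one constructed sample statement for example-bucket."""
    s = {"Sid": sid, "Effect": effect, "Principal": principal,
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        s["Condition"] = condition
    return s

# Constructed sample bucket policy.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    stmt("DenyInsecureTransport", "Deny", "*", {"Bool": {"aws:SecureTransport": "false"}}),
    stmt("TrustedRead", "Allow", {"AWS": "arn:aws:iam::111111111111:root"}),
    stmt("MixedRead", "Allow",
         {"AWS": ["222222222222", "arn:aws:iam::111111111111:role/app"]}),
    stmt("CdnRead", "Allow", {"AWS":
         "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"}),
    stmt("PublicRead", "Allow", "*"),
    stmt("OrgScoped", "Allow", "*", {"ForAnyValue:StringLike": {
         "aws:PrincipalOrgPaths": ["o-exampleorgid/r-ab12/ou-ab12-11111111/*"]}}),
]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals(statement):
    """Yield (kind, value) pairs; a bare "*" principal is reported as ("AWS", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in as_list(values):
            yield (kind, value)

def org_paths(statement):
    """Collect aws:PrincipalOrgPaths patterns from the supported condition operators."""
    condition = statement.get("Condition", {})
    found = []
    for op in ORG_PATH_OPS:
        found += as_list(condition.get(op, {}).get("aws:PrincipalOrgPaths", []))
    return found

def classify(kind, value, trust):
    """Return None when the principal is trusted, otherwise a reason string."""
    if kind == "Service":
        return None if value in trust["services"] else "untrusted service"
    if kind != "AWS":
        return "unsupported principal type"
    if value == "*":
        return "anonymous principal"
    match = ARN_RE.match(value)
    account, rest = match.groups() if match else (value, "")
    if account == "cloudfront" and rest.startswith(OAI_PREFIX):
        oai_id = rest[len(OAI_PREFIX):]
        return None if oai_id in trust["oais"] else "untrusted CloudFront OAI"
    return None if account in trust["accounts"] else "untrusted account"

def audit(policy_json, trust):
    """Return (Sid, principal, reason) for every untrusted grant in Allow statements."""
    findings = []
    for statement in as_list(json.loads(policy_json).get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements are outside the scope of this check
        paths = org_paths(statement)
        for kind, value in principals(statement):
            if value == "*" and paths:
                trusted = all(p in trust["org_paths"] for p in paths)
                reason = None if trusted else "untrusted organization path"
            else:
                reason = classify(kind, value, trust)
            if reason:
                findings.append((statement.get("Sid", "<no Sid>"), value, reason))
    return findings
```

Because the Deny statement is never evaluated here, a separate check is still needed to confirm that the aws:SecureTransport statement is present.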

Bug fixes

  • We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.

Control Types

  • AWS > S3 > Bucket > Policy
  • AWS > S3 > Bucket > Policy > Trusted Access

Renamed

  • AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]

Policy Types

  • AWS > S3 > Bucket > Policy
  • AWS > S3 > Bucket > Policy > Trusted Access
  • AWS > S3 > Bucket > Policy > Trusted Access > Accounts
  • AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
  • AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
  • AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
  • AWS > S3 > Bucket > Policy > Trusted Access > Services
  • AWS > S3 > Trusted Accounts [Default]
  • AWS > S3 > Trusted Identity Providers [Default]
  • AWS > S3 > Trusted Organizations [Default]
  • AWS > S3 > Trusted Services [Default]

Renamed

  • AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]

Action Types

  • AWS > S3 > Bucket > Set Policy Trusted Access

5.5.5 (2020-11-02)

Bug fixes

5.5.4 (2020-10-30)

Bug fixes

  • We've updated the AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts policy to only accept valid values in the form of AWS account IDs as strings or integers.

5.5.3 (2020-10-28)

Bug fixes

  • We've fixed an issue that caused the AWS > S3 > Bucket > Policy Statements > Approved control to incorrectly parse any bucket policy statements that contained a principal with a CloudFront Origin Access Identity user ARN, e.g., arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC.
  • In several recent versions, we had released changes that we thought had fixed an error upserting a large number of buckets in the AWS > S3 > Bucket > Discovery control. Turns out we were wrong and the issue still persists. Now we've included another fix that really should resolve the error and get the control running smoothly again.

5.5.2 (2020-10-27)

Bug fixes

  • We have made further improvements to AWS > S3 > Bucket > Discovery controls to ensure that they can handle large upserts into our CMDB more reliably without running into errors.

5.5.1 (2020-10-21)

Bug fixes

  • AWS > S3 > Bucket > Discovery controls would sometimes go into an error state when we tried to upsert a large number of buckets into our CMDB. This issue has now been fixed.

5.5.0 (2020-10-15)

What's new?

  • The title of AWS > S3 > Bucket > Policy Statements > Approved control has been renamed to be consistent with other policy types & control types.

Control Types

Renamed

  • AWS > S3 > Bucket > Policy to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy > Approved to AWS > S3 > Bucket > Policy Statements > Approved

5.4.4 (2020-10-14)

Bug fixes

  • The CMDB data for buckets now always includes the Versioning.MFADelete property, which is set to Disabled by default (in the case that MFA delete has never been enabled before for the bucket).

5.4.3 (2020-09-22)

Bug fixes

  • We've made some improvements to our real-time event handling that reduce the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.4.2 (2020-09-15)

Bug fixes

  • The descriptions of controls and policies of AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit have been improved to provide more details about their usage.

5.4.1 (2020-09-08)

Bug fixes

  • After creating an S3 bucket with the same properties as an existing one, AWS will send a successful CloudTrail event instead of returning an error that the bucket already exists. When we received such events, the real-time event handler for buckets did not handle them properly, resulting in the metadata create timestamp getting updated incorrectly for the bucket and its policy. We now handle these events better and will not update metadata create timestamps for existing buckets and their policies.

5.4.0 (2020-09-03)

What's new?

  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.3.11 (2020-08-14)

Bug fixes

  • The Policy field for bucket resources is now properly and consistently sorted.

5.3.10 (2020-08-11)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.3.9 (2020-08-11)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.3.8 (2020-07-29)

Bug fixes

  • AWS > S3 > Bucket > Access Logging control will now remain in skipped state for Guardrails managed logging buckets.

5.3.7 (2020-07-13)

Bug fixes

  • Updated various resource configurations to provide better compatibility with AWS China regions.

5.3.6 (2020-07-11)

Bug fixes

  • In AWS China, the GetBucketAccelerateConfiguration API is not supported and throws an error if invoked. The AWS > S3 > Bucket > CMDB control was not handling this error correctly, which caused the control to move to error. We've fixed this issue and the control is running smoothly again.

5.3.5 (2020-07-09)

Bug fixes

  • When listing buckets through the AWS S3 API, the S3 service returns different results for the CreationDate based on the endpoint queried. Only queries to the endpoints in the S3 master regions (us-east-1, us-gov-west-1, cn-north-1) actually return the CreationDate; other endpoints incorrectly return the last modified timestamp. Our AWS > S3 > Bucket > Discovery control made this API call without using the S3 master region endpoint, so the CreationDate property may have been incorrectly set to the (always later) last modified date. This has been fixed and now all buckets will first try to use the S3 master region and fall back to the specific region the control is running in when listing buckets. The CreationDate property will now have the correct timestamp, unless access to the S3 master region is blocked in that account.

5.3.4 (2020-07-02)

Bug fixes

  • While attempting to remove unapproved bucket policy statements in the AWS > S3 > Bucket > Policy > Approved control, sometimes we would fail to remove statements that contained Principal: "*". This issue has been fixed.

5.3.3 (2020-06-29)

Bug fixes

  • A duplicate permission in S3 was causing the AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3 policy to fail compilation. This duplicate permission has been removed and the policy can compile again.

5.3.2 (2020-06-26)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.3.1 (2020-06-26)

Bug fixes

  • Several real-time events for buckets were not being handled properly, which sometimes resulted in outdated CMDB entries. These events included updates to CORS configurations, lifecycle rules, replication rules, and bucket public access block configurations. This issue has been fixed and all of these events now trigger CMDB updates properly.
  • Several bucket CMDB properties were not being updated properly if they were enabled and then disabled in the AWS console. For instance, if default encryption was set to AES-256 and then set to None, the bucket's CMDB entry would still have data indicating default encryption was AES-256. This issue has been fixed and all properties should reflect the resource's current state.
  • The AWS > S3 > Bucket > Encryption at Rest control would sometimes go into error state when a bucket was first created, even if the AWS > S3 > Bucket > Encryption at Rest policy was set to Skip. This has been fixed.

Policy Types

Renamed

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > S3 to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3

5.3.0 (2020-06-18)

Control Types

  • AWS > S3 > Bucket > Access Logging

Policy Types

  • AWS > S3 > Bucket > Access Logging
  • AWS > S3 > Bucket > Access Logging > Bucket
  • AWS > S3 > Bucket > Access Logging > Key Prefix

Action Types

  • AWS > S3 > Bucket > Update Access Logging

5.2.0 (2020-06-15)

Policy Types

  • AWS > S3 > Bucket > Active > Budget
  • AWS > S3 > Bucket > Approved > Budget

Action Types

  • AWS > S3 > Bucket > Set Encryption in Transit

Removed

  • AWS > S3 > Bucket > Set Encryption At Transit

5.1.7 (2020-05-07)

Bug fixes

  • The AWS > S3 > Bucket > Encryption at Rest control would not update the bucket policy with the intended encryption at rest settings if the bucket did not have an existing bucket policy. This has been fixed.
  • When the AWS > S3 > Bucket > Encryption at Rest policy was set to Enforce: AWS managed key, the control was incorrectly adding a bucket policy statement that would only allow the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of only allowing the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting.
  • When the AWS > S3 > Bucket > Encryption at Rest policy was set to Enforce: Customer managed key, the control was incorrectly adding a bucket policy statement that would deny the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of denying the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting.

Policy Types

Renamed

  • AWS > S3 > Bucket > Configured > Precedence to AWS > S3 > Bucket > Configured > Claim Precedence