@turbot/aws-s3
The aws-s3 mod contains resource, control and policy definitions for AWS S3 service.
Resource Types
Resource types covered by this mod:
Permissions
Taking a look at permissions and associated grant levels for each permission for S3:
| Permission | Grant Level | Help |
|---|---|---|
| s3:AbortMultipartUpload | Operator | |
| s3:BypassGovernanceRetention | Admin | |
| s3:CreateAccessPoint | Admin | |
| s3:CreateAccessPointForObjectLambda | Admin | |
| s3:CreateBucket | Operator | |
| s3:CreateJob | Operator | |
| s3:CreateMultiRegionAccessPoint | Admin | |
| s3:DeleteAccessPoint | Admin | |
| s3:DeleteAccessPointForObjectLambda | Admin | |
| s3:DeleteAccessPointPolicy | Admin | |
| s3:DeleteAccessPointPolicyForObjectLambda | Admin | |
| s3:DeleteAccountPublicAccessBlock | Admin | |
| s3:DeleteBucket | Operator | |
| s3:DeleteBucketCors | Admin | TEMPORARY permission since CloudTrail events are different |
| s3:DeleteBucketEncryption | Admin | TEMPORARY permission since CloudTrail events are different |
| s3:DeleteBucketLifecycle | Admin | TEMPORARY permission since CloudTrail events are different |
| s3:DeleteBucketLifecycleConfiguration | Admin | |
| s3:DeleteBucketOwnershipControls | Admin | |
| s3:DeleteBucketPolicy | Admin | |
| s3:DeleteBucketReplication | Admin | TEMPORARY permission since CloudTrail events are different |
| s3:DeleteBucketTagging | Operator | TEMPORARY permission since CloudTrail events are different |
| s3:DeleteBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
| s3:DeleteJobTagging | Admin | |
| s3:DeleteMultiRegionAccessPoint | Admin | |
| s3:DeleteObject | Operator | |
| s3:DeleteObjectVersion | Operator | |
| s3:DeleteObjectVersionTagging | Operator | |
| s3:DeletePublicAccessBlock | Admin | |
| s3:DeleteReplicationConfiguration | Whitelist | Admins can delete the replication configuration set for the bucket. |
| s3:DeleteStorageLensConfiguration | Admin | |
| s3:DeleteStorageLensConfigurationTagging | Admin | |
| s3:DescribeJob | Metadata | |
| s3:DescribeMultiRegionAccessPointOperation | Metadata | |
| s3:GetAccelerateConfiguration | Metadata | |
| s3:GetAccessPoint | Metadata | |
| s3:GetAccessPointConfigurationForObjectLambda | Metadata | |
| s3:GetAccessPointForObjectLambda | Metadata | |
| s3:GetAccessPointPolicy | Metadata | |
| s3:GetAccessPointPolicyForObjectLambda | Metadata | |
| s3:GetAccessPointPolicyStatus | Metadata | |
| s3:GetAccessPointPolicyStatusForObjectLambda | Metadata | |
| s3:GetAccountPublicAccessBlock | Metadata | |
| s3:GetAnalyticsConfiguration | Metadata | Covers ListAnalyticsConfigurations. |
| s3:GetBucket | Metadata | |
| s3:GetBucketAcl | Metadata | |
| s3:GetBucketCORS | Metadata | |
| s3:GetBucketIntelligentTieringConfiguration | Metadata | |
| s3:GetBucketLocation | Metadata | |
| s3:GetBucketLogging | Metadata | |
| s3:GetBucketNotification | Metadata | |
| s3:GetBucketObjectLockConfiguration | Metadata | |
| s3:GetBucketOwnershipControls | Metadata | |
| s3:GetBucketPolicy | Metadata | |
| s3:GetBucketPolicyStatus | Metadata | |
| s3:GetBucketPublicAccessBlock | Metadata | |
| s3:GetBucketReplication | Metadata | |
| s3:GetBucketRequestPayment | Metadata | |
| s3:GetBucketTagging | Metadata | |
| s3:GetBucketVersioning | Metadata | |
| s3:GetBucketWebsite | Metadata | |
| s3:GetEncryptionConfiguration | Metadata | |
| s3:GetIntelligentTieringConfiguration | Metadata | |
| s3:GetInventoryConfiguration | Metadata | Covers ListInventoryConfigurations. |
| s3:GetJobTagging | Metadata | |
| s3:GetLifecycleConfiguration | Metadata | |
| s3:GetMetricsConfiguration | Metadata | Covers ListMetricsConfigurations. |
| s3:GetMultiRegionAccessPoint | Metadata | |
| s3:GetMultiRegionAccessPointPolicy | Metadata | |
| s3:GetMultiRegionAccessPointPolicyStatus | Metadata | |
| s3:GetMultiRegionAccessPointRoutes | Metadata | |
| s3:GetObject | ReadOnly | |
| s3:GetObjectAcl | Metadata | |
| s3:GetObjectLegalHold | Metadata | |
| s3:GetObjectLockConfiguration | Metadata | |
| s3:GetObjectRetention | Metadata | |
| s3:GetObjectTagging | Metadata | |
| s3:GetObjectTorrent | ReadOnly | |
| s3:GetObjectVersion | ReadOnly | |
| s3:GetObjectVersionAcl | Metadata | |
| s3:GetObjectVersionForReplication | ReadOnly | |
| s3:GetObjectVersionTagging | Metadata | Retrieves tags of earlier object version. - http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGETtagging.html. |
| s3:GetObjectVersionTorrent | ReadOnly | |
| s3:GetPublicAccessBlock | Metadata | |
| s3:GetReplicationConfiguration | Metadata | |
| s3:GetStorageLensConfiguration | Metadata | |
| s3:GetStorageLensConfigurationTagging | Metadata | |
| s3:GetStorageLensDashboard | Metadata | |
| s3:HeadBucket | Metadata | Helps to determine if a bucket exists and you have permission to access it. |
| s3:HeadObject | ReadOnly | The HEAD operation retrieves metadata from an object without returning the object itself. This depends in s3:GetObject permission. This operation is useful if you're only interested in an object's metadata. |
| s3:ListAccessPoints | Metadata | |
| s3:ListAccessPointsForObjectLambda | Metadata | |
| s3:ListAllMyBuckets | Metadata | |
| s3:ListBucket | Metadata | |
| s3:ListBucketByTags | Metadata | |
| s3:ListBucketIntelligentTieringConfigurations | Metadata | |
| s3:ListBucketMultipartUploads | Metadata | |
| s3:ListBucketVersions | Metadata | |
| s3:ListJobs | Metadata | |
| s3:ListMultipartUploadParts | Metadata | |
| s3:ListMultiRegionAccessPoints | Metadata | |
| s3:ListRegionalBuckets | Metadata | |
| s3:ListStorageLensConfigurations | Metadata | |
| s3:ObjectOwnerOverrideToBucketOwner | Admin | |
| s3:PutAccelerateConfiguration | Admin | Admins can manage transfer acceleration for buckets. |
| s3:PutAccessPointConfigurationForObjectLambda | Admin | |
| s3:PutAccessPointPolicy | Admin | |
| s3:PutAccessPointPolicyForObjectLambda | Admin | |
| s3:PutAccessPointPublicAccessBlock | Admin | |
| s3:PutAccountPublicAccessBlock | Admin | |
| s3:PutAnalyticsConfiguration | Admin | Covers DeleteAnalyticsConfiguration. |
| s3:PutBucketAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutBucketCORS | Whitelist | Can be used for cross-account access. |
| s3:PutBucketIntelligentTieringConfiguration | Admin | |
| s3:PutBucketLogging | Whitelist | Turbot automates logging settings. |
| s3:PutBucketNotification | Operator | |
| s3:PutBucketObjectLockConfiguration | Admin | |
| s3:PutBucketOwnershipControls | Admin | |
| s3:PutBucketPolicy | Admin | |
| s3:PutBucketPublicAccessBlock | Admin | |
| s3:PutBucketReplication | Whitelist | |
| s3:PutBucketRequestPayment | None | Can be used for cross-account access. |
| s3:PutBucketTagging | Operator | Covers DeleteBucketTagging. |
| s3:PutBucketVersioning | Operator | |
| s3:PutBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
| s3:PutEncryptionConfiguration | Admin | |
| s3:PutIntelligentTieringConfiguration | Admin | |
| s3:PutInventoryConfiguration | Admin | Covers DeleteInventoryConfiguration. |
| s3:PutJobTagging | Admin | |
| s3:PutLifecycleConfiguration | Admin | Bucket management is restricted to Admins. Covers PutBucketLifecycle; PutBucketLifecycleConfiguration; DeleteBucketLifecycle. |
| s3:PutMetricsConfiguration | Admin | Covers DeleteMetricsConfiguration. |
| s3:PutMultiRegionAccessPointPolicy | Admin | |
| s3:PutObject | Operator | Covers CompleteMultipartUpload; CreateMultipartUpload; UploadPart; UploadPartCopy. |
| s3:PutObjectAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutObjectLegalHold | Admin | |
| s3:PutObjectLockConfiguration | Admin | |
| s3:PutObjectRetention | Operator | |
| s3:PutObjectTagging | Operator | Covers DeleteObjectTagging. |
| s3:PutObjectVersionAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
| s3:PutObjectVersionTagging | Operator | Enables to associate tag to object based on versionId. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTtagging.html. |
| s3:PutPublicAccessBlock | Admin | |
| s3:PutReplicationConfiguration | Whitelist | In a versioning-enabled bucket Admins can create a replication configuration (or replace an existing one if present) and can also be used for cross-account access. |
| s3:PutStorageLensConfiguration | Admin | |
| s3:PutStorageLensConfigurationTagging | Admin | |
| s3:ReplicateDelete | Whitelist | |
| s3:ReplicateObject | Whitelist | |
| s3:ReplicateTags | Whitelist | |
| s3:RestoreObject | Operator | |
| s3:SelectObjectContent | ReadOnly | |
| s3:SubmitMultiRegionAccessPointRoutes | Admin | |
| s3:UpdateJobPriority | Operator | |
| s3:UpdateJobStatus | Operator | |
| s3:WriteGetObjectResponse | Admin |
Learn More About Guardrails
- Setting Policies Tutorial
- Mods Overview
- Policies Overview
- Resources Overview
- Common Policies and Controls
Recommended Version
Version
5.22.0
Released On
Sep 06, 2023
Depends On
@turbot/aws ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/aws-kms ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/aws-kms ^5.0.0
Resource Types
Control Types
- AWS > S3 > Account > CMDB
- AWS > S3 > Account > Discovery
- AWS > S3 > Account > Public Access Block
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Active
- AWS > S3 > Bucket > Approved
- AWS > S3 > Bucket > CMDB
- AWS > S3 > Bucket > Configured
- AWS > S3 > Bucket > Discovery
- AWS > S3 > Bucket > Encryption at Rest
- AWS > S3 > Bucket > Encryption in Transit
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Public Access Block
- AWS > S3 > Bucket > Tags
- AWS > S3 > Bucket > Usage
- AWS > S3 > Bucket > Versioning
Policy Types
- AWS > S3 > API Enabled
- AWS > S3 > Account > CMDB
- AWS > S3 > Account > Public Access Block
- AWS > S3 > Account > Public Access Block > Settings
- AWS > S3 > Approved Regions [Default]
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
- AWS > S3 > Bucket > ACL > Trusted Access > Groups
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Access Logging > Bucket
- AWS > S3 > Bucket > Access Logging > Key Prefix
- AWS > S3 > Bucket > Active
- AWS > S3 > Bucket > Active > Age
- AWS > S3 > Bucket > Active > Budget
- AWS > S3 > Bucket > Active > Last Modified
- AWS > S3 > Bucket > Approved
- AWS > S3 > Bucket > Approved > Budget
- AWS > S3 > Bucket > Approved > Custom
- AWS > S3 > Bucket > Approved > Regions
- AWS > S3 > Bucket > Approved > Usage
- AWS > S3 > Bucket > CMDB
- AWS > S3 > Bucket > Configured
- AWS > S3 > Bucket > Configured > Claim Precedence
- AWS > S3 > Bucket > Configured > Source
- AWS > S3 > Bucket > Encryption at Rest
- AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key
- AWS > S3 > Bucket > Encryption in Transit
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy > Trusted Access > Accounts
- AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Services
- AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
- AWS > S3 > Bucket > Policy Statements > Approved > Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
- AWS > S3 > Bucket > Public Access Block
- AWS > S3 > Bucket > Public Access Block > Settings
- AWS > S3 > Bucket > Regions
- AWS > S3 > Bucket > Tags
- AWS > S3 > Bucket > Tags > Template
- AWS > S3 > Bucket > Usage
- AWS > S3 > Bucket > Usage > Limit
- AWS > S3 > Bucket > Versioning
- AWS > S3 > Enabled
- AWS > S3 > Permissions
- AWS > S3 > Permissions > Levels
- AWS > S3 > Permissions > Levels > ACL Administration
- AWS > S3 > Permissions > Levels > Access Logging Administration
- AWS > S3 > Permissions > Levels > CORS Administration
- AWS > S3 > Permissions > Levels > Cross Replication Administration
- AWS > S3 > Permissions > Levels > Modifiers
- AWS > S3 > Permissions > Lockdown
- AWS > S3 > Permissions > Lockdown > API Boundary
- AWS > S3 > Regions
- AWS > S3 > Tags Template [Default]
- AWS > S3 > Trusted Accounts [Default]
- AWS > S3 > Trusted Identity Providers [Default]
- AWS > S3 > Trusted Organizations [Default]
- AWS > S3 > Trusted Services [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3
Release Notes
5.22.0 (2023-09-06)
What's new?
AWS/S3/AdminandAWS/S3/Metadatanow include permissions for Multi-Region Access Point Routes.
5.21.0 (2023-05-29)
What's new?
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
5.20.0 (2023-04-06)
What's new?
- Added support for
aws_s3_bucket_policyTerraform resource forAWS > S3 > Bucket.
Bug fixes
- We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
5.19.0 (2023-03-15)
What's new?
- Added support for
aws_s3_bucket_lifecycle_configurationandaws_s3_bucket_aclTerraform resources forAWS > S3 > Bucket.
5.18.0 (2022-12-08)
What's new?
- Users can now validate Principal Organization Paths (
aws:PrincipalOrgPaths) in bucket policy conditions. To get started, set theAWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictionspolicy.
Policy Types
Added
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
5.17.3 (2022-11-01)
Bug fixes
- The
AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictionspolicy now also supportsForAnyValue:StringLikeoperator for theaws:PrincipalOrgPathscondition.
5.17.2 (2022-08-23)
Action Types
Removed
- AWS > S3 > Bucket > Disable Encryption in Transit
5.17.1 (2022-08-18)
Bug fixes
- The
AWS > S3 > Bucket > Disable all Block Public Access settingsandAWS > S3 > Bucket > Enable all Block Public Access settingsquick actions would not show up on the Turbot console due to incorrect internal references. This is fixed and you will now be able to Enable/Disable Block Public Access settings on S3 Buckets with a click of a button.
5.17.0 (2022-07-25)
What's new?
In v5.6.0, we deprecated the
AWS > S3 > Bucket > Policy Statements > Approvedcontrol and its policies in favour of the newAWS > S3 > Bucket > Policy > Trusted Accesscontrol; however, because theAWS > S3 > Bucket > Policy Statements > Approved > Rulespolicy adds Object Control List (OCL) functionality which is not available inAWS > S3 > Bucket > Policy > Trusted Access > Approvedcontrol, this policy is still useful.The
AWS > S3 > Bucket > Policy Statements > Approvedcontrol, and theAWS > S3 > Bucket > Policy Statements > Approved > Rules,AWS > S3 > Bucket > Policy Statements > Approved > Encryption In Transit,AWS > S3 > Bucket > Policy Statements > Approved > Encryption At RestandAWS > S3 > Bucket > Policy Statements > Approved > Compiled Rulespolicies are no longer considered deprecated and are available for use again.
Control Types
Renamed
- AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
Policy Types
Renamed
- AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
5.16.0 (2022-07-19)
Action Types
Added
- AWS > S3 > Bucket > Disable Encryption in Transit
- AWS > S3 > Bucket > Disable all Block Public Access settings
- AWS > S3 > Bucket > Enable Encryption in Transit
- AWS > S3 > Bucket > Enable all Block Public Access settings
- AWS > S3 > Bucket > Set Encryption at Rest to AWS Managed Key
- AWS > S3 > Bucket > Set Encryption at Rest to AWS SSE
- AWS > S3 > Bucket > Set Encryption at Rest to Customer Managed Key
- AWS > S3 > Bucket > Set Encryption at Rest to None
5.15.1 (2022-07-13)
Bug fixes
- The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.
5.15.0 (2022-07-12)
What's new?
- Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information. - README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Action Types
Added
- AWS > S3 > Bucket > Disable Versioning
- AWS > S3 > Bucket > Enable Versioning
- AWS > S3 > Bucket > Set Tags
- AWS > S3 > Bucket > Skip alarm for Active control
- AWS > S3 > Bucket > Skip alarm for Active control [90 days]
- AWS > S3 > Bucket > Skip alarm for Approved control
- AWS > S3 > Bucket > Skip alarm for Approved control [90 days]
- AWS > S3 > Bucket > Skip alarm for Encryption at Rest control
- AWS > S3 > Bucket > Skip alarm for Encryption at Rest control [90 days]
- AWS > S3 > Bucket > Skip alarm for Tags control
- AWS > S3 > Bucket > Skip alarm for Tags control [90 days]
5.14.0 (2022-06-01)
What's new?
- The
AWS > S3 > BucketCMDB will now also include information about Object Lock Configuration on the bucket.
5.13.0 (2022-02-14)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the
Approved > Custompolicy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to
Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
Policy Types
Added
- AWS > S3 > Bucket > Approved > Custom
5.12.0 (2022-01-04)
What's new?
AWS/S3/AdminandAWS/S3/Metadatanow include permissions for Access Point, Bucket Intelligent Tiering Configuration and Bucket Ownership Controls.
5.11.0 (2021-07-20)
What's new?
AWS/S3permission levels now includeJob,Object Lock Config,Public Access BlockandReplicaterelated permissions.
5.10.0 (2021-07-09)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.9.0 (2021-06-24)
What's new?
AWS/S3/Adminnow includes storage lens management permissions.
5.8.1 (2021-04-27)
Bug fixes
- We've improved the descriptions for
AWS > S3 > Bucket > Public Access Block > SettingsandAWS > S3 > Account > Public Access Block > Settingspolicies to clearly indicate what each policy value means.
5.8.0 (2021-02-18)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- The
AWS > S3 > Bucket > Activecontrol will now check if an inactive bucket is empty before attempting to delete it to avoid errors.
5.7.0 (2021-02-05)
What's new?
In a previous version, we added the
AWS > S3 > Bucket > Policy > Trusted Accesscontrol to help you manage who can access your buckets based on their bucket policies. To further help you secure your buckets, we've added theAWS > S3 > Bucket > ACL > Trusted Accesscontrol, which allows you to configure which AWS accounts and groups can be granted access through the bucket's access control list (ACL).To get started with this new control, please review the
AWS > S3 > Bucket > ACL > Trusted Accesspolicy and its subpolicies.
Control Types
Added
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
Policy Types
Added
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
- AWS > S3 > Bucket > ACL > Trusted Access > Groups
Action Types
Added
- AWS > S3 > Bucket > Set ACL Trusted Access
5.6.6 (2021-01-14)
Bug fixes
- The
AWS > S3 > Bucket > CMDBcontrol will now show a proper error message if we are unable to calls3:HeadBucketdue to aForbiddenerror.
5.6.5 (2021-01-07)
What's new?
- The
AWS > S3 > Bucket > Public Access Blockcontrol will now display the result for each public access block setting in the control data to easily identify if any setting is not set according to theAWS > S3 > Bucket > Public Access Block > Settingspolicy.
5.6.4 (2020-12-28)
Bug fixes
- We've improved the consistency of error notification messages for several bucket controls, like the
AWS > S3 > Bucket > Public Access Blockcontrol.
5.6.3 (2020-12-17)
Bug fixes
- Controls run faster now when in the
tbdandskippedstates thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when intbdandskipped, resulting in faster and lighter control runs. - The
AWS > S3 > Policy Statements [Deprecated] > Approved [Deprecated]policy description had incorrect references to VPC security groups. This issue has now been fixed.
5.6.2 (2020-12-11)
Bug fixes
- For buckets created via a CloudFormation stack, the
AWS > S3 > Bucket > Encryption at RestandAWS > S3 > Bucket > Encryption in Transitcontrols would sometimes create their bucket policies before the stack finished creating its bucket policies. This would result in the CloudFormation stack rolling back due to a bucket policy conflict. This issue is now fixed and the controls will now wait a few minutes before creating or updating bucket policies on new S3 buckets created through CloudFormation stacks to prevent conflicts.
5.6.1 (2020-12-07)
Bug fixes
- We've optimized the GraphQL queries for various controls when they're in the
tbdandskippedstates. You won't notice any difference but they should run a lot lighter now.
5.6.0 (2020-12-04)
Warning
The
AWS > S3 > Bucket > Policy Statements > Approvedcontrol has been deprecated and replaced by theAWS > S3 > Bucket > Policy > Trusted Accesscontrol. In the next major version (v6.0.0), theAWS > S3 > Bucket > Policy Statements > Approvedcontrol will be removed.Please note that a key difference between these controls is that the new
AWS > S3 > Bucket > Policy > Trusted Accesscontrol will only check bucket policy statements that grant access with"Effect": "Allow", so statements like Turbot's encryption in transit statement that denies any S3 action not usingaws:SecureTransportwill not be checked by this control.We recommend that you migrate any
AWS > S3 > Bucket > Policy Statements > Approvedpolicy settings currently set in your workspace to instead use the newAWS > S3 > Bucket > Policy > Trusted Accesspolicies based on the mappings below:Old Policy New Policy AWS > S3 > Bucket > Policy Statements > Approved AWS > S3 > Bucket > Policy > Trusted Access AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts AWS > S3 > Bucket > Policy > Trusted Access > Accounts AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services AWS > S3 > Bucket > Policy > Trusted Access > Services AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit N/A AWS > S3 > Bucket > Policy Statements > Approved > Rules N/A N/A AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities N/A AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
Bug fixes
- We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.
Control Types
Added
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
Renamed
- AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
Policy Types
Added
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy > Trusted Access > Accounts
- AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Services
- AWS > S3 > Trusted Accounts [Default]
- AWS > S3 > Trusted Identity Providers [Default]
- AWS > S3 > Trusted Organizations [Default]
- AWS > S3 > Trusted Services [Default]
Renamed
- AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]
Action Types
Added
- AWS > S3 > Bucket > Set Policy Trusted Access
5.5.5 (2020-11-02)
Bug fixes
- The
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accountspolicy now acceptscloudfrontas a valid value for easier matching of CloudFront origin access identity (OAI) ARNs.
5.5.4 (2020-10-30)
Bug fixes
- We've updated the
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accountspolicy to only accept valid values in the form of AWS account IDs as strings or integers.
5.5.3 (2020-10-28)
Bug fixes
- We've fixed an issue that caused the
AWS > S3 > Bucket > Policy Statements > Approvedcontrol to incorrectly parse any bucket policy statements that contained a principal with a CloudFront Origin Access Identity user ARN, e.g.,arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC. - In several recent versions, we had released changes that we thought had fixed an error upserting a large amount of buckets in the
AWS > S3 > Bucket > Discoverycontrol. Turns out we were wrong and the issue still persists. Now we've included another fix that really should resolve the error and get the control running smoothly again.
5.5.2 (2020-10-27)
Bug fixes
- We have made further improvements to
AWS > S3 > Bucket > Discoverycontrols to ensure that they can handle large upserts into our CMDB more reliably without running into errors.
5.5.1 (2020-10-21)
Bug fixes
AWS > S3 > Bucket > Discoverycontrols would sometimes go into anerrorstate when we tried to upsert a large number of buckets into our CMDB. This issue has now been fixed.
5.5.0 (2020-10-15)
What's new?
- The title of
AWS > S3 > Bucket > Policy Statements > Approvedcontrol has been renamed to be consistent with other policy types & control types.
Control Types
Renamed
- AWS > S3 > Bucket > Policy to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy > Approved to AWS > S3 > Bucket > Policy Statements > Approved
5.4.4 (2020-10-14)
Bug fixes
- The CMDB data for buckets now always includes the
Versioning.MFADeleteproperty, which is set toDisabledby default (in the case that MFA delete has never been enabled before for the bucket).
5.4.3 (2020-09-22)
Bug fixes
- We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
5.4.2 (2020-09-15)
Bug fixes
- The descriptions of controls and policies of
AWS > S3 > Bucket > Encryption at RestandAWS > S3 > Bucket > Encryption in Transithave been improved to provide more details about their usage.
5.4.1 (2020-09-08)
Bug fixes
- After creating an S3 bucket with the same properties as an existing one, AWS will send a successful CloudTrail event instead of returning an error that the bucket already exists. When we received such events, the real-time event handler for buckets did not handle it properly, resulting in the metadata create timestamp getting updated incorrectly for the bucket and its policy. We now handle these events better and will not update metadata create timestamps for existing buckets and their policies.
5.4.0 (2020-09-03)
What's new?
- We've renamed the service's default regions policy from
Regions [Default]toRegionsto be consistent with our other regions policies.
5.3.11 (2020-08-14)
Bug fixes
- The
Policyfield for bucket resources is now properly and consistently sorted.
5.3.10 (2020-08-11)
Bug fixes
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
5.3.9 (2020-08-11)
Bug fixes
- In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
5.3.8 (2020-07-29)
Bug fixes
AWS > S3 > Bucket > Access Loggingcontrol will now remain in skipped state for Turbot managed logging buckets.
5.3.7 (2020-07-13)
Bug fixes
- Updated various resource configurations to provide better compatibility with AWS China regions.
5.3.6 (2020-07-11)
Bug fixes
- In AWS China, the
GetBucketAccelerateConfigurationAPI is not supported and throws an error if invoked. TheAWS > S3 > Bucket > CMDBcontrol was not handling this error correctly, which caused the control to move toerror. We've fixed this issue and the control is running smoothly again.
5.3.5 (2020-07-09)
Bug fixes
- When listing buckets through the AWS S3 API, the S3 service returns different results for the
CreationDatebased on the endpoint queried. Only queries to the endpoints in the S3 master regions (us-east-1,us-gov-west-1,cn-north-1) actually return theCreationDate, other endpoints incorrectly return the last modified timestamp. OurAWS > S3 > Bucket > Discoverycontrol made this API call without using the S3 master region endpoint, so theCreationDateproperty may have been incorrectly set to the (always later) last modified date. This has been fixed and now all buckets will first try to use the S3 master region and fall back to the specific region the control is running in when listing buckets. TheCreationDateproperty will now have the correct timestamp, unless access to the S3 master region is blocked in that account.
5.3.4 (2020-07-02)
Bug fixes
- While attempting to remove unapproved bucket policy statements in the
AWS > S3 > Bucket > Policy > Approvedcontrol, sometimes we would fail to remove statements that containedPrincipal: "*". This issue has been fixed.
5.3.3 (2020-06-29)
Bug fixes
- A duplicate permission in S3 was causing the
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3policy to fail compilation. This duplicate permission has been removed and the policy can compile again.
5.3.2 (2020-06-26)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g.,
[{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
5.3.1 (2020-06-26)
Bug fixes
- Several real-time events for buckets were not being handled properly, which sometimes resulted in outdated CMDB entries. These events included updates to CORS configurations, lifecycle rules, replication rules, and bucket public access block configurations. This issue has been fixed and all of these events now trigger CMDB updates properly.
- Several bucket CMDB properties were not being updated properly if they were enabled and then disabled in the AWS console. For instance, if default encryption was set to
AES-256and then set toNone, the bucket's CMDB entry would still have data indicating default encryption wasAES-256. This issue has been fixed and all properties should reflect the resource's current state. - The
AWS > S3 > Bucket > Encryption at Restcontrol would sometimes go into error state when a bucket was first created, even if theAWS > S3 > Bucket > Encryption at Restpolicy was set toSkip. This has been fixed.
Policy Types
Renamed
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > S3 to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
5.3.0 (2020-06-18)
Control Types
Added
- AWS > S3 > Bucket > Access Logging
Policy Types
Added
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Access Logging > Bucket
- AWS > S3 > Bucket > Access Logging > Key Prefix
Action Types
Added
- AWS > S3 > Bucket > Update Access Logging
5.2.0 (2020-06-15)
Policy Types
Added
- AWS > S3 > Bucket > Active > Budget
- AWS > S3 > Bucket > Approved > Budget
Action Types
Added
- AWS > S3 > Bucket > Set Encryption in Transit
Removed
- AWS > S3 > Bucket > Set Encryption At Transit
5.1.7 (2020-05-07)
Bug fixes
- The
AWS > S3 > Bucket > Encryption at Restcontrol would not update the bucket policy with the intended encryption at rest settings if the bucket did not have an existing bucket policy. This has been fixed. - When the
AWS > S3 > Bucket > Encryption at Restpolicy was set toEnforce: AWS managed key, the control was incorrectly adding a bucket policy statement that would only allow the KMS key in theAWS > S3 > Bucket > Encryption at Rest > Customer Managed Keypolicy, instead of only allowing the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting. - When the
AWS > S3 > Bucket > Encryption at Restpolicy was set toEnforce: Customer managed key, the control was incorrectly adding a bucket policy statement that would deny the KMS key in theAWS > S3 > Bucket > Encryption at Rest > Customer Managed Keypolicy, instead of denying the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting.
Policy Types
Renamed
- AWS > S3 > Bucket > Configured > Precedence to AWS > S3 > Bucket > Configured > Claim Precedence