@turbot/aws-s3

The aws-s3 mod contains resource, control and policy definitions for the AWS S3 service.

Resource Types

Resource types covered by this mod:

Permissions

The permissions covered by this mod and the grant level associated with each S3 permission:

Permission | Grant Level | Help
s3:AbortMultipartUpload | Operator |
s3:BypassGovernanceRetention | Admin |
s3:CreateAccessPoint | Admin |
s3:CreateAccessPointForObjectLambda | Admin |
s3:CreateBucket | Operator |
s3:CreateJob | Operator |
s3:CreateMultiRegionAccessPoint | Admin |
s3:DeleteAccessPoint | Admin |
s3:DeleteAccessPointForObjectLambda | Admin |
s3:DeleteAccessPointPolicy | Admin |
s3:DeleteAccessPointPolicyForObjectLambda | Admin |
s3:DeleteAccountPublicAccessBlock | Admin |
s3:DeleteBucket | Operator |
s3:DeleteBucketCors | Admin | TEMPORARY permission since CloudTrail events are different.
s3:DeleteBucketEncryption | Admin | TEMPORARY permission since CloudTrail events are different.
s3:DeleteBucketLifecycle | Admin | TEMPORARY permission since CloudTrail events are different.
s3:DeleteBucketLifecycleConfiguration | Admin |
s3:DeleteBucketOwnershipControls | Admin |
s3:DeleteBucketPolicy | Admin |
s3:DeleteBucketReplication | Admin | TEMPORARY permission since CloudTrail events are different.
s3:DeleteBucketTagging | Operator | TEMPORARY permission since CloudTrail events are different.
s3:DeleteBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work.
s3:DeleteJobTagging | Admin |
s3:DeleteMultiRegionAccessPoint | Admin |
s3:DeleteObject | Operator |
s3:DeleteObjectVersion | Operator |
s3:DeleteObjectVersionTagging | Operator |
s3:DeletePublicAccessBlock | Admin |
s3:DeleteReplicationConfiguration | Whitelist | Admins can delete the replication configuration set for the bucket.
s3:DeleteStorageLensConfiguration | Admin |
s3:DeleteStorageLensConfigurationTagging | Admin |
s3:DescribeJob | Metadata |
s3:DescribeMultiRegionAccessPointOperation | Metadata |
s3:GetAccelerateConfiguration | Metadata |
s3:GetAccessPoint | Metadata |
s3:GetAccessPointConfigurationForObjectLambda | Metadata |
s3:GetAccessPointForObjectLambda | Metadata |
s3:GetAccessPointPolicy | Metadata |
s3:GetAccessPointPolicyForObjectLambda | Metadata |
s3:GetAccessPointPolicyStatus | Metadata |
s3:GetAccessPointPolicyStatusForObjectLambda | Metadata |
s3:GetAccountPublicAccessBlock | Metadata |
s3:GetAnalyticsConfiguration | Metadata | Covers ListAnalyticsConfigurations.
s3:GetBucket | Metadata |
s3:GetBucketAcl | Metadata |
s3:GetBucketCORS | Metadata |
s3:GetBucketIntelligentTieringConfiguration | Metadata |
s3:GetBucketLocation | Metadata |
s3:GetBucketLogging | Metadata |
s3:GetBucketNotification | Metadata |
s3:GetBucketObjectLockConfiguration | Metadata |
s3:GetBucketOwnershipControls | Metadata |
s3:GetBucketPolicy | Metadata |
s3:GetBucketPolicyStatus | Metadata |
s3:GetBucketPublicAccessBlock | Metadata |
s3:GetBucketReplication | Metadata |
s3:GetBucketRequestPayment | Metadata |
s3:GetBucketTagging | Metadata |
s3:GetBucketVersioning | Metadata |
s3:GetBucketWebsite | Metadata |
s3:GetEncryptionConfiguration | Metadata |
s3:GetIntelligentTieringConfiguration | Metadata |
s3:GetInventoryConfiguration | Metadata | Covers ListInventoryConfigurations.
s3:GetJobTagging | Metadata |
s3:GetLifecycleConfiguration | Metadata |
s3:GetMetricsConfiguration | Metadata | Covers ListMetricsConfigurations.
s3:GetMultiRegionAccessPoint | Metadata |
s3:GetMultiRegionAccessPointPolicy | Metadata |
s3:GetMultiRegionAccessPointPolicyStatus | Metadata |
s3:GetMultiRegionAccessPointRoutes | Metadata |
s3:GetObject | ReadOnly |
s3:GetObjectAcl | Metadata |
s3:GetObjectLegalHold | Metadata |
s3:GetObjectLockConfiguration | Metadata |
s3:GetObjectRetention | Metadata |
s3:GetObjectTagging | Metadata |
s3:GetObjectTorrent | ReadOnly |
s3:GetObjectVersion | ReadOnly |
s3:GetObjectVersionAcl | Metadata |
s3:GetObjectVersionForReplication | ReadOnly |
s3:GetObjectVersionTagging | Metadata | Retrieves the tags of an earlier object version. See http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGETtagging.html.
s3:GetObjectVersionTorrent | ReadOnly |
s3:GetPublicAccessBlock | Metadata |
s3:GetReplicationConfiguration | Metadata |
s3:GetStorageLensConfiguration | Metadata |
s3:GetStorageLensConfigurationTagging | Metadata |
s3:GetStorageLensDashboard | Metadata |
s3:HeadBucket | Metadata | Helps to determine whether a bucket exists and you have permission to access it.
s3:HeadObject | ReadOnly | The HEAD operation retrieves metadata from an object without returning the object itself. It depends on the s3:GetObject permission. This operation is useful if you are only interested in an object's metadata.
s3:ListAccessPoints | Metadata |
s3:ListAccessPointsForObjectLambda | Metadata |
s3:ListAllMyBuckets | Metadata |
s3:ListBucket | Metadata |
s3:ListBucketByTags | Metadata |
s3:ListBucketIntelligentTieringConfigurations | Metadata |
s3:ListBucketMultipartUploads | Metadata |
s3:ListBucketVersions | Metadata |
s3:ListJobs | Metadata |
s3:ListMultipartUploadParts | Metadata |
s3:ListMultiRegionAccessPoints | Metadata |
s3:ListRegionalBuckets | Metadata |
s3:ListStorageLensConfigurations | Metadata |
s3:ObjectOwnerOverrideToBucketOwner | Admin |
s3:PutAccelerateConfiguration | Admin | Admins can manage transfer acceleration for buckets.
s3:PutAccessPointConfigurationForObjectLambda | Admin |
s3:PutAccessPointPolicy | Admin |
s3:PutAccessPointPolicyForObjectLambda | Admin |
s3:PutAccessPointPublicAccessBlock | Admin |
s3:PutAccountPublicAccessBlock | Admin |
s3:PutAnalyticsConfiguration | Admin | Covers DeleteAnalyticsConfiguration.
s3:PutBucketAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
s3:PutBucketCORS | Whitelist | Can be used for cross-account access.
s3:PutBucketIntelligentTieringConfiguration | Admin |
s3:PutBucketLogging | Whitelist | Turbot automates logging settings.
s3:PutBucketNotification | Operator |
s3:PutBucketObjectLockConfiguration | Admin |
s3:PutBucketOwnershipControls | Admin |
s3:PutBucketPolicy | Admin |
s3:PutBucketPublicAccessBlock | Admin |
s3:PutBucketReplication | Whitelist |
s3:PutBucketRequestPayment | None | Can be used for cross-account access.
s3:PutBucketTagging | Operator | Covers DeleteBucketTagging.
s3:PutBucketVersioning | Operator |
s3:PutBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work.
s3:PutEncryptionConfiguration | Admin |
s3:PutIntelligentTieringConfiguration | Admin |
s3:PutInventoryConfiguration | Admin | Covers DeleteInventoryConfiguration.
s3:PutJobTagging | Admin |
s3:PutLifecycleConfiguration | Admin | Bucket management is restricted to Admins. Covers PutBucketLifecycle; PutBucketLifecycleConfiguration; DeleteBucketLifecycle.
s3:PutMetricsConfiguration | Admin | Covers DeleteMetricsConfiguration.
s3:PutMultiRegionAccessPointPolicy | Admin |
s3:PutObject | Operator | Covers CompleteMultipartUpload; CreateMultipartUpload; UploadPart; UploadPartCopy.
s3:PutObjectAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
s3:PutObjectLegalHold | Admin |
s3:PutObjectLockConfiguration | Admin |
s3:PutObjectRetention | Operator |
s3:PutObjectTagging | Operator | Covers DeleteObjectTagging.
s3:PutObjectVersionAcl | Whitelist | Per AWS guidelines, Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
s3:PutObjectVersionTagging | Operator | Enables associating a tag with an object based on its versionId. See http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTtagging.html.
s3:PutPublicAccessBlock | Admin |
s3:PutReplicationConfiguration | Whitelist | In a versioning-enabled bucket, Admins can create a replication configuration (or replace an existing one if present). Can also be used for cross-account access.
s3:PutStorageLensConfiguration | Admin |
s3:PutStorageLensConfigurationTagging | Admin |
s3:ReplicateDelete | Whitelist |
s3:ReplicateObject | Whitelist |
s3:ReplicateTags | Whitelist |
s3:RestoreObject | Operator |
s3:SelectObjectContent | ReadOnly |
s3:SubmitMultiRegionAccessPointRoutes | Admin |
s3:UpdateJobPriority | Operator |
s3:UpdateJobStatus | Operator |
s3:WriteGetObjectResponse | Admin |

Version
5.22.0
Released On
Sep 06, 2023

Release Notes

5.22.0 (2023-09-06)

What's new?

  • AWS/S3/Admin and AWS/S3/Metadata now include permissions for Multi-Region Access Point Routes.

5.21.0 (2023-05-29)

What's new?

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

5.20.0 (2023-04-06)

What's new?

  • Added support for aws_s3_bucket_policy Terraform resource for AWS > S3 > Bucket.

Bug fixes

  • We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

5.19.0 (2023-03-15)

What's new?

  • Added support for aws_s3_bucket_lifecycle_configuration and aws_s3_bucket_acl Terraform resources for AWS > S3 > Bucket.

5.18.0 (2022-12-08)

What's new?

  • Users can now validate Principal Organization Paths (aws:PrincipalOrgPaths) in bucket policy conditions. To get started, set the AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions policy.

Policy Types

Added

  • AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions

5.17.3 (2022-11-01)

Bug fixes

  • The AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions policy now also supports ForAnyValue:StringLike operator for the aws:PrincipalOrgPaths condition.

5.17.2 (2022-08-23)

Action Types

Removed

  • AWS > S3 > Bucket > Disable Encryption in Transit

5.17.1 (2022-08-18)

Bug fixes

  • The AWS > S3 > Bucket > Disable all Block Public Access settings and AWS > S3 > Bucket > Enable all Block Public Access settings quick actions would not show up on the Turbot console due to incorrect internal references. This is fixed and you will now be able to Enable/Disable Block Public Access settings on S3 Buckets with a click of a button.

5.17.0 (2022-07-25)

What's new?

  • In v5.6.0, we deprecated the AWS > S3 > Bucket > Policy Statements > Approved control and its policies in favour of the new AWS > S3 > Bucket > Policy > Trusted Access control; however, because the AWS > S3 > Bucket > Policy Statements > Approved > Rules policy adds Object Control List (OCL) functionality which is not available in AWS > S3 > Bucket > Policy > Trusted Access > Approved control, this policy is still useful.

    The AWS > S3 > Bucket > Policy Statements > Approved control, and the AWS > S3 > Bucket > Policy Statements > Approved > Rules, AWS > S3 > Bucket > Policy Statements > Approved > Encryption In Transit, AWS > S3 > Bucket > Policy Statements > Approved > Encryption At Rest and AWS > S3 > Bucket > Policy Statements > Approved > Compiled Rules policies are no longer considered deprecated and are available for use again.

Control Types

Renamed

  • AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved

Policy Types

Renamed

  • AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
  • AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]

5.16.0 (2022-07-19)

Action Types

Added

  • AWS > S3 > Bucket > Disable Encryption in Transit
  • AWS > S3 > Bucket > Disable all Block Public Access settings
  • AWS > S3 > Bucket > Enable Encryption in Transit
  • AWS > S3 > Bucket > Enable all Block Public Access settings
  • AWS > S3 > Bucket > Set Encryption at Rest to AWS Managed Key
  • AWS > S3 > Bucket > Set Encryption at Rest to AWS SSE
  • AWS > S3 > Bucket > Set Encryption at Rest to Customer Managed Key
  • AWS > S3 > Bucket > Set Encryption at Rest to None

5.15.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.15.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Action Types

Added

  • AWS > S3 > Bucket > Disable Versioning
  • AWS > S3 > Bucket > Enable Versioning
  • AWS > S3 > Bucket > Set Tags
  • AWS > S3 > Bucket > Skip alarm for Active control
  • AWS > S3 > Bucket > Skip alarm for Active control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Approved control
  • AWS > S3 > Bucket > Skip alarm for Approved control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Encryption at Rest control
  • AWS > S3 > Bucket > Skip alarm for Encryption at Rest control [90 days]
  • AWS > S3 > Bucket > Skip alarm for Tags control
  • AWS > S3 > Bucket > Skip alarm for Tags control [90 days]

5.14.0 (2022-06-01)

What's new?

  • The AWS > S3 > Bucket CMDB will now also include information about Object Lock Configuration on the bucket.

5.13.0 (2022-02-14)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

Policy Types

Added

  • AWS > S3 > Bucket > Approved > Custom

5.12.0 (2022-01-04)

What's new?

  • AWS/S3/Admin and AWS/S3/Metadata now include permissions for Access Point, Bucket Intelligent Tiering Configuration and Bucket Ownership Controls.

5.11.0 (2021-07-20)

What's new?

  • AWS/S3 permission levels now include Job, Object Lock Config, Public Access Block and Replicate related permissions.

5.10.0 (2021-07-09)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.9.0 (2021-06-24)

What's new?

  • AWS/S3/Admin now includes storage lens management permissions.

5.8.1 (2021-04-27)

Bug fixes

  • We've improved the descriptions for AWS > S3 > Bucket > Public Access Block > Settings and AWS > S3 > Account > Public Access Block > Settings policies to clearly indicate what each policy value means.

5.8.0 (2021-02-18)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • The AWS > S3 > Bucket > Active control will now check if an inactive bucket is empty before attempting to delete it to avoid errors.

5.7.0 (2021-02-05)

What's new?

  • In a previous version, we added the AWS > S3 > Bucket > Policy > Trusted Access control to help you manage who can access your buckets based on their bucket policies. To further help you secure your buckets, we've added the AWS > S3 > Bucket > ACL > Trusted Access control, which allows you to configure which AWS accounts and groups can be granted access through the bucket's access control list (ACL).

    To get started with this new control, please review the AWS > S3 > Bucket > ACL > Trusted Access policy and its subpolicies.

Control Types

Added

  • AWS > S3 > Bucket > ACL
  • AWS > S3 > Bucket > ACL > Trusted Access

Policy Types

Added

  • AWS > S3 > Bucket > ACL
  • AWS > S3 > Bucket > ACL > Trusted Access
  • AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
  • AWS > S3 > Bucket > ACL > Trusted Access > Groups

Action Types

Added

  • AWS > S3 > Bucket > Set ACL Trusted Access

5.6.6 (2021-01-14)

Bug fixes

  • The AWS > S3 > Bucket > CMDB control will now show a proper error message if we are unable to call s3:HeadBucket due to a Forbidden error.

5.6.5 (2021-01-07)

What's new?

  • The AWS > S3 > Bucket > Public Access Block control will now display the result for each public access block setting in the control data to easily identify if any setting is not set according to the AWS > S3 > Bucket > Public Access Block > Settings policy.

5.6.4 (2020-12-28)

Bug fixes

  • We've improved the consistency of error notification messages for several bucket controls, like the AWS > S3 > Bucket > Public Access Block control.

5.6.3 (2020-12-17)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • The AWS > S3 > Policy Statements [Deprecated] > Approved [Deprecated] policy description had incorrect references to VPC security groups. This issue has now been fixed.

5.6.2 (2020-12-11)

Bug fixes

  • For buckets created via a CloudFormation stack, the AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit controls would sometimes create their bucket policies before the stack finished creating its bucket policies. This would result in the CloudFormation stack rolling back due to a bucket policy conflict. This issue is now fixed and the controls will now wait a few minutes before creating or updating bucket policies on new S3 buckets created through CloudFormation stacks to prevent conflicts.

5.6.1 (2020-12-07)

Bug fixes

  • We've optimized the GraphQL queries for various controls when they're in the tbd and skipped states. You won't notice any difference but they should run a lot lighter now.

5.6.0 (2020-12-04)

Warning

  • The AWS > S3 > Bucket > Policy Statements > Approved control has been deprecated and replaced by the AWS > S3 > Bucket > Policy > Trusted Access control. In the next major version (v6.0.0), the AWS > S3 > Bucket > Policy Statements > Approved control will be removed.

    Please note that a key difference between these controls is that the new AWS > S3 > Bucket > Policy > Trusted Access control will only check bucket policy statements that grant access with "Effect": "Allow", so statements like Turbot's encryption in transit statement that denies any S3 action not using aws:SecureTransport will not be checked by this control.

    We recommend that you migrate any AWS > S3 > Bucket > Policy Statements > Approved policy settings currently set in your workspace to instead use the new AWS > S3 > Bucket > Policy > Trusted Access policies based on the mappings below:

    Old Policy | New Policy
    AWS > S3 > Bucket > Policy Statements > Approved | AWS > S3 > Bucket > Policy > Trusted Access
    AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers | AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
    AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts | AWS > S3 > Bucket > Policy > Trusted Access > Accounts
    AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services | AWS > S3 > Bucket > Policy > Trusted Access > Services
    AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
    AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit | N/A
    AWS > S3 > Bucket > Policy Statements > Approved > Rules | N/A
    N/A | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
    N/A | AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
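    As an added illustration of the distinction this warning draws (example code written for this page, not Turbot's own implementation), the following Python evaluates a constructed bucket policy the way the note describes: only "Effect": "Allow" statements are considered, so the aws:SecureTransport Deny statement is left untouched, and a statement whose Condition pins aws:PrincipalOrgPaths with StringLike or ForAnyValue:StringLike (as in the 5.17.3 and 5.18.0 notes) is accepted when its path matches an allowed pattern. The trusted account list, the allowed org-path patterns, the sample policy and the matching rules are assumptions.

```python
"""Evaluate S3 bucket policy statements the way the Trusted Access note
describes: Deny statements are skipped; Allow statements are checked against
a trusted-account list and an aws:PrincipalOrgPaths condition.
Illustrative code for this page, not Turbot's implementation."""
import fnmatch
import json
import re

# Matches the 12-digit account ID in an IAM ARN such as arn:aws:iam::111111111111:root
ACCOUNT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Condition operators accepted for the org-path check (assumption for this example).
ORG_PATH_OPERATORS = ("StringLike", "ForAnyValue:StringLike",
                      "StringEquals", "ForAnyValue:StringEquals")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Return only the statements that grant access ("Effect": "Allow").
    Deny statements, e.g. the aws:SecureTransport guard, are never evaluated."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"]


def principal_accounts(statement):
    """Account IDs (or "*") named by the AWS principals of a statement.
    Service and Federated principals are out of scope for this example."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for entry in _as_list(principal.get("AWS", [])):
        match = ACCOUNT_ARN_RE.match(entry)
        found.add(match.group(1) if match else entry)  # bare account ID or "*"
    return found


def org_paths_restricted(statement, allowed_path_patterns):
    """True when the statement's Condition limits aws:PrincipalOrgPaths and every
    listed path matches one of the allowed patterns (fnmatch-style, assumed)."""
    condition = statement.get("Condition", {})
    for operator in ORG_PATH_OPERATORS:
        paths = _as_list(condition.get(operator, {}).get("aws:PrincipalOrgPaths", []))
        if paths and all(any(fnmatch.fnmatchcase(path, pattern)
                             for pattern in allowed_path_patterns)
                         for path in paths):
            return True
    return False


def untrusted_statements(policy, trusted_accounts, allowed_org_paths=()):
    """Sids of Allow statements whose principals are neither in the trusted
    account list nor restricted to an allowed organization path."""
    # Account IDs may be given as strings or integers (see the 5.5.4 note).
    trusted = {str(account) for account in trusted_accounts}
    flagged = []
    for statement in allow_statements(policy):
        if principal_accounts(statement) <= trusted:
            continue
        if org_paths_restricted(statement, allowed_org_paths):
            continue
        flagged.append(statement.get("Sid", "<no Sid>"))
    return flagged


# Constructed sample policy: a Deny guard, a trusted partner account,
# an org-path-restricted statement and a public statement.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"ForAnyValue:StringLike":
                   {"aws:PrincipalOrgPaths": "o-exampleorg/r-exmp/ou-exmp-11111111/*"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    # Only PublicRead should be flagged with these (assumed) policy settings.
    print(untrusted_statements(SAMPLE_POLICY, [111111111111], ["o-exampleorg/r-exmp/*"]))
```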

Bug fixes

  • We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.

Control Types

Added

  • AWS > S3 > Bucket > Policy
  • AWS > S3 > Bucket > Policy > Trusted Access

Renamed

  • AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]

Policy Types

Added

  • AWS > S3 > Bucket > Policy
  • AWS > S3 > Bucket > Policy > Trusted Access
  • AWS > S3 > Bucket > Policy > Trusted Access > Accounts
  • AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
  • AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
  • AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
  • AWS > S3 > Bucket > Policy > Trusted Access > Services
  • AWS > S3 > Trusted Accounts [Default]
  • AWS > S3 > Trusted Identity Providers [Default]
  • AWS > S3 > Trusted Organizations [Default]
  • AWS > S3 > Trusted Services [Default]

Renamed

  • AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
  • AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]

Action Types

Added

  • AWS > S3 > Bucket > Set Policy Trusted Access

5.5.5 (2020-11-02)

Bug fixes

5.5.4 (2020-10-30)

Bug fixes

  • We've updated the AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts policy to only accept valid values in the form of AWS account IDs as strings or integers.

5.5.3 (2020-10-28)

Bug fixes

  • We've fixed an issue that caused the AWS > S3 > Bucket > Policy Statements > Approved control to incorrectly parse any bucket policy statements that contained a principal with a CloudFront Origin Access Identity user ARN, e.g., arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC.
  • In several recent versions, we had released changes that we thought had fixed an error upserting a large amount of buckets in the AWS > S3 > Bucket > Discovery control. Turns out we were wrong and the issue still persists. Now we've included another fix that really should resolve the error and get the control running smoothly again.

5.5.2 (2020-10-27)

Bug fixes

  • We have made further improvements to AWS > S3 > Bucket > Discovery controls to ensure that they can handle large upserts into our CMDB more reliably without running into errors.

5.5.1 (2020-10-21)

Bug fixes

  • AWS > S3 > Bucket > Discovery controls would sometimes go into an error state when we tried to upsert a large number of buckets into our CMDB. This issue has now been fixed.

5.5.0 (2020-10-15)

What's new?

  • The title of the AWS > S3 > Bucket > Policy Statements > Approved control has been renamed to be consistent with other policy types and control types.

Control Types

Renamed

  • AWS > S3 > Bucket > Policy to AWS > S3 > Bucket > Policy Statements
  • AWS > S3 > Bucket > Policy > Approved to AWS > S3 > Bucket > Policy Statements > Approved

5.4.4 (2020-10-14)

Bug fixes

  • The CMDB data for buckets now always includes the Versioning.MFADelete property, which is set to Disabled by default (in the case that MFA delete has never been enabled before for the bucket).

5.4.3 (2020-09-22)

Bug fixes

  • We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.4.2 (2020-09-15)

Bug fixes

  • The descriptions of controls and policies of AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit have been improved to provide more details about their usage.

5.4.1 (2020-09-08)

Bug fixes

  • After creating an S3 bucket with the same properties as an existing one, AWS will send a successful CloudTrail event instead of returning an error that the bucket already exists. When we received such events, the real-time event handler for buckets did not handle it properly, resulting in the metadata create timestamp getting updated incorrectly for the bucket and its policy. We now handle these events better and will not update metadata create timestamps for existing buckets and their policies.

5.4.0 (2020-09-03)

What's new?

  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

5.3.11 (2020-08-14)

Bug fixes

  • The Policy field for bucket resources is now properly and consistently sorted.

5.3.10 (2020-08-11)

Bug fixes

  • Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.

5.3.9 (2020-08-11)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.3.8 (2020-07-29)

Bug fixes

  • AWS > S3 > Bucket > Access Logging control will now remain in skipped state for Turbot managed logging buckets.

5.3.7 (2020-07-13)

Bug fixes

  • Updated various resource configurations to provide better compatibility with AWS China regions.

5.3.6 (2020-07-11)

Bug fixes

  • In AWS China, the GetBucketAccelerateConfiguration API is not supported and throws an error if invoked. The AWS > S3 > Bucket > CMDB control was not handling this error correctly, which caused the control to move to error. We've fixed this issue and the control is running smoothly again.

5.3.5 (2020-07-09)

Bug fixes

  • When listing buckets through the AWS S3 API, the S3 service returns different results for the CreationDate based on the endpoint queried. Only queries to the endpoints in the S3 master regions (us-east-1, us-gov-west-1, cn-north-1) actually return the CreationDate, other endpoints incorrectly return the last modified timestamp. Our AWS > S3 > Bucket > Discovery control made this API call without using the S3 master region endpoint, so the CreationDate property may have been incorrectly set to the (always later) last modified date. This has been fixed and now all buckets will first try to use the S3 master region and fall back to the specific region the control is running in when listing buckets. The CreationDate property will now have the correct timestamp, unless access to the S3 master region is blocked in that account.

5.3.4 (2020-07-02)

Bug fixes

  • While attempting to remove unapproved bucket policy statements in the AWS > S3 > Bucket > Policy > Approved control, sometimes we would fail to remove statements that contained Principal: "*". This issue has been fixed.

5.3.3 (2020-06-29)

Bug fixes

  • A duplicate permission in S3 was causing the AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3 policy to fail compilation. This duplicate permission has been removed and the policy can compile again.

5.3.2 (2020-06-26)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.3.1 (2020-06-26)

Bug fixes

  • Several real-time events for buckets were not being handled properly, which sometimes resulted in outdated CMDB entries. These events included updates to CORS configurations, lifecycle rules, replication rules, and bucket public access block configurations. This issue has been fixed and all of these events now trigger CMDB updates properly.
  • Several bucket CMDB properties were not being updated properly if they were enabled and then disabled in the AWS console. For instance, if default encryption was set to AES-256 and then set to None, the bucket's CMDB entry would still have data indicating default encryption was AES-256. This issue has been fixed and all properties should reflect the resource's current state.
  • The AWS > S3 > Bucket > Encryption at Rest control would sometimes go into error state when a bucket was first created, even if the AWS > S3 > Bucket > Encryption at Rest policy was set to Skip. This has been fixed.

Policy Types

Renamed

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > S3 to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3

5.3.0 (2020-06-18)

Control Types

Added

  • AWS > S3 > Bucket > Access Logging

Policy Types

Added

  • AWS > S3 > Bucket > Access Logging
  • AWS > S3 > Bucket > Access Logging > Bucket
  • AWS > S3 > Bucket > Access Logging > Key Prefix

Action Types

Added

  • AWS > S3 > Bucket > Update Access Logging

5.2.0 (2020-06-15)

Policy Types

Added

  • AWS > S3 > Bucket > Active > Budget
  • AWS > S3 > Bucket > Approved > Budget

Action Types

Added

  • AWS > S3 > Bucket > Set Encryption in Transit

Removed

  • AWS > S3 > Bucket > Set Encryption At Transit

5.1.7 (2020-05-07)

Bug fixes

  • The AWS > S3 > Bucket > Encryption at Rest control would not update the bucket policy with the intended encryption at rest settings if the bucket did not have an existing bucket policy. This has been fixed.
  • When the AWS > S3 > Bucket > Encryption at Rest policy was set to Enforce: AWS managed key, the control was incorrectly adding a bucket policy statement that would only allow the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of only allowing the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting.
  • When the AWS > S3 > Bucket > Encryption at Rest policy was set to Enforce: Customer managed key, the control was incorrectly adding a bucket policy statement that would deny the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of denying the AWS KMS key. This statement has been fixed and is now enforcing the correct encryption at rest setting.

Policy Types

Renamed

  • AWS > S3 > Bucket > Configured > Precedence to AWS > S3 > Bucket > Configured > Claim Precedence