@turbot/aws-s3
The aws-s3 mod contains resource, control and policy definitions for the AWS S3 service.
Resource Types
Resource types covered by this mod:
Permissions
The permissions for S3 and the grant level associated with each:
Permission | Grant Level | Help |
---|---|---|
s3:AbortMultipartUpload | Operator | |
s3:BypassGovernanceRetention | Admin | |
s3:CreateAccessPoint | Admin | |
s3:CreateAccessPointForObjectLambda | Admin | |
s3:CreateBucket | Operator | |
s3:CreateJob | Operator | |
s3:CreateMultiRegionAccessPoint | Admin | |
s3:DeleteAccessPoint | Admin | |
s3:DeleteAccessPointForObjectLambda | Admin | |
s3:DeleteAccessPointPolicy | Admin | |
s3:DeleteAccessPointPolicyForObjectLambda | Admin | |
s3:DeleteAccountPublicAccessBlock | Admin | |
s3:DeleteBucket | Operator | |
s3:DeleteBucketCors | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketEncryption | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketLifecycle | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketLifecycleConfiguration | Admin | |
s3:DeleteBucketOwnershipControls | Admin | |
s3:DeleteBucketPolicy | Admin | |
s3:DeleteBucketReplication | Admin | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketTagging | Operator | TEMPORARY permission since CloudTrail events are different |
s3:DeleteBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
s3:DeleteJobTagging | Admin | |
s3:DeleteMultiRegionAccessPoint | Admin | |
s3:DeleteObject | Operator | |
s3:DeleteObjectVersion | Operator | |
s3:DeleteObjectVersionTagging | Operator | |
s3:DeletePublicAccessBlock | Admin | |
s3:DeleteReplicationConfiguration | Whitelist | Admins can delete the replication configuration set for the bucket. |
s3:DeleteStorageLensConfiguration | Admin | |
s3:DeleteStorageLensConfigurationTagging | Admin | |
s3:DescribeJob | Metadata | |
s3:DescribeMultiRegionAccessPointOperation | Metadata | |
s3:GetAccelerateConfiguration | Metadata | |
s3:GetAccessPoint | Metadata | |
s3:GetAccessPointConfigurationForObjectLambda | Metadata | |
s3:GetAccessPointForObjectLambda | Metadata | |
s3:GetAccessPointPolicy | Metadata | |
s3:GetAccessPointPolicyForObjectLambda | Metadata | |
s3:GetAccessPointPolicyStatus | Metadata | |
s3:GetAccessPointPolicyStatusForObjectLambda | Metadata | |
s3:GetAccountPublicAccessBlock | Metadata | |
s3:GetAnalyticsConfiguration | Metadata | Covers ListAnalyticsConfigurations. |
s3:GetBucket | Metadata | |
s3:GetBucketAcl | Metadata | |
s3:GetBucketCORS | Metadata | |
s3:GetBucketIntelligentTieringConfiguration | Metadata | |
s3:GetBucketLocation | Metadata | |
s3:GetBucketLogging | Metadata | |
s3:GetBucketNotification | Metadata | |
s3:GetBucketObjectLockConfiguration | Metadata | |
s3:GetBucketOwnershipControls | Metadata | |
s3:GetBucketPolicy | Metadata | |
s3:GetBucketPolicyStatus | Metadata | |
s3:GetBucketPublicAccessBlock | Metadata | |
s3:GetBucketReplication | Metadata | |
s3:GetBucketRequestPayment | Metadata | |
s3:GetBucketTagging | Metadata | |
s3:GetBucketVersioning | Metadata | |
s3:GetBucketWebsite | Metadata | |
s3:GetEncryptionConfiguration | Metadata | |
s3:GetIntelligentTieringConfiguration | Metadata | |
s3:GetInventoryConfiguration | Metadata | Covers ListInventoryConfigurations. |
s3:GetJobTagging | Metadata | |
s3:GetLifecycleConfiguration | Metadata | |
s3:GetMetricsConfiguration | Metadata | Covers ListMetricsConfigurations. |
s3:GetMultiRegionAccessPoint | Metadata | |
s3:GetMultiRegionAccessPointPolicy | Metadata | |
s3:GetMultiRegionAccessPointPolicyStatus | Metadata | |
s3:GetMultiRegionAccessPointRoutes | Metadata | |
s3:GetObject | ReadOnly | |
s3:GetObjectAcl | Metadata | |
s3:GetObjectLegalHold | Metadata | |
s3:GetObjectLockConfiguration | Metadata | |
s3:GetObjectRetention | Metadata | |
s3:GetObjectTagging | Metadata | |
s3:GetObjectTorrent | ReadOnly | |
s3:GetObjectVersion | ReadOnly | |
s3:GetObjectVersionAcl | Metadata | |
s3:GetObjectVersionForReplication | ReadOnly | |
s3:GetObjectVersionTagging | Metadata | Retrieves the tags of an earlier object version. - http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGETtagging.html. |
s3:GetObjectVersionTorrent | ReadOnly | |
s3:GetPublicAccessBlock | Metadata | |
s3:GetReplicationConfiguration | Metadata | |
s3:GetStorageLensConfiguration | Metadata | |
s3:GetStorageLensConfigurationTagging | Metadata | |
s3:GetStorageLensDashboard | Metadata | |
s3:HeadBucket | Metadata | Helps to determine if a bucket exists and you have permission to access it. |
s3:HeadObject | ReadOnly | The HEAD operation retrieves metadata from an object without returning the object itself. This depends on the s3:GetObject permission. This operation is useful if you're only interested in an object's metadata. |
s3:ListAccessPoints | Metadata | |
s3:ListAccessPointsForObjectLambda | Metadata | |
s3:ListAllMyBuckets | Metadata | |
s3:ListBucket | Metadata | |
s3:ListBucketByTags | Metadata | |
s3:ListBucketIntelligentTieringConfigurations | Metadata | |
s3:ListBucketMultipartUploads | Metadata | |
s3:ListBucketVersions | Metadata | |
s3:ListJobs | Metadata | |
s3:ListMultipartUploadParts | Metadata | |
s3:ListMultiRegionAccessPoints | Metadata | |
s3:ListRegionalBuckets | Metadata | |
s3:ListStorageLensConfigurations | Metadata | |
s3:ObjectOwnerOverrideToBucketOwner | Admin | |
s3:PutAccelerateConfiguration | Admin | Admins can manage transfer acceleration for buckets. |
s3:PutAccessPointConfigurationForObjectLambda | Admin | |
s3:PutAccessPointPolicy | Admin | |
s3:PutAccessPointPolicyForObjectLambda | Admin | |
s3:PutAccessPointPublicAccessBlock | Admin | |
s3:PutAccountPublicAccessBlock | Admin | |
s3:PutAnalyticsConfiguration | Admin | Covers DeleteAnalyticsConfiguration. |
s3:PutBucketAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutBucketCORS | Whitelist | Can be used for cross-account access. |
s3:PutBucketIntelligentTieringConfiguration | Admin | |
s3:PutBucketLogging | Whitelist | Turbot automates logging settings. |
s3:PutBucketNotification | Operator | |
s3:PutBucketObjectLockConfiguration | Admin | |
s3:PutBucketOwnershipControls | Admin | |
s3:PutBucketPolicy | Admin | |
s3:PutBucketPublicAccessBlock | Admin | |
s3:PutBucketReplication | Whitelist | |
s3:PutBucketRequestPayment | None | Can be used for cross-account access. |
s3:PutBucketTagging | Operator | Covers DeleteBucketTagging. |
s3:PutBucketVersioning | Operator | |
s3:PutBucketWebsite | Admin | Website management is safe but requires anonymous access to be granted to the bucket for it to work. |
s3:PutEncryptionConfiguration | Admin | |
s3:PutIntelligentTieringConfiguration | Admin | |
s3:PutInventoryConfiguration | Admin | Covers DeleteInventoryConfiguration. |
s3:PutJobTagging | Admin | |
s3:PutLifecycleConfiguration | Admin | Bucket management is restricted to Admins. Covers PutBucketLifecycle; PutBucketLifecycleConfiguration; DeleteBucketLifecycle. |
s3:PutMetricsConfiguration | Admin | Covers DeleteMetricsConfiguration. |
s3:PutMultiRegionAccessPointPolicy | Admin | |
s3:PutObject | Operator | Covers CompleteMultipartUpload; CreateMultipartUpload; UploadPart; UploadPartCopy. |
s3:PutObjectAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutObjectLegalHold | Admin | |
s3:PutObjectLockConfiguration | Admin | |
s3:PutObjectRetention | Operator | |
s3:PutObjectTagging | Operator | Covers DeleteObjectTagging. |
s3:PutObjectVersionAcl | Whitelist | Per AWS guidelines Turbot considers ACLs deprecated but still supports them through an option - http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc |
s3:PutObjectVersionTagging | Operator | Enables associating tags with an object based on its versionId. http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTtagging.html. |
s3:PutPublicAccessBlock | Admin | |
s3:PutReplicationConfiguration | Whitelist | In a versioning-enabled bucket, Admins can create a replication configuration (or replace an existing one if present); it can also be used for cross-account access. |
s3:PutStorageLensConfiguration | Admin | |
s3:PutStorageLensConfigurationTagging | Admin | |
s3:ReplicateDelete | Whitelist | |
s3:ReplicateObject | Whitelist | |
s3:ReplicateTags | Whitelist | |
s3:RestoreObject | Operator | |
s3:SelectObjectContent | ReadOnly | |
s3:SubmitMultiRegionAccessPointRoutes | Admin | |
s3:UpdateJobPriority | Operator | |
s3:UpdateJobStatus | Operator | |
s3:WriteGetObjectResponse | Admin | |
Recommended Version
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
@turbot/aws-iam ^5.1.0
@turbot/aws-kms ^5.0.0
Resource Types
Control Types
- AWS > S3 > Account > CMDB
- AWS > S3 > Account > Discovery
- AWS > S3 > Account > Public Access Block
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Active
- AWS > S3 > Bucket > Approved
- AWS > S3 > Bucket > CMDB
- AWS > S3 > Bucket > Configured
- AWS > S3 > Bucket > Discovery
- AWS > S3 > Bucket > Encryption at Rest
- AWS > S3 > Bucket > Encryption in Transit
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Public Access Block
- AWS > S3 > Bucket > Tags
- AWS > S3 > Bucket > Usage
- AWS > S3 > Bucket > Versioning
Policy Types
- AWS > S3 > API Enabled
- AWS > S3 > Account > CMDB
- AWS > S3 > Account > Public Access Block
- AWS > S3 > Account > Public Access Block > Settings
- AWS > S3 > Approved Regions [Default]
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
- AWS > S3 > Bucket > ACL > Trusted Access > Groups
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Access Logging > Bucket
- AWS > S3 > Bucket > Access Logging > Key Prefix
- AWS > S3 > Bucket > Active
- AWS > S3 > Bucket > Active > Age
- AWS > S3 > Bucket > Active > Budget
- AWS > S3 > Bucket > Active > Last Modified
- AWS > S3 > Bucket > Approved
- AWS > S3 > Bucket > Approved > Budget
- AWS > S3 > Bucket > Approved > Custom
- AWS > S3 > Bucket > Approved > Regions
- AWS > S3 > Bucket > Approved > Usage
- AWS > S3 > Bucket > CMDB
- AWS > S3 > Bucket > Configured
- AWS > S3 > Bucket > Configured > Claim Precedence
- AWS > S3 > Bucket > Configured > Source
- AWS > S3 > Bucket > Encryption at Rest
- AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key
- AWS > S3 > Bucket > Encryption in Transit
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy > Trusted Access > Accounts
- AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Services
- AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
- AWS > S3 > Bucket > Policy Statements > Approved > Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
- AWS > S3 > Bucket > Public Access Block
- AWS > S3 > Bucket > Public Access Block > Settings
- AWS > S3 > Bucket > Regions
- AWS > S3 > Bucket > Tags
- AWS > S3 > Bucket > Tags > Template
- AWS > S3 > Bucket > Usage
- AWS > S3 > Bucket > Usage > Limit
- AWS > S3 > Bucket > Versioning
- AWS > S3 > Enabled
- AWS > S3 > Permissions
- AWS > S3 > Permissions > Levels
- AWS > S3 > Permissions > Levels > ACL Administration
- AWS > S3 > Permissions > Levels > Access Logging Administration
- AWS > S3 > Permissions > Levels > CORS Administration
- AWS > S3 > Permissions > Levels > Cross Replication Administration
- AWS > S3 > Permissions > Levels > Modifiers
- AWS > S3 > Permissions > Lockdown
- AWS > S3 > Permissions > Lockdown > API Boundary
- AWS > S3 > Regions
- AWS > S3 > Tags Template [Default]
- AWS > S3 > Trusted Accounts [Default]
- AWS > S3 > Trusted Identity Providers [Default]
- AWS > S3 > Trusted Organizations [Default]
- AWS > S3 > Trusted Services [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3
Release Notes
5.22.0 (2023-09-06)
What's new?
- AWS/S3/Admin and AWS/S3/Metadata now include permissions for Multi-Region Access Point Routes.
5.21.0 (2023-05-29)
What's new?
- Resource's metadata will now also include createdBy details in Turbot CMDB.
5.20.0 (2023-04-06)
What's new?
- Added support for the aws_s3_bucket_policy Terraform resource for AWS > S3 > Bucket.
Bug fixes
- We've updated the runtime of the lambda functions to node 16. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
5.19.0 (2023-03-15)
What's new?
- Added support for the aws_s3_bucket_lifecycle_configuration and aws_s3_bucket_acl Terraform resources for AWS > S3 > Bucket.
5.18.0 (2022-12-08)
What's new?
- Users can now validate Principal Organization Paths (aws:PrincipalOrgPaths) in bucket policy conditions. To get started, set the AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions policy.
Policy Types
Added
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
5.17.3 (2022-11-01)
Bug fixes
- The AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions policy now also supports the ForAnyValue:StringLike operator for the aws:PrincipalOrgPaths condition.
5.17.2 (2022-08-23)
Action Types
Removed
- AWS > S3 > Bucket > Disable Encryption in Transit
5.17.1 (2022-08-18)
Bug fixes
- The AWS > S3 > Bucket > Disable all Block Public Access settings and AWS > S3 > Bucket > Enable all Block Public Access settings quick actions would not show up on the Turbot console due to incorrect internal references. This is fixed and you will now be able to enable/disable Block Public Access settings on S3 buckets with a click of a button.
5.17.0 (2022-07-25)
What's new?
In v5.6.0, we deprecated the AWS > S3 > Bucket > Policy Statements > Approved control and its policies in favour of the new AWS > S3 > Bucket > Policy > Trusted Access control; however, because the AWS > S3 > Bucket > Policy Statements > Approved > Rules policy adds Object Control List (OCL) functionality which is not available in the AWS > S3 > Bucket > Policy > Trusted Access > Approved control, this policy is still useful. The AWS > S3 > Bucket > Policy Statements > Approved control, and the AWS > S3 > Bucket > Policy Statements > Approved > Rules, AWS > S3 > Bucket > Policy Statements > Approved > Encryption In Transit, AWS > S3 > Bucket > Policy Statements > Approved > Encryption At Rest and AWS > S3 > Bucket > Policy Statements > Approved > Compiled Rules policies are no longer considered deprecated and are available for use again.
Control Types
Renamed
- AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
Policy Types
Renamed
- AWS > S3 > Bucket > Policy Statements [Deprecated] to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated] to AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
5.16.0 (2022-07-19)
Action Types
Added
- AWS > S3 > Bucket > Disable Encryption in Transit
- AWS > S3 > Bucket > Disable all Block Public Access settings
- AWS > S3 > Bucket > Enable Encryption in Transit
- AWS > S3 > Bucket > Enable all Block Public Access settings
- AWS > S3 > Bucket > Set Encryption at Rest to AWS Managed Key
- AWS > S3 > Bucket > Set Encryption at Rest to AWS SSE
- AWS > S3 > Bucket > Set Encryption at Rest to Customer Managed Key
- AWS > S3 > Bucket > Set Encryption at Rest to None
5.15.1 (2022-07-13)
Bug fixes
- The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.
5.15.0 (2022-07-12)
What's new?
- Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
- README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
Action Types
Added
- AWS > S3 > Bucket > Disable Versioning
- AWS > S3 > Bucket > Enable Versioning
- AWS > S3 > Bucket > Set Tags
- AWS > S3 > Bucket > Skip alarm for Active control
- AWS > S3 > Bucket > Skip alarm for Active control [90 days]
- AWS > S3 > Bucket > Skip alarm for Approved control
- AWS > S3 > Bucket > Skip alarm for Approved control [90 days]
- AWS > S3 > Bucket > Skip alarm for Encryption at Rest control
- AWS > S3 > Bucket > Skip alarm for Encryption at Rest control [90 days]
- AWS > S3 > Bucket > Skip alarm for Tags control
- AWS > S3 > Bucket > Skip alarm for Tags control [90 days]
5.14.0 (2022-06-01)
What's new?
- The AWS > S3 > Bucket CMDB will now also include information about Object Lock Configuration on the bucket.
5.13.0 (2022-02-14)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
Policy Types
Added
- AWS > S3 > Bucket > Approved > Custom
5.12.0 (2022-01-04)
What's new?
- AWS/S3/Admin and AWS/S3/Metadata now include permissions for Access Point, Bucket Intelligent Tiering Configuration and Bucket Ownership Controls.
5.11.0 (2021-07-20)
What's new?
- AWS/S3 permission levels now include Job, Object Lock Config, Public Access Block and Replicate related permissions.
5.10.0 (2021-07-09)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
5.9.0 (2021-06-24)
What's new?
- AWS/S3/Admin now includes storage lens management permissions.
5.8.1 (2021-04-27)
Bug fixes
- We've improved the descriptions for the AWS > S3 > Bucket > Public Access Block > Settings and AWS > S3 > Account > Public Access Block > Settings policies to clearly indicate what each policy value means.
5.8.0 (2021-02-18)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- The AWS > S3 > Bucket > Active control will now check if an inactive bucket is empty before attempting to delete it to avoid errors.
5.7.0 (2021-02-05)
What's new?
In a previous version, we added the AWS > S3 > Bucket > Policy > Trusted Access control to help you manage who can access your buckets based on their bucket policies. To further help you secure your buckets, we've added the AWS > S3 > Bucket > ACL > Trusted Access control, which allows you to configure which AWS accounts and groups can be granted access through the bucket's access control list (ACL). To get started with this new control, please review the AWS > S3 > Bucket > ACL > Trusted Access policy and its subpolicies.
Control Types
Added
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
Policy Types
Added
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
- AWS > S3 > Bucket > ACL > Trusted Access > Groups
Action Types
Added
- AWS > S3 > Bucket > Set ACL Trusted Access
5.6.6 (2021-01-14)
Bug fixes
- The AWS > S3 > Bucket > CMDB control will now show a proper error message if we are unable to call s3:HeadBucket due to a Forbidden error.
5.6.5 (2021-01-07)
What's new?
- The AWS > S3 > Bucket > Public Access Block control will now display the result for each public access block setting in the control data to easily identify if any setting is not set according to the AWS > S3 > Bucket > Public Access Block > Settings policy.
5.6.4 (2020-12-28)
Bug fixes
- We've improved the consistency of error notification messages for several bucket controls, like the AWS > S3 > Bucket > Public Access Block control.
5.6.3 (2020-12-17)
Bug fixes
- Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
- The AWS > S3 > Policy Statements [Deprecated] > Approved [Deprecated] policy description had incorrect references to VPC security groups. This issue has now been fixed.
5.6.2 (2020-12-11)
Bug fixes
- For buckets created via a CloudFormation stack, the AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit controls would sometimes create their bucket policies before the stack finished creating its bucket policies. This would result in the CloudFormation stack rolling back due to a bucket policy conflict. This issue is now fixed and the controls will now wait a few minutes before creating or updating bucket policies on new S3 buckets created through CloudFormation stacks to prevent conflicts.
5.6.1 (2020-12-07)
Bug fixes
- We've optimized the GraphQL queries for various controls when they're in the tbd and skipped states. You won't notice any difference but they should run a lot lighter now.
5.6.0 (2020-12-04)
Warning
The AWS > S3 > Bucket > Policy Statements > Approved control has been deprecated and replaced by the AWS > S3 > Bucket > Policy > Trusted Access control. In the next major version (v6.0.0), the AWS > S3 > Bucket > Policy Statements > Approved control will be removed.
Please note that a key difference between these controls is that the new AWS > S3 > Bucket > Policy > Trusted Access control will only check bucket policy statements that grant access with "Effect": "Allow", so statements like Turbot's encryption in transit statement that denies any S3 action not using aws:SecureTransport will not be checked by this control.
We recommend that you migrate any AWS > S3 > Bucket > Policy Statements > Approved policy settings currently set in your workspace to instead use the new AWS > S3 > Bucket > Policy > Trusted Access policies based on the mappings below:
Old Policy | New Policy |
---|---|
AWS > S3 > Bucket > Policy Statements > Approved | AWS > S3 > Bucket > Policy > Trusted Access |
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers | AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers |
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts | AWS > S3 > Bucket > Policy > Trusted Access > Accounts |
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services | AWS > S3 > Bucket > Policy > Trusted Access > Services |
AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities |
AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit | N/A |
AWS > S3 > Bucket > Policy Statements > Approved > Rules | N/A |
N/A | AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities |
N/A | AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions |
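The Allow-only behaviour described in this warning, shown as an added example that is not part of the mod's own code: a small checker that evaluates only statements with "Effect": "Allow" against a list of trusted account IDs, so the Deny statement on aws:SecureTransport is never reported. The bucket policy, the account IDs and the OAI id are constructed for illustration; the `cloudfront` account-field handling follows the 5.5.3/5.5.5 notes further down the page.

```python
import json
import re
from typing import Any, Dict, Iterable, List, Set

# Constructed sample bucket policy (not from the page or the mod). It mixes:
#  - an Allow statement for a trusted account,
#  - an Allow statement for an untrusted account,
#  - an Allow statement for a CloudFront OAI user ARN (account field "cloudfront"),
#  - a Deny statement on aws:SecureTransport, the encryption-in-transit style
#    statement that the warning says the Trusted Access control does not check.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustedAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "UntrustedAccountRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/reader"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CloudFrontOAI", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# arn:partition:service:region:account:resource -- the account is the fifth
# colon-separated field; for CloudFront OAI user ARNs it is the literal "cloudfront".
ARN_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:([^:]*):")


def principal_accounts(principal: Any) -> Set[str]:
    """Return the account field of every AWS principal in a statement.

    Handles the "*" wildcard, a bare account ID, a single ARN, a list of ARNs
    and the {"AWS": ...} map form. Service and Federated principals are
    ignored here because this checker only covers account-based trust.
    """
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    accounts: Set[str] = set()
    for p in principal:
        if p == "*" or p.isdigit():
            accounts.add(p)
        else:
            m = ARN_RE.match(p)
            accounts.add(m.group(1) if m else p)
    return accounts


def untrusted_allow_statements(policy_json: str, trusted: Iterable[Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose principals are not all trusted.

    Mirrors the behaviour the 5.6.0 warning describes: only "Effect": "Allow"
    statements are evaluated, so Deny statements (such as the aws:SecureTransport
    deny) are never reported. Trusted values may be account IDs as strings or
    integers, or the literal "cloudfront" for OAI principals.
    """
    trusted_set = {str(t) for t in trusted}
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    findings: List[Dict[str, Any]] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are out of scope for this check
        accounts = principal_accounts(stmt.get("Principal", {}))
        bad = sorted(a for a in accounts if a not in trusted_set)
        if bad:
            findings.append({"sid": stmt.get("Sid"), "untrusted": bad})
    return findings


if __name__ == "__main__":
    for finding in untrusted_allow_statements(SAMPLE_POLICY, ["111111111111", "cloudfront"]):
        print(finding)
```

An Allow statement with `"Principal": "*"` is reported as the untrusted principal `*`, which is the public-access case a reviewer most wants surfaced.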
Bug fixes
- We've updated various resources' Discovery and CMDB controls to ensure array properties are consistently sorted in the CMDB.
Control Types
Added
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
Renamed
- AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
Policy Types
Added
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy > Trusted Access > Accounts
- AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Services
- AWS > S3 > Trusted Accounts [Default]
- AWS > S3 > Trusted Identity Providers [Default]
- AWS > S3 > Trusted Organizations [Default]
- AWS > S3 > Trusted Services [Default]
Renamed
- AWS > S3 > Bucket > Policy Statements to AWS > S3 > Bucket > Policy Statements [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption at Rest [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Encryption in Transit [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated] > Compiled Rules [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services to AWS > S3 > Bucket > Policy Statements [Deprecated] > Approved [Deprecated] > Trusted Services [Deprecated]
Action Types
Added
- AWS > S3 > Bucket > Set Policy Trusted Access
5.5.5 (2020-11-02)
Bug fixes
- The AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts policy now accepts cloudfront as a valid value for easier matching of CloudFront origin access identity (OAI) ARNs.
5.5.4 (2020-10-30)
Bug fixes
- We've updated the AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts policy to only accept valid values in the form of AWS account IDs as strings or integers.
5.5.3 (2020-10-28)
Bug fixes
- We've fixed an issue that caused the AWS > S3 > Bucket > Policy Statements > Approved control to incorrectly parse any bucket policy statements that contained a principal with a CloudFront Origin Access Identity user ARN, e.g., arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC.
- In several recent versions, we had released changes that we thought had fixed an error upserting a large amount of buckets in the AWS > S3 > Bucket > Discovery control. Turns out we were wrong and the issue still persists. Now we've included another fix that really should resolve the error and get the control running smoothly again.
5.5.2 (2020-10-27)
Bug fixes
- We have made further improvements to AWS > S3 > Bucket > Discovery controls to ensure that they can handle large upserts into our CMDB more reliably without running into errors.
5.5.1 (2020-10-21)
Bug fixes
- AWS > S3 > Bucket > Discovery controls would sometimes go into an error state when we tried to upsert a large number of buckets into our CMDB. This issue has now been fixed.
5.5.0 (2020-10-15)
What's new?
- The title of the AWS > S3 > Bucket > Policy Statements > Approved control has been renamed to be consistent with other policy types & control types.
Control Types
Renamed
- AWS > S3 > Bucket > Policy to AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy > Approved to AWS > S3 > Bucket > Policy Statements > Approved
5.4.4 (2020-10-14)
Bug fixes
- The CMDB data for buckets now always includes the Versioning.MFADelete property, which is set to Disabled by default (in the case that MFA delete has never been enabled before for the bucket).
5.4.3 (2020-09-22)
Bug fixes
- We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
5.4.2 (2020-09-15)
Bug fixes
- The descriptions of the controls and policies for AWS > S3 > Bucket > Encryption at Rest and AWS > S3 > Bucket > Encryption in Transit have been improved to provide more details about their usage.
5.4.1 (2020-09-08)
Bug fixes
- After creating an S3 bucket with the same properties as an existing one, AWS will send a successful CloudTrail event instead of returning an error that the bucket already exists. When we received such events, the real-time event handler for buckets did not handle it properly, resulting in the metadata create timestamp getting updated incorrectly for the bucket and its policy. We now handle these events better and will not update metadata create timestamps for existing buckets and their policies.
5.4.0 (2020-09-03)
What's new?
- We've renamed the service's default regions policy from `Regions [Default]` to `Regions` to be consistent with our other regions policies.
5.3.11 (2020-08-14)
Bug fixes
- The `Policy` field for bucket resources is now properly and consistently sorted.
5.3.10 (2020-08-11)
Bug fixes
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
5.3.9 (2020-08-11)
Bug fixes
- In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
5.3.8 (2020-07-29)
Bug fixes
- The AWS > S3 > Bucket > Access Logging control will now remain in the skipped state for Turbot-managed logging buckets.
5.3.7 (2020-07-13)
Bug fixes
- Updated various resource configurations to provide better compatibility with AWS China regions.
5.3.6 (2020-07-11)
Bug fixes
- In AWS China, the `GetBucketAccelerateConfiguration` API is not supported and returns an error if invoked. The AWS > S3 > Bucket > CMDB control was not handling this error correctly, which caused the control to move to `error`. We've fixed this issue and the control is running smoothly again.
5.3.5 (2020-07-09)
Bug fixes
- When listing buckets through the AWS S3 API, the S3 service returns different results for `CreationDate` depending on the endpoint queried. Only queries to the endpoints in the S3 master regions (`us-east-1`, `us-gov-west-1`, `cn-north-1`) actually return the creation date; other endpoints incorrectly return the last-modified timestamp. Our AWS > S3 > Bucket > Discovery control made this API call without using the S3 master region endpoint, so the `CreationDate` property may have been incorrectly set to the (always later) last-modified date. This has been fixed: the control now first tries the S3 master region endpoint and falls back to the specific region it is running in when listing buckets. The `CreationDate` property will now have the correct timestamp, unless access to the S3 master region is blocked in that account.
5.3.4 (2020-07-02)
Bug fixes
- While attempting to remove unapproved bucket policy statements in the AWS > S3 > Bucket > Policy > Approved control, we would sometimes fail to remove statements that contained `Principal: "*"`. This issue has been fixed.
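The CloudFront Origin Access Identity fix in 5.5.3 and the `Principal: "*"` fix in this release both come down to normalising the `Principal` element before deciding whether a statement is approved. The following Python is an added illustration written for this page, not the mod's own code: it parses a constructed bucket policy, classifies each principal (anonymous, account, OAI, service), treats Deny statements as always approved because they only restrict access, and drops unapproved Allow statements. The ARN regexes, the approved lists, the `Example*` names and the sample policy are assumptions made for the example; the OAI ARN is the one quoted in the 5.5.3 entry.

```python
import json
import re

# CloudFront Origin Access Identity user ARNs live in the IAM pseudo-account
# "cloudfront" and carry spaces in the resource part, which is what trips up
# naive ARN splitting, e.g.
#   arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC
OAI_ARN_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ([A-Z0-9]+)$")
# Root/user/role ARNs of an ordinary 12-digit account (assumed pattern; also
# matches the aws-cn and aws-us-gov partitions).
IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(root|user/.+|role/.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_pairs(statement):
    """Flatten Principal into (kind, value) pairs. Principal can be the bare
    string "*" or a map such as {"AWS": "..."}, {"AWS": [...]}, {"Service": "..."}."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, str(v)) for kind, values in principal.items() for v in _as_list(values)]


def classify_principal(kind, value):
    """Map one principal to ("anonymous"|"oai"|"account"|"service"|"unknown", id)."""
    if kind == "AWS":
        if value == "*":
            return ("anonymous", None)
        m = OAI_ARN_RE.match(value)
        if m:
            return ("oai", m.group(1))
        if re.fullmatch(r"\d{12}", value):
            return ("account", value)
        m = IAM_ARN_RE.match(value)
        if m:
            return ("account", m.group(1))
    elif kind == "Service":
        return ("service", value)
    return ("unknown", value)


def statement_is_approved(statement, approved_accounts, approved_oais=(), approved_services=()):
    """Deny statements only restrict access and are always kept. An Allow is
    approved only if every one of its principals is on an approved list."""
    if statement.get("Effect") == "Deny":
        return True
    if "NotPrincipal" in statement:
        return False  # Allow + NotPrincipal grants to everyone else
    pairs = principal_pairs(statement)
    if not pairs:
        return False  # an Allow without a Principal is never approved here
    # Account IDs may be configured as integers or strings; zfill restores the
    # leading zeros an integer would have lost.
    accounts = {str(a).zfill(12) for a in approved_accounts}
    for kind, value in pairs:
        category, ident = classify_principal(kind, value)
        if category == "account" and ident in accounts:
            continue
        if category == "oai" and ident in set(approved_oais):
            continue
        if category == "service" and ident in set(approved_services):
            continue
        return False
    return True


def remove_unapproved(policy_json, **approved):
    """Return (policy dict with unapproved Allow statements removed, dropped Sids).
    Handles both the bare "*" and the {"AWS": "*"} principal forms."""
    doc = json.loads(policy_json)
    kept, dropped = [], []
    for s in _as_list(doc.get("Statement", [])):  # Statement may be a single object
        (kept if statement_is_approved(s, **approved) else dropped).append(s)
    doc["Statement"] = kept
    return doc, [s.get("Sid", "<no Sid>") for s in dropped]


# Constructed sample bucket policy for this example (not a real bucket).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontOAIRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Sid": "PartnerAccountList", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "210987654321"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::demo-bucket"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::demo-bucket", "arn:aws:s3:::demo-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def check_sample_policy():
    """Run the sample through remove_unapproved; returns (kept Sids, dropped Sids)."""
    doc, dropped = remove_unapproved(
        SAMPLE_POLICY,
        approved_accounts=[123456789012, "210987654321"],  # int and string both accepted
        approved_oais=["EH1HDMB1FH2TC"],
    )
    return [s["Sid"] for s in doc["Statement"]], dropped


if __name__ == "__main__":
    print(check_sample_policy())
```

Only `PublicRead` is dropped from the sample: the OAI statement is recognised despite the spaces in its ARN, the cross-account statement passes because both account forms normalise to the same 12-digit string, and the Deny statement is kept even though its principal is `*`. Anything the classifier cannot place (for example an `sts` assumed-role ARN) is reported as `unknown` and therefore unapproved, which is the safe default for a control that removes statements.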
5.3.3 (2020-06-29)
Bug fixes
- A duplicate permission in S3 was causing the AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3 policy to fail compilation. This duplicate permission has been removed and the policy compiles again.
5.3.2 (2020-06-26)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g. `[{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}]`, we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
5.3.1 (2020-06-26)
Bug fixes
- Several real-time events for buckets were not being handled properly, which sometimes resulted in outdated CMDB entries. These events included updates to CORS configurations, lifecycle rules, replication rules, and bucket public access block configurations. This issue has been fixed and all of these events now trigger CMDB updates properly.
- Several bucket CMDB properties were not being updated properly if they were enabled and then disabled in the AWS console. For instance, if default encryption was set to `AES-256` and then set to `None`, the bucket's CMDB entry would still have data indicating default encryption was `AES-256`. This issue has been fixed and all properties should reflect the resource's current state.
- The AWS > S3 > Bucket > Encryption at Rest control would sometimes go into error state when a bucket was first created, even if the AWS > S3 > Bucket > Encryption at Rest policy was set to `Skip`. This has been fixed.
Policy Types
Renamed
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > S3 to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
5.3.0 (2020-06-18)
Control Types
Added
- AWS > S3 > Bucket > Access Logging
Policy Types
Added
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Access Logging > Bucket
- AWS > S3 > Bucket > Access Logging > Key Prefix
Action Types
Added
- AWS > S3 > Bucket > Update Access Logging
5.2.0 (2020-06-15)
Policy Types
Added
- AWS > S3 > Bucket > Active > Budget
- AWS > S3 > Bucket > Approved > Budget
Action Types
Added
- AWS > S3 > Bucket > Set Encryption in Transit
Removed
- AWS > S3 > Bucket > Set Encryption At Transit
5.1.7 (2020-05-07)
Bug fixes
- The AWS > S3 > Bucket > Encryption at Rest control would not update the bucket policy with the intended encryption at rest settings if the bucket did not have an existing bucket policy. This has been fixed.
- When the AWS > S3 > Bucket > Encryption at Rest policy was set to `Enforce: AWS managed key`, the control was incorrectly adding a bucket policy statement that would only allow the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of only allowing the AWS KMS key. This statement has been fixed and now enforces the correct encryption at rest setting.
- When the AWS > S3 > Bucket > Encryption at Rest policy was set to `Enforce: Customer managed key`, the control was incorrectly adding a bucket policy statement that would deny the KMS key in the AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key policy, instead of denying the AWS KMS key. This statement has been fixed and now enforces the correct encryption at rest setting.
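The three 5.1.7 fixes above describe the two failure modes of a bucket-policy enforcer for encryption at rest: naming the wrong key in the statement for a given mode, and having nowhere to write the statement when the bucket has no policy yet. The Python below is an added example written for this page, not the mod's own statements or code. It generalises the described behaviour: instead of denying only the one wrong key, it denies any KMS key other than the one the mode requires, and it rejects uploads whose `x-amz-server-side-encryption` header names anything other than `aws:kms`. The key ARNs, the `Example*` Sids, the mode names and the merge strategy are assumptions for the example; the AWS managed key is identified by the `aws/s3` key ARN, which the caller is assumed to have looked up.

```python
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"
SSE_KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"
SID_NON_KMS = "ExampleDenyNonKmsEncryptionHeader"
SID_WRONG_KEY = "ExampleDenyWrongKmsKey"


def _deny_put_object(sid, bucket, condition):
    """One Deny statement against object uploads to the bucket."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": condition,
    }


def encryption_statements(bucket, mode, aws_managed_key_arn, customer_key_arn=None):
    """Deny statements for the two enforcement modes.

    mode == "aws_managed_key":      only the AWS managed key (aws/s3) may be named.
    mode == "customer_managed_key": only the configured customer key may be named.
    Both modes reject SSE-S3/SSE-C uploads (an SSE header that is not aws:kms).
    The Null checks keep requests that carry no header at all out of the Deny,
    so bucket default encryption can still apply to them; a StringNotEquals on
    an absent key would otherwise match and deny them.
    """
    if mode == "aws_managed_key":
        required_key = aws_managed_key_arn
    elif mode == "customer_managed_key":
        if not customer_key_arn:
            raise ValueError("customer_managed_key mode requires customer_key_arn")
        required_key = customer_key_arn
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [
        _deny_put_object(SID_NON_KMS, bucket, {
            "Null": {SSE_HEADER: "false"},
            "StringNotEquals": {SSE_HEADER: "aws:kms"},
        }),
        _deny_put_object(SID_WRONG_KEY, bucket, {
            "Null": {SSE_KEY_HEADER: "false"},
            "StringNotEquals": {SSE_KEY_HEADER: required_key},
        }),
    ]


def merge_into_policy(existing_policy, statements):
    """Merge the statements into a bucket policy document.

    existing_policy may be a JSON string, a dict, or None/"" (bucket has no
    policy), in which case a fresh document is started instead of failing.
    Statements whose Sid matches one of ours are replaced, so re-running the
    merge after a mode change is idempotent and never stacks stale Denies.
    """
    if not existing_policy:
        doc = {"Version": "2012-10-17", "Statement": []}
    elif isinstance(existing_policy, str):
        doc = json.loads(existing_policy)
    else:
        doc = dict(existing_policy)
    current = doc.get("Statement", [])
    if isinstance(current, dict):  # IAM allows a single statement object
        current = [current]
    ours = {s["Sid"] for s in statements}
    doc["Statement"] = [s for s in current if s.get("Sid") not in ours] + statements
    doc.setdefault("Version", "2012-10-17")
    return doc


if __name__ == "__main__":
    # Constructed sample: a bucket with no policy yet, customer managed key enforced.
    cmk = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    aws_key = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    policy = merge_into_policy(None, encryption_statements("demo-bucket", "customer_managed_key", aws_key, cmk))
    print(json.dumps(policy, indent=2))
```

Two practical points the statements alone do not enforce: a bucket policy cannot make an upload encrypted, it can only reject uploads that say the wrong thing, so the bucket's default encryption should be set to the same key; and the `Null` guard means a request with no SSE header is accepted and left to default encryption, which is the intended behaviour here but should be paired with the default-encryption check rather than relied on in isolation.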
Policy Types
Renamed
- AWS > S3 > Bucket > Configured > Precedence to AWS > S3 > Bucket > Configured > Claim Precedence