Policy types for @turbot/aws-s3
- AWS > S3 > API Enabled
- AWS > S3 > Account > CMDB
- AWS > S3 > Account > Public Access Block
- AWS > S3 > Account > Public Access Block > Settings
- AWS > S3 > Approved Regions [Default]
- AWS > S3 > Bucket > ACL
- AWS > S3 > Bucket > ACL > Trusted Access
- AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
- AWS > S3 > Bucket > ACL > Trusted Access > Groups
- AWS > S3 > Bucket > Access Logging
- AWS > S3 > Bucket > Access Logging > Bucket
- AWS > S3 > Bucket > Access Logging > Key Prefix
- AWS > S3 > Bucket > Active
- AWS > S3 > Bucket > Active > Age
- AWS > S3 > Bucket > Active > Budget
- AWS > S3 > Bucket > Active > Last Modified
- AWS > S3 > Bucket > Approved
- AWS > S3 > Bucket > Approved > Budget
- AWS > S3 > Bucket > Approved > Custom
- AWS > S3 > Bucket > Approved > Regions
- AWS > S3 > Bucket > Approved > Usage
- AWS > S3 > Bucket > CMDB
- AWS > S3 > Bucket > Configured
- AWS > S3 > Bucket > Configured > Claim Precedence
- AWS > S3 > Bucket > Configured > Source
- AWS > S3 > Bucket > Encryption at Rest
- AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key
- AWS > S3 > Bucket > Encryption in Transit
- AWS > S3 > Bucket > Policy
- AWS > S3 > Bucket > Policy > Trusted Access
- AWS > S3 > Bucket > Policy > Trusted Access > Accounts
- AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
- AWS > S3 > Bucket > Policy > Trusted Access > Services
- AWS > S3 > Bucket > Policy Statements
- AWS > S3 > Bucket > Policy Statements > Approved
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
- AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
- AWS > S3 > Bucket > Policy Statements > Approved > Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
- AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
- AWS > S3 > Bucket > Public Access Block
- AWS > S3 > Bucket > Public Access Block > Settings
- AWS > S3 > Bucket > Regions
- AWS > S3 > Bucket > Tags
- AWS > S3 > Bucket > Tags > Template
- AWS > S3 > Bucket > Usage
- AWS > S3 > Bucket > Usage > Limit
- AWS > S3 > Bucket > Versioning
- AWS > S3 > Enabled
- AWS > S3 > Permissions
- AWS > S3 > Permissions > Levels
- AWS > S3 > Permissions > Levels > ACL Administration
- AWS > S3 > Permissions > Levels > Access Logging Administration
- AWS > S3 > Permissions > Levels > CORS Administration
- AWS > S3 > Permissions > Levels > Cross Replication Administration
- AWS > S3 > Permissions > Levels > Modifiers
- AWS > S3 > Permissions > Lockdown
- AWS > S3 > Permissions > Lockdown > API Boundary
- AWS > S3 > Regions
- AWS > S3 > Tags Template [Default]
- AWS > S3 > Trusted Accounts [Default]
- AWS > S3 > Trusted Identity Providers [Default]
- AWS > S3 > Trusted Organizations [Default]
- AWS > S3 > Trusted Services [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3
AWS > S3 > API Enabled
Configure whether the AWS S3 API is enabled.
Note: Disabling the service disables the API for ALL users
and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-s3#/policy/types/s3ApiEnabled
[ "Enabled", "Disabled", "Enabled if AWS > S3 > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > S3 > Enabled" ], "default": "Enabled"}
AWS > S3 > Account > CMDB
Configure whether to record and synchronize details for the AWS S3 account into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > S3 > Account > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-s3#/policy/types/s3AccountCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > S3 > Account > Public Access Block
Configure the AWS S3 buckets account level Public Access Block
tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlock
[ "Skip", "Check: Per `Public Access Block > Settings`", "Enforce: Per `Public Access Block > Settings`"]
{ "type": "string", "enum": [ "Skip", "Check: Per `Public Access Block > Settings`", "Enforce: Per `Public Access Block > Settings`" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Account > Public Access Block > Settings
Define the Public Access Block that can be used to restrict the bucket access. This policy provides a default for Public Access Block in AWS Account, however you can explicitly override the setting.
Block Public ACLs: Block public access to buckets and objects granted through new access control lists (ACLs).<br/>
Block Public Bucket Policies: Block public access to buckets and objects granted through new public bucket or access point policies.<br/>
Ignore Public ACLs: Block public access to buckets and objects granted through any access control lists (ACLs).<br/>
Restrict Public Bucket Policies: Block public and cross-account access to buckets and objects through any public bucket or access point policies.<br/>
tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlockSettings
{ "type": "array", "items": { "type": "string", "enum": [ "Block Public ACLs", "Block Public Bucket Policies", "Ignore Public ACLs", "Restrict Public Bucket Policies" ] }, "default": []}
AWS > S3 > Approved Regions [Default]
A list of AWS regions in which AWS S3 resources are approved for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS S3 resources' Approved > Regions policies.
tmod:@turbot/aws-s3#/policy/types/s3ApprovedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > S3 > Bucket > ACL
tmod:@turbot/aws-s3#/policy/types/bucketAcl
AWS > S3 > Bucket > ACL > Trusted Access
Manage trusted access for AWS S3 Buckets via Bucket ACLs.
AWS allows S3 Buckets to be shared with other AWS accounts via ACLs. This policy allows you to configure whether such sharing is allowed, and to which principals.
If set to Enforce: Revoke untrusted access
, access to non-trusted entities will be removed.
tmod:@turbot/aws-s3#/policy/types/bucketAclTrustedAccess
[ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access" ], "default": "Skip"}
AWS > S3 > Bucket > ACL > Trusted Access > Canonical IDs
List of AWS Canonical User IDs that are trusted for cross-account
access in the AWS S3 Bucket ACL.
The *
wildcard allows
any Canonical User ID grantee, and is not recommended.
The []
empty array denies
any Canonical User ID grantee.
tmod:@turbot/aws-s3#/policy/types/bucketAclTrustedCanonicalIds
{ "type": "array", "default": "*", "items": { "type": "string", "pattern": "^[a-z0-9]{64,}$" }}
AWS > S3 > Bucket > ACL > Trusted Access > Groups
List of predefined AWS Groups that are trusted for cross-account access in the AWS S3 Bucket ACL.
tmod:@turbot/aws-s3#/policy/types/bucketAclTrustedGroups
{ "type": "array", "items": { "type": "string", "enum": [ "AllUsers", "AuthenticatedUsers", "LogDelivery" ] }, "default": [ "AllUsers", "AuthenticatedUsers", "LogDelivery" ]}
AWS > S3 > Bucket > Access Logging
Define the Access Logging settings required for AWS > S3 > Bucket
.AWS > S3 > Bucket
provides access logs that capture detailed information
about requests sent to your bucket. Each log contains information such as
the time the request was received, the client's IP address, latencies,
request paths, and server responses. You can use these access logs to
analyze traffic patterns and troubleshoot issues.
tmod:@turbot/aws-s3#/policy/types/bucketAccessLogging
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Access Logging > Bucket", "Enforce: Disabled", "Enforce: Enabled to Access Logging > Bucket" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Bucket > Access Logging > Bucket
The name of an S3 Bucket to which the Bucket
access logs will be delivered.
The S3 Bucket must already exist and the S3 service must be allowed write access.
The bucket should reside in same account and same region as of the Bucket.
example:<br /> testbucket<br /> turbotbucket<br />
tmod:@turbot/aws-s3#/policy/types/bucketAccessLoggingBucket
"{\n turbotLoggingBucket: policy(uri: \"aws#/policy/types/loggingBucketDefault\")\n}\n"
"{% if $.turbotLoggingBucket %}"{{ $.turbotLoggingBucket }}"{% else %}""{% endif %}"
{ "type": "string"}
AWS > S3 > Bucket > Access Logging > Key Prefix
An optional S3 key prefix to which the AWS > S3 > Bucket
access logs will be written.
The file names of the access logs use the following format:bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_load-balancer-id_end-time_ip-address_random-string.log.gz
tmod:@turbot/aws-s3#/policy/types/bucketAccessLoggingBucketPrefix
{ "type": "string", "pattern": "^.{1,200}$", "default": ""}
AWS > S3 > Bucket > Active
Determine the action to take when an AWS S3 bucket, based on the AWS > S3 > Bucket > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > S3 > Bucket > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered
Unapproved.
See Active for more information.
tmod:@turbot/aws-s3#/policy/types/bucketActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
AWS > S3 > Bucket > Active > Age
The age after which the AWS S3 bucket
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > S3 > Bucket > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-s3#/policy/types/bucketActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
AWS > S3 > Bucket > Active > Budget
The impact of the budget state on the active control. This policy allows you to force
buckets to inactive based on the current budget state, as reflected inAWS > Account > Budget > State
The Active control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > S3 > Bucket > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-s3#/policy/types/bucketActiveBudget
[ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Force inactive if Budget > State is Over or higher", "Force inactive if Budget > State is Critical or higher", "Force inactive if Budget > State is Shutdown" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Bucket > Active > Last Modified
The number of days since the AWS S3 bucket
was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (AWS > S3 > Bucket > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note the contrast with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/aws-s3#/policy/types/bucketActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
AWS > S3 > Bucket > Approved
Determine the action to take when an AWS S3 bucket is not approved based on AWS > S3 > Bucket > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/aws-s3#/policy/types/bucketApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new and empty"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new and empty" ], "example": [ "Check: Approved" ], "default": "Skip"}
AWS > S3 > Bucket > Approved > Budget
The policy allows you to set buckets to unapproved based on the current budget state, as reflected in AWS > Account > Budget > State
This policy will be evaluated by the Approved control. If an AWS S3 bucket is not matched by the approved list, it will be subject to the action specified in the AWS > S3 > Bucket > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-s3#/policy/types/bucketApprovedBudget
[ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown"]
{ "type": "string", "enum": [ "Skip", "Unapproved if Budget > State is Over or higher", "Unapproved if Budget > State is Critical or higher", "Unapproved if Budget > State is Shutdown" ], "example": [ "Unapproved if Budget > State is Shutdown" ], "default": "Skip"}
AWS > S3 > Bucket > Approved > Custom
Determine whether the AWS S3 bucket is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS S3 bucket is not approved, it will be subject to the action specified in the AWS > S3 > Bucket > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/aws-s3#/policy/types/bucketApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
AWS > S3 > Bucket > Approved > Regions
A list of AWS regions in which AWS S3 buckets are approved for use.
The expected format is an array of regions names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an AWS S3 bucket is created in a region that is not in the approved list, it will be subject to the action specified in the AWS > S3 > Bucket > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-s3#/policy/types/bucketApprovedRegions
"{\n regions: policy(uri: \"tmod:@turbot/aws-s3#/policy/types/s3ApprovedRegionsDefault\")\n}\n"
"{% if $.regions | length == 0 %} [] {% endif %}{% for item in $.regions %}- '{{ item }}'\n{% endfor %}"
AWS > S3 > Bucket > Approved > Usage
Determine whether the AWS S3 bucket is allowed to exist.
This policy will be evaluated by the Approved control. If an AWS S3 bucket is not approved, it will be subject to the action specified in the AWS > S3 > Bucket > Approved
policy.
See Approved for more information.
tmod:@turbot/aws-s3#/policy/types/bucketApprovedUsage
[ "Not approved", "Approved", "Approved if AWS > S3 > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if AWS > S3 > Enabled" ], "example": [ "Not approved" ], "default": "Approved if AWS > S3 > Enabled"}
AWS > S3 > Bucket > CMDB
Configure whether to record and synchronize details for the AWS S3 bucket into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in AWS > S3 > Bucket > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/aws-s3#/policy/types/bucketCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
AWS > S3 > Bucket > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
tmod:@turbot/aws-s3#/policy/types/bucketConfigured
[ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
AWS > S3 > Bucket > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/aws-s3#/policy/types/bucketConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > S3 > Bucket > Configured > Source
A HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/aws-s3#/policy/types/bucketConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
AWS > S3 > Bucket > Encryption at Rest
Define the Encryption at Rest settings required for AWS > S3 > Bucket
.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest
control compares the encryption settings against the encryption policies for the resource
(AWS > S3 > Bucket > Encryption at Rest > *
), raises an alarm, and takes the defined enforcement action.
Note: The below policy values are deprecated and will be removed in the next major mod version because they are no longer supported by AWS.
| Deprecated Values |
|-------------------------------------|
| Check: None |
| Check: None or higher |
| Enforce: None |
| Enforce: None or higher |
tmod:@turbot/aws-s3#/policy/types/bucketEncryptionAtRest
[ "Skip", "Check: None", "Check: None or higher", "Check: AWS SSE", "Check: AWS SSE or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: None or higher", "Enforce: AWS SSE", "Enforce: AWS SSE or higher", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key"]
{ "type": "string", "enum": [ "Skip", "Check: None", "Check: None or higher", "Check: AWS SSE", "Check: AWS SSE or higher", "Check: AWS managed key", "Check: AWS managed key or higher", "Check: Customer managed key", "Check: Encryption at Rest > Customer Managed Key", "Enforce: None", "Enforce: None or higher", "Enforce: AWS SSE", "Enforce: AWS SSE or higher", "Enforce: AWS managed key", "Enforce: AWS managed key or higher", "Enforce: Customer managed key", "Enforce: Encryption at Rest > Customer Managed Key" ], "example": [ "Check: None or higher" ], "default": "Skip"}
AWS > S3 > Bucket > Encryption at Rest > Customer Managed Key
Define the KMS key ID for encryption at rest.
Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption to your desired level.
The Encryption at Rest
control compares the encryption settings against the encryption policies for the resource
(AWS > S3 > Bucket > Encryption at Rest > *
), raises an alarm, and takes the defined enforcement action
Please make sure the key defined in the template has required permissions.<br />example:<br /> alias/aws/ebs<br /> ddc06e04-ce5f-4995-c758-c2b6c510e8fd<br /> arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd<br />
tmod:@turbot/aws-s3#/policy/types/bucketEncryptionAtRestCustomerManagedKey
"{\n defaultKey: policy(uri: \"aws-kms#/policy/types/keyDefaultCustomerManagedKey\")\n}\n"
"{{ $.defaultKey }}"
{ "anyOf": [ { "type": "string", "pattern": "^alias/[a-zA-Z0-9:/_-]{1,249}$" }, { "type": "string", "pattern": "^[-a-z0-9-]{1,255}$" }, { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:key/[-a-z0-9-]{1,255}$" } ], "tests": [ { "description": "valid - if keyArn", "input": "arn:aws:kms:us-east-1:039305405804:key/ddc06e04-ce5f-4995-b758-c2b6c510e8fd" }, { "description": "valid - if aliasName", "input": "alias/aws/ebs" }, { "description": "valid - if keyId", "input": "ddc06e04-ce5f-4995-b758-c2b6c510e8fd" } ]}
AWS > S3 > Bucket > Encryption in Transit
Define the Encryption in Transit settings required for AWS > S3 > Bucket
.
The Encryption in Transit control compares the Encryption in Transit settings against the Encryption in Transit policies for the resource
(AWS > S3 > Bucket > Encryption in Transit), raises an alarm, and takes the defined enforcement action.
The Encryption in Transit control examines the bucket's policy to find a match for the below statement. An exact match across all statement fields is required for encryption in transit to be considered enabled.<br />{<br /> Sid: "MustBeEncryptedInTransit",<br /> Effect: "Deny",<br /> Principal: "*",<br /> Action: "s3:*",<br /> Resource: ['arn:${partition}:s3:::${bucketName}', 'arn:${partition}:s3:::${bucketName}/*'],<br /> Condition: {<br /> Bool: {<br /> "aws:SecureTransport": "false"<br /> }<br /> }<br />}<br />
tmod:@turbot/aws-s3#/policy/types/encryptionInTransit
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Bucket > Policy
tmod:@turbot/aws-s3#/policy/types/bucketPolicy
AWS > S3 > Bucket > Policy > Trusted Access
Take an action when AWS S3 bucket policy is not trusted based on theAWS > S3 > Bucket > Policy > Trusted Access > *
policies.
The Trusted Access control evaluates the bucket policy against the list of allowed
members in each of the Trusted Access sub-policies (Trusted Access > Accounts,
Trusted Access > Services etc.), this control raises an alarm and takes the
defined enforcement action.
The account that owns the bucket will always be trusted, even if its account ID is
not included in the Trusted Accounts policy.
If set to Enforce: Revoke untrusted access
, access to non-trusted
members will be removed.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedAccess
[ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access"]
{ "type": "string", "enum": [ "Skip", "Check: Trusted Access", "Enforce: Revoke untrusted access" ], "default": "Skip"}
AWS > S3 > Bucket > Policy > Trusted Access > Accounts
List of AWS Account IDs that are trusted for cross-account access in the
AWS S3 bucket policy.
Note that Trusted Access > Accounts
and Trusted Access ><br />Organizations
are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts
AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations
.<br />example:<br /> - "123456789012"<br />
Note: Setting the policy to an Empty
array will remove all accounts.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedAccounts
"{\n accounts: policy(uri: \"tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedAccounts\")\n}\n"
"{% if $.accounts | length == 0 %}[]{% endif %}{% for item in $.accounts %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\d{12}$|^\\*$)" }}
AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
List of CloudFront Origin Access Identities (OAIs) that are trusted for cross-account access in the AWS S3 bucket policy.
The expected format is an array of CloudFront OAI ARNs
or OAI IDs
.<br />example:<br /> - "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH1HDMB1FH2TC"<br /> - "EH1HDMB1FH2TC"<br />
Note: Setting the policy to an Empty
array will remove all CloudFront OAIs.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedCloudFrontOriginAccessIdentities
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\*$|^[A-Z0-9]+$|^arn:aws(-us-gov|-cn)?:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$)" }, "default": [ "*" ]}
AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
List of Identity Providers that are trusted for cross-account access in the
AWS S3 bucket policy.<br />example:<br /> - www.google.com<br /> - www.facebook.com<br />
Note: Setting the policy to an Empty
array will remove all identity providers.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedIdentityProviders
"{\n identityProviders: policy(uri: \"tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedIdentityProviders\")\n}\n"
"{% if $.identityProviders | length == 0 %}[]{% endif %}{% for item in $.identityProviders %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string" }}
AWS > S3 > Bucket > Policy > Trusted Access > Organization Path Restrictions
List of AWS Organization Paths that are trusted for cross-account access in
the AWS S3 bucket policy, or '' to skip the Organization Path Restriction.
Note that Trusted Access > Accounts
and Trusted Access ><br />Organization Paths
are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts
AND be a
member of the Organization Path that is allowed in Trusted Access ><br />Organization Paths
.
Note: Trusted Access > Organization Path Restrictions
are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgPaths
condition key, and thus
cannot be validated against the Organization Path.
Also, please note that this policy will validate organization paths against ForAnyValue:StringLike
conditional operator for a given bucket policy condition.
```
example:
- "o-333333333/r-wxnb/ou-wxnb-dasdtpaq/ou-"
- "o-444444444/r-wxnb/ou-wxnb-dfadtpaq/*"
```
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedOrganizationPaths
{ "default": [ "*" ], "type": "array", "items": { "type": "string" }}
AWS > S3 > Bucket > Policy > Trusted Access > Organization Restrictions
List of AWS Organization IDs that are trusted for cross-account access in
the AWS S3 bucket policy, or '*' to skip the Organization Restriction.
Note that Trusted Access > Accounts
and Trusted Access ><br />Organizations
are evaluated independently. To have access, an AWS
principal must be allowed in Trusted Access > Accounts
AND be a
member of an Organization that is allowed in Trusted Access ><br />Organizations
.
Note: Trusted Access > Organization Restrictions
are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId
condition key, and thus
cannot be validated against the Organization.<br />example:<br /> - "o-333333333"<br /> - "o-c3a5y4wd52"<br />
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedOrganizations
"{\n organizations: policy(uri: \"tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedOrganizations\")\n}\n"
"{% if $.organizations | length == 0 %}[]{% endif %}{% for item in $.organizations %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > S3 > Bucket > Policy > Trusted Access > Services
List of AWS Services that are trusted for access in the AWS S3 bucket policy.<br />example:<br /> - sns.amazonaws.com<br /> - ec2.amazonaws.com<br />
Note: Setting the policy to an Empty
array will remove all services.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedServices
"{\n services: policy(uri: \"tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedServices\")\n}\n"
"{% if $.services | length == 0 %}[]{% endif %}{% for item in $.services %}- '{{ item }}'\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > S3 > Bucket > Policy Statements
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatements
AWS > S3 > Bucket > Policy Statements > Approved
Configure Bucket Policy Statements checking. This policy defines whether
to verify the bucket policy statements are approved, as well as the
subsequent action to take on unapproved statements. Rules for all Approved
policies will be compiled in Approved > Compiled Rules
and then
evaluated.
If set to Enforce: Delete unapproved
, any unapproved principal will be
revoked from the bucket policy.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Bucket > Policy Statements > Approved > Encryption at Rest
Determine whether bucket policy statements generated by theAWS > S3 > Bucket > Encryption at Rest
are approved.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedEncryptionAtRest
[ "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption at Rest`"]
{ "type": "string", "enum": [ "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption at Rest`" ], "default": "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption at Rest`"}
AWS > S3 > Bucket > Policy Statements > Approved > Encryption in Transit
Determine whether bucket policy statements generated by theAWS > S3 > Bucket > Encryption in Transit
are approved.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedEncryptionInTransit
[ "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption in Transit`"]
{ "type": "string", "enum": [ "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption in Transit`" ], "default": "Enabled: Approve statements from `AWS > S3 > Bucket > Encryption in Transit`"}
AWS > S3 > Bucket > Policy Statements > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject bucket policy statements.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules
. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled
rules.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedRules
{ "type": "string", "default": "# Approve unmatched rules\nAPPROVE *", "x-schema-form": { "type": "textarea" }}
AWS > S3 > Bucket > Policy Statements > Approved > Rules > Compiled Rules
A read-only Object Control List (OCL) to approved or reject bucket policy statements
for a bucket.
This policy is generated by Guardrails.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsCompiledRules
{ "type": "string"}
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Accounts [Deprecated]
Defines the AWS Accounts that can be allowed to access any bucket.
Examples:
- arn:aws:iam::560741234067:root
- 492552618977
- 123456789012
Note: This policy has been deprecated in v5.6.0 and will be removed in v6.0.0. It has been replaced by the AWS > S3 > Bucket > Policy > Trusted Access
policy.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedTrustedAwsAccounts
"{\n account {\n Id\n }\n}\n"
"- {{ $.account.Id }}"
{ "type": "array", "items": { "anyOf": [ { "type": "string", "pattern": "^arn:aws(-us-gov|-cn)?:iam::[0-9]{1,12}:[A-Za-z0-9_+=,.@-]{1,64}$" }, { "type": "string", "pattern": "^cloudfront$" }, { "type": "integer" }, { "type": "string", "pattern": "^[0-9]{12}$", "tests": [ { "description": "valid int - 123456789012", "input": 123456789012 }, { "description": "valid string - 123456789012", "input": "123456789012" }, { "description": "valid - leading zeros", "input": "001234567890" }, { "description": "invalid - contains char", "input": "a123456789012", "expected": false }, { "description": "invalid - too short", "input": 12345678901, "expected": false }, { "description": "invalid - too long", "input": 1234567890123, "expected": false } ], ".turbot": { "uri": "tmod:@turbot/aws#/definitions/accountId", "modUri": "tmod:@turbot/aws" } } ] }}
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Identity Providers [Deprecated]
Defines the Identity Providers that can be allowed to access any bucket.
Examples:
- www.amazon.com
- arn:aws:iam::013122550996:saml-provider/idp1
Note: This policy has been deprecated in v5.6.0 and will be removed in v6.0.0. It has been replaced by the AWS > S3 > Bucket > Policy > Trusted Access
policy.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedTrustedIdentityProvider
{ "type": "array", "items": { "type": "string" }, "default": []}
AWS > S3 > Bucket > Policy Statements > Approved > Trusted Services [Deprecated]
Defines the AWS Services that can be allowed to access any bucket.
Examples:
- cloudtrail.amazonaws.com
- cloudwatch.amazonaws.com
Note: This policy has been deprecated in v5.6.0 and will be removed in v6.0.0. It has been replaced by the AWS > S3 > Bucket > Policy > Trusted Access
policy.
tmod:@turbot/aws-s3#/policy/types/bucketPolicyStatementsApprovedTrustedAwsServices
{ "type": "array", "items": { "type": "string", "pattern": "(^\\S+\\.amazonaws\\.com$)" }, "default": []}
AWS > S3 > Bucket > Public Access Block
Configure the AWS S3 buckets Bucket Level Public Access Block
tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlock
[ "Skip", "Check: Per `Public Access Block > Settings`", "Enforce: Per `Public Access Block > Settings`"]
{ "type": "string", "enum": [ "Skip", "Check: Per `Public Access Block > Settings`", "Enforce: Per `Public Access Block > Settings`" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Bucket > Public Access Block > Settings
Define the Public Access Block that can be used to restrict the bucket access. This policy provides a default for Public Access Block in AWS S3 Bucket, however you can explicitly override the setting.
Block Public ACLs: Block public access to buckets and objects granted through new access control lists (ACLs).<br/>
Block Public Bucket Policies: Block public access to buckets and objects granted through new public bucket or access point policies.<br/>
Ignore Public ACLs: Block public access to buckets and objects granted through any access control lists (ACLs).<br/>
Restrict Public Bucket Policies: Block public and cross-account access to buckets and objects through any public bucket or access point policies.<br/>
tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlockSettings
{ "type": "array", "items": { "type": "string", "enum": [ "Block Public ACLs", "Block Public Bucket Policies", "Ignore Public ACLs", "Restrict Public Bucket Policies" ] }, "default": []}
AWS > S3 > Bucket > Regions
A list of AWS regions in which AWS S3 buckets are supported for use.
Any buckets in a region not listed here will not be recorded in CMDB.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/aws-s3#/policy/types/bucketRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/aws-s3#/policy/types/s3RegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > S3 > Bucket > Tags
Determine the action to take when an AWS S3 bucket tags are not updated based on the AWS > S3 > Bucket > Tags > *
policies.
The control ensure AWS S3 bucket tags include tags defined in AWS > S3 > Bucket > Tags > Template
.
Tags not defined in Bucket Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-s3#/policy/types/bucketTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
AWS > S3 > Bucket > Tags > Template
The template is used to generate the keys and values for AWS S3 bucket.
Tags not defined in Bucket Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/aws-s3#/policy/types/bucketTagsTemplate
[ "{\n account {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws-s3#/policy/types/s3TagsTemplate\" resourceId: \"{{ $.account.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > S3 > Bucket > Usage
Configure the number of AWS S3 buckets that can be used for this account and the current consumption against the limit.
You can configure the behavior of the control with this AWS > S3 > Bucket > Usage
policy.
tmod:@turbot/aws-s3#/policy/types/bucketUsage
[ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit"]
{ "type": "string", "enum": [ "Skip", "Check: Usage <= 85% of Limit", "Check: Usage <= 100% of Limit" ], "example": [ "Check: Usage <= 85% of Limit" ], "default": "Skip"}
AWS > S3 > Bucket > Usage > Limit
Maximum number of items that can be created for this account.
tmod:@turbot/aws-s3#/policy/types/bucketUsageLimit
{ "type": "integer", "minimum": 0, "default": 100}
AWS > S3 > Bucket > Versioning
Check if the AWS S3 bucket Versioning configuration is set correctly.
tmod:@turbot/aws-s3#/policy/types/bucketVersioning
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
AWS > S3 > Enabled
Configure whether the AWS S3 service is enabled for users.
Note: Disabling the service in this policy does NOT disable the
API for Guardrails or SuperUsers
tmod:@turbot/aws-s3#/policy/types/s3Enabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
AWS > S3 > Permissions
Configure whether permissions policies are in effect for AWS S3.
This setting does not affect account level permissions (AWS/Admin, AWS/Owner, etc)
Note: The behavior of this policy depends on the value of AWS > Permissions
.
tmod:@turbot/aws-s3#/policy/types/s3Permissions
[ "Enabled", "Disabled", "Enabled if AWS > S3 > Enabled & AWS > S3 > API Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if AWS > S3 > Enabled & AWS > S3 > API Enabled" ], "example": [ "Enabled" ], "default": "Enabled if AWS > S3 > Enabled & AWS > S3 > API Enabled"}
AWS > S3 > Permissions > Levels
Define the permissions levels that can be used to grant access to an AWS account.
Permissions levels defined will appear in the UI to assign access to Guardrails users.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevels
[ "{\n item: account {\n turbot {\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
AWS > S3 > Permissions > Levels > ACL Administration
Determines which Guardrails permissions level can manage ACL Administration.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsAclAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > S3 > Permissions > Levels > Access Logging Administration
Determines which Guardrails permissions level can manage Access Logging Administration.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsAccessLoggingAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > S3 > Permissions > Levels > CORS Administration
Determines which Guardrails permissions level can manage CORS Administration.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsCorsAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > S3 > Permissions > Levels > Cross Replication Administration
Determines which Guardrails permissions level can manage Cross Replication Administration.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsCrossReplicationAdministration
[ "None", "Admin"]
{ "type": "string", "enum": [ "None", "Admin" ], "example": [ "None" ], "default": "None"}
AWS > S3 > Permissions > Levels > Modifiers
A map of AWS API to Guardrails Permission Level used to customize Guardrails' standard permissions.
You can add, remove or redefine the mapping of AWS API operations to Guardrails permissions levels here.
Note: Modifiers are cumulative - if you add a permission to the Metadata level, it is also
added to ReadOnly, Operator and Admin. Modifier policies set here apply ONLY to the AWS level"<br />example:<br /> - "glacier:createvault": admin<br /> - "glacier:ListVaults": metadata<br /> - "s3:DeleteBucket": none<br />
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsModifiers
AWS > S3 > Permissions > Lockdown
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLockdown
AWS > S3 > Permissions > Lockdown > API Boundary
Configure whether the AWS S3 API is enabled for all users and roles
in turbot-managed boundary policies.
Note: Disabling the service disables the API for ALL users
and roles, and Guardrails will have no access to the API.
tmod:@turbot/aws-s3#/policy/types/s3PermissionsLockdownApiBoundary
[ "Enabled if AWS > S3 > API Enabled"]
{ "type": "string", "enum": [ "Enabled if AWS > S3 > API Enabled" ], "example": [ "Enabled if AWS > S3 > API Enabled" ], "default": "Enabled if AWS > S3 > API Enabled"}
AWS > S3 > Regions
A list of AWS regions in which AWS S3 resources are supported for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all AWS S3 resources' Regions policies.
tmod:@turbot/aws-s3#/policy/types/s3RegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/aws#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
AWS > S3 > Tags Template [Default]
A template used to generate the keys and values for AWS S3 resources.
By default, all S3 resource Tags > Template policies will use this value.
tmod:@turbot/aws-s3#/policy/types/s3TagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/aws#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
AWS > S3 > Trusted Accounts [Default]
List of AWS Accounts that are trusted for access in the AWS S3 policy.
This policy is used by the Trusted Access
control to determine which members of type "account" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "013122550996"<br /> - "560741234067"<br />
Note: Setting the policy to Empty
array will remove all accounts.
tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedAccounts
"{\n trustedAccounts: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedAccounts\") {\n value\n }\n}\n"
"{% if $.trustedAccounts.value | length == 0 %}[]{% else %}{% for item in $.trustedAccounts.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "^[0-9]{12}|^\\*$" }}
AWS > S3 > Trusted Identity Providers [Default]
List of AWS Identity Providers that are trusted for access in the AWS S3 policy.
This policy is used by the Trusted Access
control to determine which members of type "identity provider" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "www.amazon.com"<br /> - "graph.facebook.com"<br />
Note: Setting the policy to Empty
array will remove all identity providers.
tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedIdentityProviders
"{\n trustedIdentityProviders: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedIdentityProviders\") {\n value\n }\n}\n"
"{% if $.trustedIdentityProviders.value | length == 0 %}[]{% else %}{% for item in $.trustedIdentityProviders.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
AWS > S3 > Trusted Organizations [Default]
List of AWS Organizations that are trusted for access in the AWS S3 policy.
This policy is used by the Trusted Access
control to determine which members of type "organization" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "o-333333333"<br /> - "o-c3a5y4wd52"<br />
Note: Trusted Access > Organization Restrictions
are ONLY
applied to AWS principals. Services and Federated principals do
NOT contain the aws:PrincipalOrgId
condition key, and thus
cannot be validated against the Organization.
Setting the policy to Empty
array will remove all organizations.
tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedOrganizations
"{\n trustedOrganizations: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedOrganizations\") {\n value\n }\n}\n"
"{% if $.trustedOrganizations.value | length == 0 %}[]{% else %}{% for item in $.trustedOrganizations.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^o-[a-z0-9]{10,32}$|^\\*$)" }}
AWS > S3 > Trusted Services [Default]
List of AWS Services that are trusted for access in the AWS S3 policy.
This policy is used by the Trusted Access
control to determine which members of type "service" are allowed
to be granted access. You may use the '*' and '?' wildcard characters.<br />example:<br /> - "sns.amazonaws.com"<br /> - "ec2.amazonaws.com"<br />
Note: Setting the policy to Empty
array will remove all services.
tmod:@turbot/aws-s3#/policy/types/s3PolicyTrustedServices
"{\n trustedServices: policyValue(uri:\"tmod:@turbot/aws#/policy/types/trustedServices\") {\n value\n }\n}\n"
"{% if $.trustedServices.value | length == 0 %}[]{% else %}{% for item in $.trustedServices.value %}- '{{ item }}'\n{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string", "pattern": "(?:^\\S*\\.amazonaws\\.com$|^\\*$)" }}
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3
The CloudWatch Events event pattern used by the AWS S3 module to specify
which events to forward to the Guardrails Event Handlers.
tmod:@turbot/aws-s3#/policy/types/s3CustomEventPatterns
{ "type": "array", "items": { "type": "object", "properties": { "type": { "type": "object", "properties": { "title": { "type": "string" } } }, "value": { "type": "object", "properties": { "source": { "type": "array", "items": { "type": "string" } }, "detail-type": { "type": "array", "items": { "type": "string" } }, "detail": { "type": "object", "property": { "eventName": { "type": "array" } }, "required": [ "eventName" ] } }, "required": [ "source" ] } }, "required": [ "type" ] }, "default": [ { "type": { "title": "S3", "name": "s3" }, "value": { "source": [ "aws.s3" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventName": [ "CreateBucket", "DeleteBucket", "DeleteBucketCors", "DeleteBucketEncryption", "DeleteBucketLifecycle", "DeleteBucketPolicy", "DeleteBucketReplication", "DeleteBucketTagging", "DeleteBucketWebsite", "DeletePublicAccessBlock", "PutAccountPublicAccessBlock", "PutBucketAcl", "PutBucketCors", "PutBucketEncryption", "PutBucketIntelligentTieringConfiguration", "PutBucketLifecycle", "PutBucketLogging", "PutBucketNotification", "PutBucketObjectLockConfiguration", "PutBucketPolicy", "PutBucketPublicAccessBlock", "PutBucketReplication", "PutBucketRequestPayment", "PutBucketTagging", "PutBucketVersioning", "PutBucketWebsite", "PutPublicAccessBlock" ] } } } ]}
AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3
A read-only policy generated by Guardrails that lists the APIs that
should be added to the turbot-managed (hard) boundary policy,
thereby enabling them to be assigned to users and roles.
This value will change depending on the value of the value of theAWS > S3 > Permissions > Lockdown > API Boundary
policy
tmod:@turbot/aws-s3#/policy/types/awsCompiledApiBoundary
{ "type": "array"}
AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3
A calculated policy that Guardrails uses to create a compiled list
of ALL permissions for AWS S3 that is used as input to the
stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/aws-s3#/policy/types/awsLevelsCompiled
AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3
A calculated policy that Guardrails uses to create a compiled
list of ALL permissions for AWS S3 that is used as input
to the control that manages the IAM stack.
tmod:@turbot/aws-s3#/policy/types/awsCompiledServicePermissions