Turbot Guardrails Hub 

Resource Type: AWS > S3 > Bucket

The Bucket resource type is a part of the AWS Simple Storage Service (S3). Each S3 Bucket is a storage unit that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.

Resource Context

Bucket is a part of the S3 service.

Each Bucket lives under a Region.

Controls

The primary controls for AWS > S3 > Bucket are:

  • Access Logging
  • ACL
  • Active
  • Allowed
  • Approved
  • CMDB
  • Configured
  • Discovery
  • Encryption at Rest
  • Encryption in Transit
  • Intelligent Assessment
  • Policy
  • Policy Statements
  • Public Access Block
  • ServiceNow
  • Stack [Native]
  • Tags
  • Usage
  • Versioning

It is also targeted by these controls:

  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure all S3 buckets employ encryption-at-rest (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure MFA Delete is enable on S3 buckets (Automated)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual)
  • AWS > CIS v1.4 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.05 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
  • AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
  • AWS > CIS v4.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled
  • AWS > CIS v4.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v4.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets
  • AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
  • AWS > CIS v5.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled
  • AWS > CIS v5.0 > 3 - Logging > 3.08 - Ensure that object-level logging for write events is enabled for S3 buckets
  • AWS > CIS v5.0 > 3 - Logging > 3.09 - Ensure that object-level logging for read events is enabled for S3 buckets
  • AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.03 - Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
  • AWS > CIS v6.0 > 3 - Storage > 3.01 - Simple Storage Service (S3) > 3.01.04 - Ensure that S3 is configured with 'Block Public Access' enabled
  • AWS > CIS v6.0 > 4 - Logging > 4.08 - Ensure that object-level logging for write events is enabled for S3 buckets
  • AWS > CIS v6.0 > 4 - Logging > 4.09 - Ensure that object-level logging for read events is enabled for S3 buckets
  • AWS > HIPAA > S3 > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > S3 > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > S3 > S3 bucket default encryption should be enabled
  • AWS > HIPAA > S3 > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > S3 > S3 bucket logging should be enabled
  • AWS > HIPAA > S3 > S3 bucket object lock should be enabled
  • AWS > HIPAA > S3 > S3 bucket versioning should be enabled
  • AWS > HIPAA > S3 > S3 buckets should enforce SSL
  • AWS > HIPAA > S3 > S3 buckets should prohibit public read access
  • AWS > HIPAA > S3 > S3 buckets should prohibit public write access
  • AWS > HIPAA > S3 > S3 public access should be blocked at account and bucket levels
  • AWS > NIST 800-53 > S3 > All S3 buckets should log S3 data events in CloudTrail
  • AWS > NIST 800-53 > S3 > S3 bucket cross-region replication should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket default encryption should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket logging should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket object lock should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket versioning should be enabled
  • AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL
  • AWS > NIST 800-53 > S3 > S3 buckets should prohibit public read access
  • AWS > NIST 800-53 > S3 > S3 buckets should prohibit public write access
  • AWS > NIST 800-53 > S3 > S3 public access should be blocked at account and bucket levels
  • AWS > NIST 800-53 > S3 > S3 public access should be blocked at bucket levels
  • AWS > PCI v3.2.1 > S3 > 1 S3 buckets should prohibit public write access
  • AWS > PCI v3.2.1 > S3 > 2 S3 buckets should prohibit public read access
  • AWS > PCI v3.2.1 > S3 > 3 S3 buckets should have cross-region replication enabled
  • AWS > PCI v3.2.1 > S3 > 4 S3 buckets should have server-side encryption enabled
  • AWS > PCI v3.2.1 > S3 > 5 S3 buckets should require requests to use Secure Socket Layer

Quick Actions

  • Delete
  • Disable all Block Public Access settings
  • Disable Versioning
  • Enable all Block Public Access settings
  • Enable Encryption in Transit
  • Enable Versioning
  • Router
  • Set ACL Trusted Access
  • Set Encryption at Rest to AWS Managed Key
  • Set Encryption at Rest to AWS SSE
  • Set Encryption at Rest to Customer Managed Key
  • Set Encryption at Rest to None
  • Set Encryption in Transit
  • Set Policy Trusted Access
  • Set Public Access Block
  • Set Tags
  • Set Versioning
  • Skip alarm for Active control
  • Skip alarm for Active control [90 days]
  • Skip alarm for Approved control
  • Skip alarm for Approved control [90 days]
  • Skip alarm for Encryption at Rest control
  • Skip alarm for Encryption at Rest control [90 days]
  • Skip alarm for Tags control
  • Skip alarm for Tags control [90 days]
  • Update Access Logging
  • Update Default Encryption
  • Update Default Encryption at Rest
  • Update Tags

Category

  • Storage

In Your Workspace

  • Controls by Resource Type report
  • Policy Settings by Resource Type report
  • Resources by Resource Type report

Developers

  • Resource Type URI
    • tmod:@turbot/aws-s3#/resource/types/bucket
  • Category URI
    • tmod:@turbot/turbot#/resource/categories/storage
  • GraphQL
    • query resource(id: "tmod:@turbot/aws-s3#/resource/types/bucket") { … }
    • query resourceActivities(filter: "resourceId:'tmod:@turbot/aws-s3#/resource/types/bucket'") { … }
    • mutation createResource(input: { … })
    • mutation updateResource(input: { … })
  • CLI
    • Get Resource: turbot graphql resource --id "tmod:@turbot/aws-s3#/resource/types/bucket"
  • Steampipe Query
    • Get Resource: select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket';
    • Get Policy Settings (By Resource ID): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/aws-s3#/resource/types/bucket"';
    • Get Resource Notification: select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket' and notification_type in ('resource_updated', 'resource_created');