Top / Amazon Web Service / AWS Amazon S3 / Bucket

AWS Amazon S3 Bucket

This page shows how to write Terraform and CloudFormation for Amazon S3 Bucket and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_s3_bucket (Terraform)

The Bucket in Amazon S3 can be configured in Terraform with the resource name aws_s3_bucket. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "aws_s3_bucket" "module1-state" {
  bucket = "mypizdiuchky-state"

  versioning {
    enabled = true
  }
s3-gitlab-storage.tf#L8
resource "aws_s3_bucket" "registry-bucket" {
  bucket = "gitlab-container-registry-123"
  acl    = "public-read-write"
}

resource "aws_s3_bucket" "artifacts-bucket" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_s3_bucket

There are 3 settings in aws_s3_bucket that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure S3 bucket access policy is well configured

It is better to configure the S3 bucket access policy properly to limit it unless explicitly required.

risk-label

Ensure S3 bucket versoning is enabled

It is better to enable versioning of the S3 bucket to preserve, retrieve, and restore old versions of every object. It may help handle availability and integrity issues.

risk-label

Ensure S3 bucket logging is enabled

It's better to enable S3 bucket logging. S3 bucket logging helps audit activities related to the bucket.

Review your AWS Amazon S3 settings

You can check if the aws_s3_bucket setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides a S3 bucket resource. -> This functionality is for managing S3 in an AWS Partition. To manage S3 on Outposts, see the aws_s3control_bucket resource.

>> from Terraform Registry

Tips: Best Practices for The Other AWS Amazon S3 Resources

In addition to the aws_s3_bucket_public_access_block, AWS Amazon S3 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_s3_bucket_public_access_block

Ensure S3 bucket-level Public Access Block restricts public bucket policies

It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.

Review your AWS Amazon S3 settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::S3::Bucket (CloudFormation)

The Bucket in S3 can be configured in CloudFormation with the resource name AWS::S3::Bucket. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

mugshot-s3.cfn.yml#L29
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref MugShotCodeBucketName

  SubmissionMugShotBucket:
    Type: AWS::S3::Bucket
reference-using-sub.yml#L27
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${Topic.TopicName}-bucket'

  S3Bucket2:
    Type: AWS::S3::Bucket
dl-bucket-public-check-unit-test.yml#L18
        Type: AWS::S3::Bucket
  expectations:
    rules:
      delta_s3_public_access_control: FAIL
- name: MyTest4
  input:
s3.yml#L15
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cfd-shared-content
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
template.yml#L118
    Type: AWS::S3::Bucket
      Properties:
        BucketName: "at-hella-calibrations"
  BuildAUBucket:
    Type: AWS::S3::Bucket
      Properties:
s3_bucket_with_wildcards.json#L4
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "BucketName" : "fakebucketfakebucket"
      }
    },
S3.json#L3
  "resourceType" : "AWS::S3::Bucket",
  "properties" : [ {
    "propertyName" : "AccessControl",
    "propertyType" : "String",
    "required" : false
  }, {
serverless-state.json#L21
            "Type": "AWS::S3::Bucket",
            "Properties": {
              "BucketEncryption": {
                "ServerSideEncryptionConfiguration": [
                  {
                    "ServerSideEncryptionByDefault": {
serverless-state.json#L20
            "Type": "AWS::S3::Bucket",
            "Properties": {
              "BucketEncryption": {
                "ServerSideEncryptionConfiguration": [
                  {
                    "ServerSideEncryptionByDefault": {
serverless-state.json#L20
            "Type": "AWS::S3::Bucket"
          },
          "TransformLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
              "LogGroupName": "/aws/lambda/thumbnail-creator-dev-transform"

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack.

To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.

Important You can only delete empty buckets. Deletion fails for buckets that have contents.

>> from AWS CloudFormation Documentation

The Other Related AWS Amazon S3 Resources

Frequently asked questions

What is AWS Amazon S3 Bucket?

AWS Amazon S3 Bucket is a resource for Amazon S3 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon S3 Bucket?

For Terraform, the mirnujAtom/terraform-aws-modern-application-workshop and jay-jain/aws-terraform source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the victorsalaun/mugshot-aws-serverless, org-formation/org-formation-cli and amit873/CloudFormation_Templates source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents