AWS Amazon S3 Bucket
This page shows how to write Terraform and CloudFormation for Amazon S3 Bucket and write them securely.
aws_s3_bucket (Terraform)
The Bucket in Amazon S3 can be configured in Terraform with the resource name aws_s3_bucket
. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_s3_bucket" "module1-state" {
bucket = "mypizdiuchky-state"
versioning {
enabled = true
}
resource "aws_s3_bucket" "registry-bucket" {
bucket = "gitlab-container-registry-123"
acl = "public-read-write"
}
resource "aws_s3_bucket" "artifacts-bucket" {
Security Best Practices for aws_s3_bucket
There are 3 settings in aws_s3_bucket that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure S3 bucket access policy is well configured
It is better to configure the S3 bucket access policy properly to limit it unless explicitly required.
Ensure S3 bucket versoning is enabled
It is better to enable versioning of the S3 bucket to preserve, retrieve, and restore old versions of every object. It may help handle availability and integrity issues.
Ensure S3 bucket logging is enabled
It's better to enable S3 bucket logging. S3 bucket logging helps audit activities related to the bucket.
Parameters
-
acceleration_status
optional computed - string -
acl
optional - string -
arn
optional computed - string -
bucket
optional computed - string -
bucket_domain_name
optional computed - string -
bucket_prefix
optional - string -
bucket_regional_domain_name
optional computed - string -
force_destroy
optional - bool -
hosted_zone_id
optional computed - string -
id
optional computed - string -
policy
optional - string -
region
optional computed - string -
request_payer
optional computed - string -
tags
optional - map from string to string -
website_domain
optional computed - string -
website_endpoint
optional computed - string -
cors_rule
list block-
allowed_headers
optional - list of string -
allowed_methods
required - list of string -
allowed_origins
required - list of string -
expose_headers
optional - list of string -
max_age_seconds
optional - number
-
-
grant
set block-
id
optional - string -
permissions
required - set of string -
type
required - string -
uri
optional - string
-
-
lifecycle_rule
list block-
abort_incomplete_multipart_upload_days
optional - number -
enabled
required - bool -
id
optional computed - string -
prefix
optional - string -
tags
optional - map from string to string -
expiration
list block-
date
optional - string -
days
optional - number -
expired_object_delete_marker
optional - bool
-
-
noncurrent_version_expiration
list block-
days
optional - number
-
-
noncurrent_version_transition
set block-
days
optional - number -
storage_class
required - string
-
-
transition
set block-
date
optional - string -
days
optional - number -
storage_class
required - string
-
-
-
logging
set block-
target_bucket
required - string -
target_prefix
optional - string
-
-
object_lock_configuration
list block-
object_lock_enabled
required - string -
rule
list block-
default_retention
list block
-
-
-
replication_configuration
list block-
role
required - string -
rules
set block-
id
optional - string -
prefix
optional - string -
priority
optional - number -
status
required - string -
destination
list block-
account_id
optional - string -
bucket
required - string -
replica_kms_key_id
optional - string -
storage_class
optional - string -
access_control_translation
list block-
owner
required - string
-
-
-
filter
list block -
source_selection_criteria
list block-
sse_kms_encrypted_objects
list block-
enabled
required - bool
-
-
-
-
-
server_side_encryption_configuration
list block-
rule
list block-
bucket_key_enabled
optional - bool -
apply_server_side_encryption_by_default
list block-
kms_master_key_id
optional - string -
sse_algorithm
required - string
-
-
-
-
versioning
list block-
enabled
optional - bool -
mfa_delete
optional - bool
-
-
website
list block-
error_document
optional - string -
index_document
optional - string -
redirect_all_requests_to
optional - string -
routing_rules
optional - string
-
Explanation in Terraform Registry
Provides a S3 bucket resource. -> This functionality is for managing S3 in an AWS Partition. To manage S3 on Outposts, see the
aws_s3control_bucket
resource.
Tips: Best Practices for The Other AWS Amazon S3 Resources
In addition to the aws_s3_bucket_public_access_block, AWS Amazon S3 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_s3_bucket_public_access_block
Ensure S3 bucket-level Public Access Block restricts public bucket policies
It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.
AWS::S3::Bucket (CloudFormation)
The Bucket in S3 can be configured in CloudFormation with the resource name AWS::S3::Bucket
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref MugShotCodeBucketName
SubmissionMugShotBucket:
Type: AWS::S3::Bucket
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${Topic.TopicName}-bucket'
S3Bucket2:
Type: AWS::S3::Bucket
Type: AWS::S3::Bucket
expectations:
rules:
delta_s3_public_access_control: FAIL
- name: MyTest4
input:
Type: AWS::S3::Bucket
Properties:
BucketName: cfd-shared-content
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
Type: AWS::S3::Bucket
Properties:
BucketName: "at-hella-calibrations"
BuildAUBucket:
Type: AWS::S3::Bucket
Properties:
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : "fakebucketfakebucket"
}
},
"resourceType" : "AWS::S3::Bucket",
"properties" : [ {
"propertyName" : "AccessControl",
"propertyType" : "String",
"required" : false
}, {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"Type": "AWS::S3::Bucket"
},
"TransformLogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": "/aws/lambda/thumbnail-creator-dev-transform"
Parameters
-
AccelerateConfiguration
optional - AccelerateConfiguration -
AccessControl
optional - String -
AnalyticsConfigurations
optional - List of AnalyticsConfiguration -
BucketEncryption
optional - BucketEncryption -
BucketName
optional - String -
CorsConfiguration
optional - CorsConfiguration -
IntelligentTieringConfigurations
optional - List of IntelligentTieringConfiguration -
InventoryConfigurations
optional - List of InventoryConfiguration -
LifecycleConfiguration
optional - LifecycleConfiguration -
LoggingConfiguration
optional - LoggingConfiguration -
MetricsConfigurations
optional - List of MetricsConfiguration -
NotificationConfiguration
optional - NotificationConfiguration -
ObjectLockConfiguration
optional - ObjectLockConfiguration -
ObjectLockEnabled
optional - Boolean -
OwnershipControls
optional - OwnershipControls -
PublicAccessBlockConfiguration
optional - PublicAccessBlockConfiguration -
ReplicationConfiguration
optional - ReplicationConfiguration -
Tags
optional - List of Tag -
VersioningConfiguration
optional - VersioningConfiguration -
WebsiteConfiguration
optional - WebsiteConfiguration
Explanation in CloudFormation Registry
The
AWS::S3::Bucket
resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack.To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute.
Important You can only delete empty buckets. Deletion fails for buckets that have contents.
Frequently asked questions
What is AWS Amazon S3 Bucket?
AWS Amazon S3 Bucket is a resource for Amazon S3 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon S3 Bucket?
For Terraform, the mirnujAtom/terraform-aws-modern-application-workshop and jay-jain/aws-terraform source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the victorsalaun/mugshot-aws-serverless, org-formation/org-formation-cli and amit873/CloudFormation_Templates source code examples are useful. See the CloudFormation Example section for further details.