Terraform AWS S3 Bucket
Terraform module which creates S3 bucket resources on AWS with comprehensive features including versioning, encryption, lifecycle policies, replication, logging, and public access blocks.
Implemented Controls
The following compliance controls are implemented in this module.
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should have event notifications enabled
- S3 buckets should have lifecycle policies configured
- S3 bucket logging should be enabled
- S3 bucket MFA delete should be enabled
- S3 bucket ACLs should not be accessible to all authenticated users
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 bucket cross-account permissions should be restricted
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 buckets static website hosting should be disabled
- S3 buckets with versioning enabled should have lifecycle policies configured
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
Compliance.tf registry endpoints
module "s3_bucket" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cis.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv600.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"
  # ... your arguments here
}
See the Technical Usage Guide to get started and read the Features section for more details on how to customize the module for your requirements.
Mapped compliance frameworks
ACSC-EE-ML3-7.9: Multi-factor authentication ML3
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket logging should be enabled
- S3 bucket MFA delete should be enabled
- S3 bucket policy should prohibit public access
- S3 bucket cross-account permissions should be restricted
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
ISM-1392: Application control
ISM-1747: Operating system event logging
ISM-1814: Backup modification and deletion
CT-4.1.1: 4.1.1 - Disallow public read access to S3 buckets
CT-4.1.2: 4.1.2 - Disallow public write access to S3 buckets
CT-5.1.1: 5.1.1 - Disallow S3 buckets that are not versioning enabled
ACCUAI3.15: Update Frequency
SEC08-BP03: Automate data at rest protection
SEC08-BP04: Enforce access control
SUS04-BP03: Use policies to manage the lifecycle of your datasets
SC-28: Protection of Information at Rest
SI-12: Information Handling and Retention
11.10(a): Controls for closed systems
11.10(c): Controls for closed systems
11.10(e): Controls for closed systems
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should have lifecycle policies configured
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
2.1.3: Ensure MFA Delete is enabled on S3 buckets
2.1.5: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
3.3: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
3.6: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
2.1.2: Ensure MFA Delete is enabled on S3 buckets
3.1.2: Ensure MFA Delete is enabled on S3 buckets
8.1: Establish and Maintain an Audit Log Management Process
8.2: Collect Audit Logs
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
14: Electronic Signature
17: Archiving
AU-11: Audit Record Retention
SC-28 (1): Cryptographic Protection
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
164.312(a)(1): Technical Safeguards - 164.312(a)(1)
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
A.12.4.3: Administrator and operator logs
3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
3.8.9: Protect the confidentiality of backup CUI at storage locations.
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
AC-3(4): Discretionary Access Control
AU-9(2): Store On Separate Physical Systems Or Components
SC-28(1): Cryptographic Protection
SI-14(2): Non-Persistent Information
10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.5.1: Audit log history is retained and available for analysis.
3.2.1: Storage of account data is kept to a minimum.
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should have event notifications enabled
- S3 buckets should have lifecycle policies configured
- S3 bucket MFA delete should be enabled
- S3 bucket policy should prohibit public access
- S3 bucket cross-account permissions should be restricted
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 buckets should have event notifications enabled
- S3 buckets should have lifecycle policies configured
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level