Skip to content

Terraform AWS S3 Bucket

S3 buckets with versioning, default encryption, public access blocks, bucket policies, access logging, lifecycle rules, replication, event notifications, and optional object lock controls.

19 controls enforced28 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "s3_bucket" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cis.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "nis2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "1.0"
}

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

ACSC-EE-ML3-5.3: Restrict administrative privileges ML3

ACSC-EE-ML3-7.9: Multi-factor authentication ML3

ACSC-EE-ML3-8.7: Regular backups ML3

ACSC-EE-ML3-8.8: Regular backups ML3

ISM-1392: Application control

ISM-1747: Operating system event logging

ISM-1814: Backup modification and deletion

4.1.1 - Disallow public read access to S3 buckets

4.1.2 - Disallow public write access to S3 buckets

5.1.1 - Disallow S3 buckets that are not versioning enabled

ACCUAI3.15: Update Frequency

SECAI3.4: Input Validation

Data protection

Detection

Identity and access management

Infrastructure protection

SEC08-BP03: Automate data at rest protection

SUS04-BP03: Use policies to manage the lifecycle of your datasets

SC-28: Protection of Information at Rest

SI-12: Information Handling and Retention

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

11.10(d) Limiting system access to authorized individuals

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance

11.30 Controls for open systems

2 Storage

2.1.3: Ensure MFA Delete is enable on S3 buckets

2.1.5: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

3.3: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

3.6: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

2 Storage

2.1 Simple Storage Service (S3)

3 Storage

3.1 Simple Storage Service (S3)

3.3 Configure Data Access Control Lists

4.6 Securely Manage Enterprise Assets and Software

8.1: Establish and Maintain an Audit Log Management Process

8.2 Collect Audit Logs

11.4 Establish and Maintain an Isolated Instance of Recovery Data

Booting Up: Things to Do First-1

Your Data-1

Your Data-2

Your Data-4

Your Systems-3

4.8 Validation - Data Transfer

5 Data

7.1 Data Storage - Damage Protection

7.2 Data Storage - Backups

14 Electronic Signature

16 Business Continuity

17 Archiving

Account Management (AC-2)

Account Management (AC-3)

Audit Events (AU-2)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

Denial Of Service Protection (SC-5)

Information System Backup (CP-9)

Information System Recovery And Reconstitution (CP-10)

Protection of Audit Information (AU-9)

Remote Access (AC-17)

Use of Cryptography (SC-13)

AC-2(4) Automated Audit Actions

AC-2(g)

AC-17(1) Automated Monitoring/Control

AC-21(b)

Access Enforcement (AC-3)

AU-2(a)(d)

AU-6(1)(3)

AU-9(2) Audit Backup On Separate Physical Systems / Components

AU-11: Audit Record Retention

AU-12(a)(c)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

Content of Audit Records (AU-3)

CP-9(b))

Denial Of Service Protection (SC-5)

Information Flow Enforcement (AC-4)

Information Handling and Retention (SI-12)

Information In Shared Resources (SC-4)

Information System Recovery And Reconstitution (CP-10)

Least Privilege (AC-6)

Protection of Information at Rest (SC-28)

SC-7(3) Access Points

SC-28 (1): Cryptographic Protection

Use of Cryptography (SC-13)

D2.MA.Ma.B.1

D2.MA.Ma.B.2

D3.DC.An.B.3

D3.DC.An.B.4

D3.PC.Am.B.12

D3.PC.Im.B.1

D5.DR.De.B.3

D5.IR.Pl.B.6

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(1)(ii)(D): Administrative Safeguards

164.308(a)(3)(i) Workforce security

164.308(a)(3)(ii)(A) Authorization and/or supervision

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.308(a)(6)(ii) Response and reporting

164.308(a)(7)(i) Contingency plan

164.308(a)(7)(ii)(A) Data backup plan

164.308(a)(7)(ii)(B) Disaster recovery plan

164.308(a)(7)(ii)(C) Emergency mode operation plan

164.312(a)(1) Access control

164.312(a)(2)(i) Unique user identification

164.312(a)(2)(ii) Emergency access procedure

164.312(a)(2)(iv) Encryption and decryption

164.312(b) Audit controls

164.312(c)(1) Integrity

164.312(c)(2) Mechanism to authenticate electronic protected health information

164.312(e)(1) Transmission security

164.312(e)(2)(i) Integrity controls

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

A.8.1 User endpoint devices

A.8.3 Information access restriction

A.8.10 Information deletion

A.8.11 Data masking

A.8.14 Redundancy of information processing facilities

A.8.15 Logging

A.8.24 Use of cryptography

1 Policy on the security of network and information systems

3 Incident handling

4 Business continuity and crisis management

9 Cryptography

11 Access control

12 Asset management

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations

3.1.12: Monitor and control remote access sessions.

3.1.14 Route remote access via managed access control points

3.1.20: Verify and control/limit connections to and use of external systems.

3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions

3.3.3 Review and update logged events

3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities

3.5.10 Store and transmit only cryptographically-protected passwords

3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities

3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization

3.8.9: Protect the confidentiality of backup CUI at storage locations.

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

3.14.7: Identify unauthorized use of organizational systems.

AC-2(4) Automated Audit Actions

AC-2(6) Dynamic Privilege Management

AC-3(1) Restricted Access To Privileged Functions

AC-3(4): Discretionary Access Control

AC-3(7): Role-Based Access Control

AC-3(10) Audited Override Of Access Control Mechanisms

AC-4(21) Physical Or Logical Separation Of Infomation Flows

AC-4(26) Audit Filtering Actions

AC-6: Least Privilege

AC-6(9)

AC-17(1) Monitoring And Control

AC-17(4)(a)

AC-17(9) Disconnect Or Disable Access

AC-17(10) Authenticate Remote Commands

AC-17(b)

Access Enforcement (AC-3)

AU-2(b)

AU-3(a)

AU-3(b)

AU-3(c)

AU-3(d)

AU-3(e)

AU-3(f)

AU-6(3) Correlate Audit Record Repositories

AU-6(4) Central Review And Analysis

AU-6(6) Correletion With Physical Monitoring

AU-6(9) Correletion With From Nontechnical Sources

AU-8(b)

AU-9(2): Store On Separate Physical Systems Or Components

AU-9(3) Cryptographic Protection

AU-12(1) System-Wide And Time-Correlated Audit Trial

AU-12(2) Standardized Formats

AU-12(3) Changes By Authorized Individuals

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-12(a)

AU-12(c)

AU-14(3) Remote Viewing And Listening

AU-14(a)

AU-14(b)

CA-7(b)

CM-5(1)(b)

CM-6(a)

CM-9(b)

Continuous Monitoring Strategy (PM-31)

CP-1(2)

CP-2(5) Continue Mission And Business Functions

CP-6(1) Separation From Primary Site

CP-6(2) Recovery Time And Recovery Point Objectives

CP-6(a)

CP-9(8): Cryptographic Protection

CP-9(a)

CP-9(b)

CP-9(c)

CP-9(d)

CP-10(2): Transaction Recovery

IA-3(3)(b)

MA-4(1)(a)

Media Access (MP-2)

Non-Repudiation (AU-10)

PM-11(b)

PM-14(a)(1)

PM-14(b)

PM-17(b)

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-7(2) Public Access

SC-7(3) Access Points

SC-7(7) Split Tunneling For Remote Devices

SC-7(9)(a)

SC-7(9)(b)

SC-7(11) Restrict Incoming communications Traffic

SC-7(12) Host-Based Protection

SC-7(16) Prevent Discovery Of System Components

SC-7(20) Prevent Discovery Of System Components

SC-7(21) Isolation Of System Components

SC-7(24)(b)

SC-7(25) Unclassified National Security System Connections

SC-7(26) Classified National Security System Connections

SC-7(27) Unclassified Non-National Security System Connections

SC-7(28): Connections To Public Networks

SC-7(a)

SC-7(b)

SC-7(c)

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-13(a)

SC-16(1) Integrity Verification

SC-28(1): Cryptographic Protection

SI-1(1)(c)

SI-1(a)(2)

SI-3(8)(b)

SI-4(2) Automated Tools For Real-Time Analysis

SI-4(17) Integrated Situational Awareness

SI-4(20) Privileged Users

SI-7(8) Auditing Capability For Significant Events

SI-10(1)(c)

SI-13(5) Failover Capability

SI-14(2): Non-Persistent Information

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

System Recovery And Reconstitution (CP-10)

Thin Nodes (SC-25)

DE.DP-4

ID.BE-5

ID.RA-1

PR.AC-3

PR.DS-01

PR.DS-1

PR.DS-3

PR.DS-4

PR.DS-5

PR.IP-1

PR.IP-4

PR.PT-4

PR.PT-5

RC.CO-04

RC.RP-1

RC.RP-02

RS.AN-07

500.02(a)

500.02(b)(5)

500.07 Access Privileges and Management

500.14(a)

500.15(a)

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

3.2.1: Storage of account data is kept to a minimum.

3.3.1.1: Sensitive authentication data (SAD) is not stored after authorization.

3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization.

3.3.2: Sensitive authentication data (SAD) is not stored after authorization.

3.3.3: Sensitive authentication data (SAD) is not stored after authorization.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

3.5.1.3: Primary account number (PAN) is secured wherever it is stored.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.2.6: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.3.4: Strong authentication for users and administrators is established and managed.

8.4.1: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

8.4.2: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

8.4.3 MFA is implemented for all remote access originating from outside the entity's network that could access or impact the CDE

8.4.3: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.3.2: Audit logs are protected from destruction and unauthorized modifications.

10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify

10.3.3: Audit logs are protected from destruction and unauthorized modifications.

10.3.4: Audit logs are protected from destruction and unauthorized modifications.

10.3.4: File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts

10.5.1: Audit log history is retained and available for analysis.

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed

11.5.2: Network intrusions and unexpected file changes are detected and responded to.

11.6.1: Unauthorized changes on payment pages are detected and responded to.

12.10.5: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.

12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

A3.3.1: PCI DSS is incorporated into business-as-usual (BAU) activities.

A3.4.1: Logical access to the cardholder data environment is controlled and managed.

A3.5.1: Suspicious events are identified and responded to.

Annex I (1.3)

Annex I (12)

Annex I (7.4)

3.1.a Identification and Classification of Information Assets

4.4.h Capacity and performance analysis

8.I Basic Security Aspects

8.III Maker-Checker Concept

8.IX Backup and Recovery

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality

C1.2 The entity disposes of confidential information to meet the entity's objectives related to confidentiality

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlNIST Cybersecurity Framework v2.0PCI DSS v4.0Title 21 CFR Part 11FedRAMP Moderate Baseline Rev 4SOC 2AWS Well-Architected Framework v10NIST SP 800-171 Rev 2NIST SP 800-53 Rev 5
S3 buckets should not use ACLs for user access control
S3 buckets should have cross-region replication enabled
S3 buckets should have default encryption enabled
S3 buckets should have default encryption enabled using KMS
S3 buckets should have event notifications enabled
S3 buckets should have lifecycle policies configured
S3 buckets should have logging enabled
S3 buckets should have MFA delete enabled
S3 buckets should not be accessible to all authenticated users
S3 buckets should have object lock enabled
S3 buckets should have policies that prohibit public access
S3 buckets should restrict cross-account permissions
S3 buckets should prohibit public read access
S3 buckets should prohibit public write access
S3 buckets should have static website hosting disabled
S3 buckets with versioning enabled should have lifecycle policies configured
S3 buckets should have versioning enabled
S3 public access should be blocked at account level
S3 public access should be blocked at bucket level

Showing top 8 frameworks by coverage. All framework endpoints →