Simple Storage Service (S3)

Filters

global-grants

Check bucket acls for global grants

Schema:
{
  "allow_website": {
    "type": "boolean"
  },
  "operator": {
    "enum": [
      "or",
      "and"
    ],
    "type": "string"
  },
  "permissions": {
    "items": {
      "enum": [
        "READ",
        "WRITE",
        "WRITE_ACP",
        "READ",
        "READ_ACP"
      ],
      "type": "string"
    },
    "type": "array"
  }
}
missing-policy-statement

Find buckets missing a set of named policy statements

Schema:
{
  "statement_ids": {
    "items": {
      "type": "string"
    },
    "type": "array"
  }
}

Actions

encrypt-keys

Scan all keys in a bucket and optionally encrypt them in place

Schema:
{
  "crypto": {
    "enum": [
      "AES256",
      "aws:kms"
    ]
  },
  "glacier": {
    "type": "boolean"
  },
  "key-id": {
    "type": "string"
  },
  "large": {
    "type": "boolean"
  },
  "report-only": {
    "type": "boolean"
  }
}
encryption-policy

Attach an encryption required policy to a bucket, this will break applications that are not using encryption, including AWS log delivery

Schema:
{}
delete-global-grants

Delete global grants from bucket ACLs

Schema:
{
  "grantees": {
    "items": {
      "type": "string"
    },
    "type": "array"
  }
}
no-op

No operation

Schema:
{}