
S3 Policies

9 policies covering S3 bucket encryption, public access, and versioning.

| ID | Name | Severity | Frameworks |
|---|---|---|---|
| S3-001 | S3 Encryption Required | HIGH | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| S3-002 | S3 KMS Encryption Recommended | LOW | HIPAA, PCI DSS, SOC 2 |
| S3-003 | S3 Block Public ACLs | HIGH | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-004 | S3 Block Public Policy | HIGH | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-005 | S3 Ignore Public ACLs | HIGH | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-006 | S3 Restrict Public Buckets | HIGH | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-007 | S3 No Public Read ACL | CRITICAL | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-008 | S3 No Public Read-Write ACL | CRITICAL | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-009 | S3 Versioning Recommended | MEDIUM | ISO 27001, SOC 2 |

S3-001

S3 Encryption Required | HIGH

Frameworks: HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2

S3 bucket must have server-side encryption configured, whether the bucket is still planned in Terraform or already live. Since January 2023 S3 applies SSE-S3 (AES256) to every new object by default, so a bucket without this resource is normally still encrypted at rest; the explicit configuration is still required because it makes the setting visible and reviewable in code, is what this check looks for, and is the place where you move to a KMS key (S3-002). Server-side encryption covers data at rest only: encryption in transit needs a separate bucket policy that denies requests where aws:SecureTransport is false.

Remediation:

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

Resource type: aws_s3_bucket


S3-002

S3 KMS Encryption Recommended | LOW

Frameworks: HIPAA, PCI DSS, SOC 2

S3 bucket encrypts with SSE-S3 (AES256) rather than SSE-KMS (aws:kms). With SSE-S3, anyone who can read an object can decrypt it; with SSE-KMS the caller also needs kms:Decrypt on the key, so the key policy acts as a second, independently managed gate, every use of the key is recorded in CloudTrail, and key rotation is under your control. Caveats before switching: kms_master_key_id accepts a key ID, ARN or alias; cross-account and service principals that read or write the bucket must also be granted kms:Decrypt (and kms:GenerateDataKey for writes) in the key policy, or their requests fail with AccessDenied once the bucket default changes; and enabling the S3 Bucket Key cuts KMS request volume and cost without weakening the control.

Remediation:

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
    # Optional: an S3 Bucket Key serves many objects from one KMS data key,
    # reducing KMS API calls and cost without weakening the control.
    bucket_key_enabled = true
  }
}

Resource type: aws_s3_bucket


S3-003

S3 Block Public ACLs | HIGH

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket must have block_public_acls enabled. With it set, PUT Bucket ACL and PUT Object ACL calls that specify a public ACL are rejected, as are PUT Object uploads that carry a public ACL, so no new public ACL can be introduced on the bucket or its objects. It does not neutralise public ACLs that already exist; that is what ignore_public_acls (S3-005) is for.

Remediation:

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Resource type: aws_s3_bucket


S3-004

S3 Block Public Policy | HIGH

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket must have block_public_policy enabled so that PUT Bucket Policy calls are rejected when the policy would grant public access. It does not change a public policy that is already attached; restrict_public_buckets (S3-006) limits what such an existing policy can grant.

Remediation:

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Resource type: aws_s3_bucket


S3-005

S3 Ignore Public ACLs | HIGH

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket must have ignore_public_acls enabled so that any existing public ACLs on the bucket or its objects are ignored and do not grant public access.

Remediation:

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Resource type: aws_s3_bucket


S3-006

S3 Restrict Public Buckets | HIGH

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket must have restrict_public_buckets enabled. When a bucket has a public policy, this setting restricts access to AWS service principals and authorized users within the bucket owner's account, blocking anonymous and cross-account access that the policy would otherwise grant. The four settings in S3-003 through S3-006 are meant to be enabled together, which is why they share one remediation; the same four flags can also be enforced for every bucket in the account with aws_s3_account_public_access_block, which is the safer default when no bucket in the account is meant to be public.

Remediation:

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Resource type: aws_s3_bucket


S3-007

S3 No Public Read ACL | CRITICAL

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket has the public-read canned ACL, which is not allowed. It grants READ on the bucket to the AllUsers group, so anyone on the internet can enumerate every object key, and any object whose own ACL is also public can be downloaded, risking data leakage and compliance violations. The Block Public Access settings in S3-003 and S3-005 neutralise such an ACL even when it is present, so check them as well. On buckets whose Object Ownership is BucketOwnerEnforced (the default for buckets created since April 2023) ACLs are disabled altogether, no public ACL can exist, and the aws_s3_bucket_acl resource below is both unnecessary and fails with AccessControlListNotSupported. Where ACLs are still enabled, the stronger fix is to disable them with aws_s3_bucket_ownership_controls (object_ownership = "BucketOwnerEnforced") rather than only resetting the ACL to private.

Remediation:

# Only applies where ACLs are enabled on the bucket. With object_ownership =
# "BucketOwnerEnforced" ACLs are disabled, no public ACL can exist, and this
# resource fails with AccessControlListNotSupported; remove it instead.
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"
}

Resource type: aws_s3_bucket


S3-008

S3 No Public Read-Write ACL | CRITICAL

Frameworks: HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2

S3 bucket has the public-read-write canned ACL, which is extremely dangerous. It grants READ and WRITE on the bucket to the AllUsers group, so anyone on the internet can list the bucket and create, overwrite or delete objects in it: data theft, tampering, deletion, and injection of malicious content served under your bucket name, plus storage costs you pay for. The Block Public Access settings in S3-003 and S3-005 neutralise such an ACL when enabled. On buckets whose Object Ownership is BucketOwnerEnforced (the default for buckets created since April 2023) ACLs are disabled, so this finding cannot occur and the aws_s3_bucket_acl resource below fails with AccessControlListNotSupported; where ACLs are still enabled, disabling them via aws_s3_bucket_ownership_controls is the stronger remediation.

Remediation:

# Only applies where ACLs are enabled on the bucket. With object_ownership =
# "BucketOwnerEnforced" ACLs are disabled, no public ACL can exist, and this
# resource fails with AccessControlListNotSupported; remove it instead.
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"
}

Resource type: aws_s3_bucket


S3-009

S3 Versioning Recommended | MEDIUM

Frameworks: ISO 27001, SOC 2

S3 bucket does not have versioning enabled. Versioning keeps every prior version of an object, so an accidental overwrite or delete (which only adds a delete marker) can be rolled back. Two caveats: a principal with s3:DeleteObjectVersion can still purge the history, so for ransomware or insider scenarios pair versioning with Object Lock or MFA delete; and noncurrent versions keep accruing storage cost until a lifecycle rule expires them. Once enabled, versioning can only be suspended, never removed, and suspension keeps the versions already stored.

Remediation:

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}

Resource type: aws_s3_bucket
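As an added example of what the nine checks above amount to when run over a Terraform plan, the following Python evaluates S3-001 through S3-009 against the JSON that `terraform show -json tfplan` produces. It is not the scanner's own code, and the bucket names, resource names and KMS key ARN are constructed sample data. Two details a naive implementation gets wrong are shown: a bucket that does not exist yet has an unknown id at plan time, so its child resources carry no `bucket` value and have to be linked through the `configuration` references; and for S3-007/S3-008 the code goes beyond the canned ACL names and also flags an explicit grant to the AllUsers group, which is the same exposure written out in an `access_control_policy` block. Both `aws:kms` and `aws:kms:dsse` are treated as KMS for S3-002.

```python
"""Check a Terraform plan (`terraform show -json tfplan`) against S3-001 .. S3-009.
Added example, not the scanner's own code; bucket names, resource names and the
KMS key ARN below are constructed sample data."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_FLAGS = (("S3-003", "block_public_acls"), ("S3-004", "block_public_policy"),
             ("S3-005", "ignore_public_acls"), ("S3-006", "restrict_public_buckets"))

def _change(addr, after, action="create"):
    """One `resource_changes` entry in the shape of Terraform's plan JSON."""
    return {"address": addr, "type": addr.split(".")[0],
            "change": {"actions": [action], "after": after}}

# Constructed plan. `good` is being created, so its children carry no `bucket`
# value yet and are linked through configuration references; `legacy` and
# `bare` already exist and show up as no-op changes.
SAMPLE_PLAN = {
    "resource_changes": [
        _change("aws_s3_bucket.good", {"bucket": "good-bucket"}),
        _change("aws_s3_bucket_server_side_encryption_configuration.good", {"rule": [{
            "apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms",
            "kms_master_key_id": "arn:aws:kms:us-east-1:111122223333:key/sample-key-id"}]}]}),
        _change("aws_s3_bucket_public_access_block.good", {
            "block_public_acls": True, "block_public_policy": True,
            "ignore_public_acls": True, "restrict_public_buckets": True}),
        _change("aws_s3_bucket_versioning.good", {"versioning_configuration": [{"status": "Enabled"}]}),
        _change("aws_s3_bucket.legacy", {"bucket": "legacy-bucket"}, "no-op"),
        _change("aws_s3_bucket_server_side_encryption_configuration.legacy", {"bucket": "legacy-bucket",
            "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}, "no-op"),
        _change("aws_s3_bucket_public_access_block.legacy", {"bucket": "legacy-bucket",
            "block_public_acls": True, "block_public_policy": False,
            "ignore_public_acls": False, "restrict_public_buckets": False}, "no-op"),
        # Not a canned ACL: an explicit AllUsers grant, the same exposure as public-read.
        _change("aws_s3_bucket_acl.legacy", {"bucket": "legacy-bucket", "acl": None, "access_control_policy": [
            {"grant": [{"grantee": [{"type": "Group", "uri": ALL_USERS}], "permission": "READ"}]}]}, "no-op"),
        _change("aws_s3_bucket.bare", {"bucket": "bare-bucket"}, "no-op"),
    ],
    "configuration": {"root_module": {"resources": [
        {"address": a, "expressions": {"bucket": {"references": ["aws_s3_bucket.good.id", "aws_s3_bucket.good"]}}}
        for a in ("aws_s3_bucket_server_side_encryption_configuration.good",
                  "aws_s3_bucket_public_access_block.good", "aws_s3_bucket_versioning.good")]}},
}

def index_buckets(plan):
    """Group child resources under their bucket's address, linking each child by
    the configuration reference `aws_s3_bucket.<name>.id` when present, otherwise
    by its literal `bucket` value."""
    refs = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
            if ref.startswith("aws_s3_bucket."):
                refs[res["address"]] = ".".join(ref.split(".")[:2])
    buckets, by_name = {}, {}
    for rc in plan["resource_changes"]:
        if rc["type"] == "aws_s3_bucket" and "delete" not in rc["change"]["actions"]:
            buckets[rc["address"]] = {}
            if name := rc["change"]["after"].get("bucket"):
                by_name[name] = rc["address"]
    for rc in plan["resource_changes"]:
        if rc["type"] != "aws_s3_bucket" and "delete" not in rc["change"]["actions"]:
            after = rc["change"]["after"]
            owner = refs.get(rc["address"]) or by_name.get(after.get("bucket"))
            if owner in buckets:
                buckets[owner][rc["type"]] = after
    return buckets

def public_acl_level(acl_res):
    """'read-write', 'read' or None for an aws_s3_bucket_acl resource, covering
    both canned ACLs and explicit grants to the AllUsers group."""
    perms = {"public-read": {"READ"}, "public-read-write": {"READ", "WRITE"}}.get((acl_res or {}).get("acl"), set())
    for policy in (acl_res or {}).get("access_control_policy") or []:
        for grant in policy.get("grant", []):
            if any(g.get("uri") == ALL_USERS for g in grant.get("grantee", [])):
                perms = perms | {grant["permission"]}
    if perms & {"WRITE", "FULL_CONTROL"}:
        return "read-write"
    return "read" if "READ" in perms else None

def evaluate(plan):
    """Return {bucket address: [violated policy IDs]} for every planned or live bucket."""
    findings = {}
    for addr, children in index_buckets(plan).items():
        hits, algo = [], None
        for rule in children.get("aws_s3_bucket_server_side_encryption_configuration", {}).get("rule", []):
            for default in rule.get("apply_server_side_encryption_by_default", []):
                algo = default.get("sse_algorithm")
        if algo is None:
            hits.append("S3-001")
        elif not algo.startswith("aws:kms"):  # "aws:kms" and "aws:kms:dsse" both satisfy S3-002
            hits.append("S3-002")
        pab = children.get("aws_s3_bucket_public_access_block", {})
        hits += [pid for pid, flag in PAB_FLAGS if not pab.get(flag)]
        level = public_acl_level(children.get("aws_s3_bucket_acl"))
        if level:
            hits.append("S3-008" if level == "read-write" else "S3-007")
        versioning = children.get("aws_s3_bucket_versioning", {}).get("versioning_configuration", [])
        if not any(v.get("status") == "Enabled" for v in versioning):
            hits.append("S3-009")
        findings[addr] = hits
    return findings

if __name__ == "__main__":
    for bucket, hits in evaluate(SAMPLE_PLAN).items():
        print(f"{bucket}: {', '.join(hits) or 'compliant'}")
```

Run it as-is to see the three buckets scored, or replace SAMPLE_PLAN with `json.load(open("plan.json"))` for a real plan. Child resources are matched to buckets by configuration reference first and by literal bucket name second, because a reference is the only link available for a bucket created in the same plan; resources outside the root module are not walked here.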