Add/Modify Shared Bucket Policy
How to Get There
On the Manage Shared Bucket policy screen, click Add, or click an existing shared policy to edit it.
What it Does
Use this screen to add or edit an AWS S3 Shared Bucket Policy. Security Auditor includes a *DEFAULT Shared Bucket Policy that contains standard default settings for S3 buckets. Shared Bucket Policies include many (but not all) S3 bucket settings, so that the same shared policy can be used to check many S3 buckets. Where an individual bucket, or a setting within a bucket, should differ from the Shared Bucket Policy, use a Private Policy; the Private Policy overrides the Shared Bucket Policy for that bucket.
Options
Name
The name of the shared bucket policy.
Description
The description of the shared bucket policy.
Properties
The following Amazon S3 Bucket properties can be configured in a Shared Bucket Policy.
Check Versioning; Enabled • Disabled • MFA Delete Enabled
Select Check Versioning to include the S3 Bucket's Versioning setting as part of the Shared Bucket Policy. If checked, the subsequent options become active.
If selected, choose Enabled to indicate that the 'Enable Versioning' setting is compliant with the policy. Uncheck Enabled to indicate the 'Suspended Versioning' setting is compliant with the policy. Select MFA Delete Enabled to indicate the MFA Delete setting must be enabled in order to be compliant with the policy (available for AWS administrators).
Check Server Access Logging; Enabled • Target Bucket • Target Prefix
Select Check Server Access Logging to include the S3 Bucket's Server Access Logging settings as part of the Shared Bucket Policy. If checked, the subsequent options become active.
Check Enabled to indicate the 'Enable Logging' setting must be chosen in order to be compliant with the policy. Uncheck Enabled to indicate 'Disable Logging' must be selected in order to be compliant. You can also specify a Target Bucket or Target Prefix as part of your policy requirements. Both fields support wildcards (*) and variables ('{bucket-name}').
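The Target Bucket and Target Prefix requirements above are patterns rather than fixed strings: '*' matches any run of characters and '{bucket-name}' expands to the name of the bucket being checked, which is what lets one shared policy require that every bucket log to its own prefix. The following Python is an added example (not Security Auditor's own code) of how such a check can be evaluated. The policy keys and the shape of the per-bucket logging state are assumptions; the logging state is modelled on the LoggingEnabled block that S3's GetBucketLogging API returns, with None standing for a bucket whose logging is disabled, and the bucket names and targets are constructed sample data.

```python
# Added example (not Security Auditor's own code). Matches the Target Bucket
# and Target Prefix requirements of a Shared Bucket Policy, where '*' is a
# wildcard and '{bucket-name}' expands to the bucket being checked.
import re


def target_pattern(pattern, bucket_name):
    """Compile a policy pattern: '{bucket-name}' is substituted first, then
    each '*' matches any run of characters; everything else is literal, so a
    '.' or '?' in the pattern is not a regex metacharacter."""
    expanded = pattern.replace("{bucket-name}", bucket_name)
    parts = [re.escape(p) for p in expanded.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def target_matches(pattern, actual, bucket_name):
    return target_pattern(pattern, bucket_name).match(actual) is not None


def check_server_access_logging(policy, bucket_name, logging_enabled):
    """Return a list of findings for one bucket (empty list means compliant).

    `policy` mirrors the screen's options (assumed key names);
    `logging_enabled` is the LoggingEnabled dict, or None when logging is off.
    """
    findings = []
    if not policy["check"]:
        return findings                      # setting not part of this policy
    if not policy["enabled"]:
        if logging_enabled is not None:
            findings.append("server access logging is enabled; "
                            "policy requires 'Disable Logging'")
        return findings
    if logging_enabled is None:
        return ["server access logging is disabled; "
                "policy requires 'Enable Logging'"]
    # Logging is on and required: check where the logs are delivered.
    target_bucket = logging_enabled["TargetBucket"]
    target_prefix = logging_enabled.get("TargetPrefix", "")
    if policy.get("target_bucket") and not target_matches(
            policy["target_bucket"], target_bucket, bucket_name):
        findings.append(f"logs go to {target_bucket!r}, policy requires "
                        f"{policy['target_bucket']!r}")
    if policy.get("target_prefix") and not target_matches(
            policy["target_prefix"], target_prefix, bucket_name):
        findings.append(f"log prefix is {target_prefix!r}, policy requires "
                        f"{policy['target_prefix']!r}")
    return findings


# Constructed policy: logging must be on, delivered to a central logs bucket,
# under a prefix named after the source bucket.
LOGGING_POLICY = {"check": True, "enabled": True,
                  "target_bucket": "acme-logs-*",
                  "target_prefix": "s3access/{bucket-name}/"}

# Constructed logging states for three sample buckets.
BUCKETS = {
    "acme-payroll-data": {"TargetBucket": "acme-logs-us-east-1",
                          "TargetPrefix": "s3access/acme-payroll-data/"},
    # Logs land under another bucket's prefix, so its access log is mixed in.
    "acme-hr-docs": {"TargetBucket": "acme-logs-us-east-1",
                     "TargetPrefix": "s3access/acme-payroll-data/"},
    "acme-scratch": None,                    # logging disabled
}


def audit_all(policy=LOGGING_POLICY, buckets=BUCKETS):
    """Apply one shared logging requirement to every sample bucket."""
    return {name: check_server_access_logging(policy, name, state)
            for name, state in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "compliant" if not findings else findings)
```

Because '{bucket-name}' is expanded before the wildcard split, a prefix pattern such as 's3access/{bucket-name}/' is a different literal requirement for every bucket the shared policy is applied to, which is the property that makes a single shared policy usable across many buckets.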
Check Static Website Hosting; Disable Website Hosting • Enabled (Use these buckets to host websites) • Redirect requests
Select Check Static Website Hosting to include the S3 Bucket's Static Website Hosting settings as part of the Shared Bucket Policy. If checked, the subsequent options become active.
Choose Disable Website Hosting to specify disabled hosting as a policy requirement.
Choose Enabled to specify the 'Use These Buckets to Host Websites' setting as a policy requirement.
Choose Redirect Requests to specify the 'Redirect Requests' setting as a policy requirement.
Check Default Encryption; None • AES-256 • AWS-KMS • KMS Key
Select Check Default Encryption to include the S3 Bucket's Default Encryption settings as part of the Shared Bucket Policy. If checked, the subsequent encryption options become active.
Choose None to specify no encryption as a policy requirement.
Choose AES-256 to specify AES-256 encryption as a policy requirement.
Choose AWS-KMS to specify AWS-KMS encryption as a policy requirement. If selected, the subsequent KMS Key text box becomes active, which allows you to specify a KMS Key as part of the policy.
Check Transfer Acceleration
Select Check Transfer Acceleration to include the S3 Bucket's Transfer Acceleration setting as part of the Shared Bucket Policy. If checked, the subsequent Enabled check box becomes active.
Check Enabled to specify the 'Enabled' setting as a policy requirement.
Check Events
Select Check Events to include the S3 Bucket's Events as part of the Shared Bucket Policy. If checked, the subsequent Allow Events check box becomes active.
Check Allow Events in order for events to be allowed as part of the policy. If Allow Events is unchecked, the existence of one or more events will result in a policy failure.
Requester Pays
Select Check Requester Pays to include the S3 Bucket's Requester Pays setting as part of the Shared Bucket Policy. If checked, the subsequent option becomes active.
Permissions
Check Access Control List
Select Check Access Control List to include the S3 Access settings as part of your policy. Once selected, the subsequent access matrix settings are activated.
For each item in the matrix, you can select one of the following options.
- AnyValue: Choose AnyValue to indicate the setting is always compliant, regardless of its state.
- Yes: Choose Yes to indicate the item must be set to "Yes" in order to be compliant.
- No: Choose No to indicate the item must be set to "No" in order to be compliant.
Allow Access for Other AWS Accounts
Check this option to permit Other AWS Accounts in your policy. If this option is unchecked, Other AWS Accounts in the S3 bucket are non-compliant.
Check Bucket Policy
Select Check Bucket Policy to include Bucket Policy Statements text as part of your policy. If checked, the subsequent option becomes active.
Allow Bucket Policy Statements
Check this option to permit Bucket Policy Statements in your policy. If this option is unchecked, Bucket Policy Statements in the S3 bucket are non-compliant.
Check Cross-Origin Resource Sharing (CORS) Configuration
Select Check Cross-Origin Resource Sharing (CORS) Configuration to include CORS Configuration as part of your policy. If checked, the subsequent option becomes active.
Allow CORS Configuration
Check this option to permit CORS Configuration rules in your policy. If this option is unchecked, CORS rules in the S3 bucket are non-compliant.
Management
Check Lifecycle
Select Check Lifecycle to include the AWS S3 Lifecycle setting in your policy. If checked, the subsequent option becomes active.
Allow Lifecycle Rules
Check this option to permit Lifecycle Rules in your policy. If this option is unchecked, Lifecycle Rules in the S3 bucket are non-compliant.
Check Replication
Select Check Replication to include the AWS S3 Replication settings in your policy. If checked, the subsequent option becomes active.
Allow Replication Rules
Check this option to permit Replication Rules in your policy. If this option is unchecked, Replication Rules in the S3 bucket are non-compliant.
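The options on this screen fall into two patterns: value checks (Versioning, Default Encryption, Transfer Acceleration), where the bucket's setting must equal the one chosen in the policy, and "Allow" checks (Events, Other AWS Accounts, Bucket Policy Statements, CORS, Lifecycle, Replication), where leaving Allow unchecked means the existence of even one item is a policy failure. The Python below is an added example (not Security Auditor's own code) that evaluates a constructed bucket state against a shared policy of this shape and shows how a Private Policy overrides individual settings for one bucket while the shared policy stays in force for the rest. The policy keys, the bucket-state keys, and the values in the stand-in default policy are all assumptions; the bucket data, including the KMS key ARN, is constructed sample input.

```python
# Added example (not Security Auditor's own code). Evaluates a constructed S3
# bucket state against a Shared Bucket Policy, with a Private Policy overriding
# individual settings. Policy and bucket-state key names are assumptions that
# mirror the options on the Add/Modify Shared Bucket Policy screen.

# Maps the screen's encryption choices to the SSEAlgorithm values S3 reports.
ENCRYPTION_MODES = {"None": None, "AES-256": "AES256", "AWS-KMS": "aws:kms"}

# "Allow ..." options: (policy section, bucket-state list, label). When Allow
# is unchecked, the existence of one or more items is a policy failure.
ALLOW_CHECKS = [
    ("events", "event_configurations", "events"),
    ("acl", "other_account_grants", "grants to other AWS accounts"),
    ("bucket_policy", "policy_statements", "bucket policy statements"),
    ("cors", "cors_rules", "CORS rules"),
    ("lifecycle", "lifecycle_rules", "lifecycle rules"),
    ("replication", "replication_rules", "replication rules"),
]

# Constructed stand-in for a shared policy; the values are assumptions.
DEFAULT_SHARED_POLICY = {
    "versioning": {"check": True, "enabled": True, "mfa_delete": False},
    "default_encryption": {"check": True, "mode": "AWS-KMS", "kms_key": None},
    "transfer_acceleration": {"check": True, "enabled": False},
    "events": {"check": True, "allow": False},
    "acl": {"check": True, "allow": False},
    "bucket_policy": {"check": True, "allow": True},
    "cors": {"check": True, "allow": False},
    "lifecycle": {"check": False, "allow": True},
    "replication": {"check": True, "allow": False},
}


def effective_policy(shared, private=None):
    """Policy that applies to one bucket: each setting in the Private Policy
    overrides the same setting in the Shared Bucket Policy; the shared policy
    object itself is left untouched."""
    merged = {section: dict(options) for section, options in shared.items()}
    for section, options in (private or {}).items():
        merged.setdefault(section, {}).update(options)
    return merged


def evaluate(bucket, policy):
    """Return a list of non-compliance findings (empty list means compliant)."""
    findings = []

    v = policy["versioning"]
    if v["check"]:
        # A bucket that never had versioning turned on reports no status;
        # it is treated here as not enabled (assumption).
        is_enabled = bucket["versioning_status"] == "Enabled"
        if is_enabled != v["enabled"]:
            findings.append(f"versioning is {bucket['versioning_status']!r}, "
                            "policy requires "
                            + ("Enabled" if v["enabled"] else "Suspended"))
        if v["mfa_delete"] and bucket["mfa_delete"] != "Enabled":
            findings.append("MFA Delete must be enabled")

    e = policy["default_encryption"]
    if e["check"]:
        required = ENCRYPTION_MODES[e["mode"]]
        if bucket["sse_algorithm"] != required:
            findings.append(f"default encryption is {bucket['sse_algorithm']!r}, "
                            f"policy requires {e['mode']}")
        elif e["mode"] == "AWS-KMS" and e["kms_key"] \
                and bucket["kms_key_id"] != e["kms_key"]:
            findings.append(f"KMS key is {bucket['kms_key_id']!r}, "
                            f"policy requires {e['kms_key']!r}")

    t = policy["transfer_acceleration"]
    if t["check"] and (bucket["accelerate_status"] == "Enabled") != t["enabled"]:
        findings.append("transfer acceleration state does not match policy")

    for section, state_key, label in ALLOW_CHECKS:
        opts = policy[section]
        if opts["check"] and not opts["allow"] and bucket[state_key]:
            findings.append(f"{len(bucket[state_key])} {label} present "
                            "but policy does not allow any")
    return findings


# Constructed bucket states, loosely shaped like what the S3 Get* APIs report.
PAYROLL_BUCKET = {
    "name": "acme-payroll-data",
    "versioning_status": "Enabled", "mfa_delete": "Disabled",
    "sse_algorithm": "aws:kms",
    "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "accelerate_status": None,
    "event_configurations": [], "other_account_grants": [],
    "policy_statements": [{"Sid": "DenyInsecureTransport", "Effect": "Deny"}],
    "cors_rules": [], "lifecycle_rules": [], "replication_rules": [],
}
# A web-content bucket that legitimately differs on three settings.
SITE_BUCKET = dict(PAYROLL_BUCKET, name="acme-www", versioning_status="Suspended",
                   sse_algorithm="AES256", kms_key_id=None,
                   cors_rules=[{"AllowedOrigins": ["https://www.acme.example"]}])
SITE_PRIVATE_POLICY = {"versioning": {"enabled": False},
                       "default_encryption": {"mode": "AES-256"},
                       "cors": {"allow": True}}


def demo():
    """Shared policy alone versus shared policy with a per-bucket override."""
    shared = DEFAULT_SHARED_POLICY
    return {
        "payroll/shared": evaluate(PAYROLL_BUCKET, shared),
        "site/shared": evaluate(SITE_BUCKET, shared),
        "site/private": evaluate(SITE_BUCKET,
                                 effective_policy(shared, SITE_PRIVATE_POLICY)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "compliant" if not findings else findings)
```

Against the shared policy alone the web bucket fails three checks (versioning, encryption mode, CORS rules present), while a Private Policy that overrides only those three settings makes it compliant without loosening the shared policy for the payroll bucket. Keeping the override per setting, rather than replacing the whole policy, is what stops a bucket-specific exception from silently dropping the remaining shared requirements.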