This Terraform module is used to instantiate an AWS S3 Bucket based on AWS Security Best Practices:
- Enforce encryption of data at rest using AWS Key Management Service (KMS)
- Enforce encryption of data in transit
- Consider using S3 Object Lock
- Implement least privilege access by blocking public access by default
- Enforce S3 Versioning
- Enable Amazon S3 server access logging
To instantiate an AWS S3 bucket based on the AWS Security Best Practices, you need to provide a unique bucket name. Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition (a partition is a grouping of Regions). Since server access logging is enabled by default, you must either specify the name of an existing S3 bucket where the logs will be stored, or have a new bucket created by setting `create_logging_bucket` to `true`. If the S3 bucket is intended to be used for static website hosting, the following will happen:
- Encryption of data at rest will use an Amazon S3 Managed Key (SSE-S3)
- Encryption of data in transit will not be enforced
- Public access will be enabled
- A bucket policy will be created to allow anyone to perform `GetObject` on any S3 object
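The two bucket-policy properties the description above turns on or off (a Deny of non-TLS requests for encryption in transit, and a public `GetObject` grant in static website mode) can be checked offline against a policy document, for example the JSON shown by `terraform plan` or returned by `aws s3api get-bucket-policy`. The following audit helper is an added example and is not part of this module; the two policy documents and the bucket names in them are constructed for the example and mirror the usual AWS policy shape rather than the module's own source.

```python
"""Offline audit of an S3 bucket policy document for two properties:
- a Deny that rejects requests made without TLS (aws:SecureTransport = false)
- an Allow that grants s3:GetObject to everyone (public-read website mode)
The sample policies at the bottom are constructed for this example."""
import json


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' and {'AWS': '*'} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def enforces_tls(policy: dict) -> bool:
    """True if a statement denies every principal all S3 actions when the
    request was not made over TLS, i.e. plain-HTTP access is refused."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny" or not _is_public_principal(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        values = [str(v).lower() for v in _as_list(bool_cond.get("aws:SecureTransport"))]
        if "false" in values:
            return True
    return False


def allows_public_get_object(policy: dict) -> bool:
    """True if any Allow statement grants s3:GetObject (or broader) to everyone."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            return True
    return False


def audit(policy_json: str) -> dict:
    """Summarise a policy document so it can be compared with the intended mode."""
    policy = json.loads(policy_json)
    return {
        "tls_enforced": enforces_tls(policy),
        "public_read": allows_public_get_object(policy),
    }


# Constructed sample: an HTTPS-only policy (hypothetical bucket name).
SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::example-secure-bucket",
            "arn:aws:s3:::example-secure-bucket/*",
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: the public-read grant a static website bucket carries.
WEBSITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-website-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("secure", SECURE_POLICY), ("website", WEBSITE_POLICY)):
        print(name, audit(doc))
```

Running the script reports `tls_enforced` only for the secure policy and `public_read` only for the website policy, which is exactly the trade-off the list above describes: a bucket used for static website hosting gains the public grant and loses the TLS-only deny, so anything stored in it should be treated as public.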
Name | Description | Type | Default | Required |
---|---|---|---|---|
block_public_access | Enable or disable blocking public access to the bucket | bool | true | no |
bucket_name | The name of the S3 bucket | string | n/a | yes |
create_kms_key | Enable or disable creation of a customer-managed KMS key for encryption at rest | bool | false | no |
enforce_encryption_in_transit | Whether to enforce encryption of data in transit | bool | true | no |
logging_bucket_name | The name of the logging bucket where access logs will be stored | string | n/a | yes |
object_lock_enabled | Enable or disable object lock for data protection | bool | false | no |
object_lock_retention | Number of days to retain objects when object lock is enabled | number | 30 | no |
static_website_hosting | Enable or disable static website hosting | bool | false | no |
Name | Description |
---|---|
arn | The Amazon Resource Name (ARN) of the created S3 bucket. |
bucket_regional_domain_name | The regional domain name of the created S3 bucket. |
id | The name of the created S3 bucket. |
region | The region of the created S3 bucket. |
```hcl
module "secured-bucket1" {
  source                 = "../../"
  bucket_name            = var.bucket_name
  static_website_hosting = false
  block_public_access    = true
  create_kms_key         = false
  logging_bucket_name    = "cloudful-logs"
}
```

```hcl
module "static_website" {
  source                 = "../../"
  bucket_name            = var.bucket_name
  static_website_hosting = true
  block_public_access    = false
  logging_bucket_name    = "cloudful-logs"
}
```
Name | Version |
---|---|
aws | 4.64.0 |
Name | Version |
---|---|
terraform | >= 1.3.0 |
aws | 4.64.0 |
Name | Type |
---|---|
aws_kms_alias.s3_kms_alias | resource |
aws_kms_key.s3_kms_key | resource |
aws_s3_bucket.logging_bucket | resource |
aws_s3_bucket.secure_bucket | resource |
aws_s3_bucket_logging.logging | resource |
aws_s3_bucket_object_lock_configuration.object_lock | resource |
aws_s3_bucket_policy.allow_access_from_everyone | resource |
aws_s3_bucket_policy.https_policy | resource |
aws_s3_bucket_policy.logging_bucket_policy | resource |
aws_s3_bucket_public_access_block.block_public | resource |
aws_s3_bucket_server_side_encryption_configuration.sse_kms_encryption | resource |
aws_s3_bucket_versioning.versioning | resource |
aws_s3_bucket_website_configuration.s3_website_configuration | resource |
aws_caller_identity.current | data source |