Table: aws_s3_bucket - Query AWS S3 Buckets using SQL
An AWS S3 Bucket is a public cloud storage resource available in Amazon Web Services' (AWS) Simple Storage Service (S3). It is used to store objects, which consist of data and its descriptive metadata. S3 makes it possible to store and retrieve varying amounts of data, at any time, from anywhere on the web.
Table Usage Guide
The aws_s3_bucket table in Steampipe provides you with information about S3 buckets within Amazon Simple Storage Service (S3). This table allows you, as a DevOps engineer, to query bucket-specific details, including configuration, policies, and permissions. You can utilize this table to gather insights on buckets, such as bucket policies, access controls, versioning status, and more. The schema outlines for you the various attributes of the S3 bucket, including the bucket name, creation date, region, and associated tags.
Examples
Basic info
Explore which AWS S3 buckets are set as public in different regions to enhance your data security by identifying potential vulnerabilities. This allows you to manage your AWS resources more effectively by pinpointing the specific locations where public access may be a concern.
Postgres and SQLite:
select
  name,
  region,
  account_id,
  bucket_policy_is_public
from
  aws_s3_bucket;
List buckets with versioning disabled
Discover the buckets that have versioning disabled in your Amazon S3 account. This could be useful in identifying potential risks or compliance issues related to data version control.
Postgres:
select
  name,
  region,
  account_id,
  versioning_enabled
from
  aws_s3_bucket
where
  not versioning_enabled;
SQLite:
select
  name,
  region,
  account_id,
  versioning_enabled
from
  aws_s3_bucket
where
  versioning_enabled is not 1;
List buckets with default encryption disabled
Uncover the details of S3 buckets that lack default encryption, a potential security risk, to enhance data protection measures in your AWS environment.
Postgres and SQLite:
select
  name,
  server_side_encryption_configuration
from
  aws_s3_bucket
where
  server_side_encryption_configuration is null;
List buckets that do not block public access
Identify instances where AWS S3 buckets may be vulnerable due to not blocking public access. This query is useful for assessing potential security risks associated with unrestricted public access to your data.
Postgres:
select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_bucket
where
  not block_public_acls
  or not block_public_policy
  or not ignore_public_acls
  or not restrict_public_buckets;
SQLite:
select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_bucket
where
  block_public_acls = 0
  or block_public_policy = 0
  or ignore_public_acls = 0
  or restrict_public_buckets = 0;
List buckets that block public access through bucket policies
Identify instances where certain storage buckets have implemented measures to block public access, enhancing data security and privacy. This could be useful in ensuring compliance with privacy regulations and preventing unauthorized data access.
Postgres:
-- bucket_policy_is_public is true when the bucket policy grants public access,
-- so buckets that block public access through their policy are the ones where it is false
select
  name,
  bucket_policy_is_public
from
  aws_s3_bucket
where
  not bucket_policy_is_public;
SQLite:
select
  name,
  bucket_policy_is_public
from
  aws_s3_bucket
where
  bucket_policy_is_public = 0;
List buckets where the server access logging destination is the same as the source bucket
Identify instances where the destination for server access logging is the same as the source bucket in AWS S3. This can help in understanding potential security risks or misconfigurations in your logging setup.
Postgres:
select
  name,
  logging ->> 'TargetBucket' as target_bucket
from
  aws_s3_bucket
where
  logging ->> 'TargetBucket' = name;
SQLite:
select
  name,
  json_extract(logging, '$.TargetBucket') as target_bucket
from
  aws_s3_bucket
where
  json_extract(logging, '$.TargetBucket') = name;
List buckets without the 'application' tags key
Discover the buckets that have not been tagged specifically for application purposes. This is particularly useful for managing and organizing your buckets based on their intended application usage.
Postgres:
-- the full tag map is returned so the missing key can be seen alongside the tags that are present
select
  name,
  tags
from
  aws_s3_bucket
where
  tags ->> 'application' is null;
SQLite:
select
  name,
  tags
from
  aws_s3_bucket
where
  json_extract(tags, '$.application') is null;
List buckets that enforce encryption in transit
Identify the AWS S3 buckets whose bucket policy enforces encryption in transit, that is, a policy statement that denies every principal when the aws:SecureTransport condition is false. This query is useful in identifying potential security vulnerabilities, as buckets without this statement may be at risk of data interception during transfer.
Postgres:
select
  name,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s ->> 'Condition' as conditions,
  ssl
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a,
  -- policy_std lowercases condition keys, hence 'aws:securetransport'
  jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
where
  p = '*'
  and s ->> 'Effect' = 'Deny'
  and ssl :: bool = false;
SQLite:
select
  name,
  p.value as principal,
  a.value as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions,
  ssl.value as ssl
from
  aws_s3_bucket,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as p,
  json_each(json_extract(s.value, '$.Action')) as a,
  json_each(json_extract(s.value, '$.Condition.Bool."aws:securetransport"')) as ssl
where
  p.value = '*'
  and json_extract(s.value, '$.Effect') = 'Deny'
  and ssl.value = 'false';
List buckets that do not enforce encryption in transit
Identify the AWS S3 buckets whose bucket policy does not enforce encryption in transit. This is useful for identifying potential security risks and ensuring that your data is always protected during transmission.
Postgres:
select
  name
from
  aws_s3_bucket
where
  name not in (
    select
      name
    from
      aws_s3_bucket,
      jsonb_array_elements(policy_std -> 'Statement') as s,
      jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
      jsonb_array_elements_text(s -> 'Action') as a,
      jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
    where
      p = '*'
      and s ->> 'Effect' = 'Deny'
      and ssl :: bool = false
  );
SQLite:
select
  name
from
  aws_s3_bucket
where
  name not in (
    select
      aws_s3_bucket.name
    from
      aws_s3_bucket,
      json_each(json_extract(policy_std, '$.Statement')) as s,
      json_each(json_extract(s.value, '$.Principal.AWS')) as p,
      json_each(json_extract(s.value, '$.Action')) as a,
      json_each(json_extract(s.value, '$.Condition.Bool."aws:securetransport"')) as ssl
    where
      p.value = '*'
      and json_extract(s.value, '$.Effect') = 'Deny'
      and ssl.value = 'false'
  );
List bucket policy statements that grant external access for each bucket
Identify the bucket policy statements that grant access to principals outside the bucket's own account, either a wildcard principal or an ARN whose account ID differs from the bucket's account. This is useful for identifying potential security risks and ensuring only authorized access to your buckets.
Postgres:
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  -- arn:partition:iam::ACCOUNT:... splits so that element 5 is the account ID
  string_to_array(p, ':') as pa,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    pa[5] != account_id
    or p = '*'
  );
SQLite: not available, because SQLite does not support the string_to_array function.
List buckets with object lock enabled
Identify the AWS S3 buckets that have the Object Lock feature enabled. This is useful for understanding where additional data protection measures are in place.
Postgres:
select
  name,
  object_lock_configuration ->> 'ObjectLockEnabled' as object_lock_enabled
from
  aws_s3_bucket
where
  object_lock_configuration ->> 'ObjectLockEnabled' = 'Enabled';
SQLite:
select
  name,
  json_extract(object_lock_configuration, '$.ObjectLockEnabled') as object_lock_enabled
from
  aws_s3_bucket
where
  json_extract(object_lock_configuration, '$.ObjectLockEnabled') = 'Enabled';
List buckets with website hosting enabled
Discover the AWS S3 buckets that have static website hosting enabled. This can be useful in identifying where your web content is stored or determining which buckets are serving as websites.
Postgres:
select
  name,
  website_configuration -> 'IndexDocument' ->> 'Suffix' as suffix
from
  aws_s3_bucket
where
  website_configuration -> 'IndexDocument' ->> 'Suffix' is not null;
SQLite:
select
  name,
  json_extract(website_configuration, '$.IndexDocument.Suffix') as suffix
from
  aws_s3_bucket
where
  json_extract(website_configuration, '$.IndexDocument.Suffix') is not null;
List object ownership control rules of buckets
Explore which AWS S3 buckets have specific object ownership control rules. This can be useful in managing access permissions and ensuring appropriate data governance.
Postgres:
select
  b.name,
  r ->> 'ObjectOwnership' as object_ownership
from
  aws_s3_bucket as b,
  jsonb_array_elements(object_ownership_controls -> 'Rules') as r;
SQLite:
select
  b.name,
  json_extract(r.value, '$.ObjectOwnership') as object_ownership
from
  aws_s3_bucket as b,
  json_each(b.object_ownership_controls, '$.Rules') as r;
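As an added example that is not part of the Steampipe documentation, the following Postgres query combines the individual checks above into one posture row per bucket and counts the failed controls so the weakest buckets sort first. It uses only columns from the schema below and assumes, as the encryption-in-transit examples do, that policy_std lowercases the aws:SecureTransport condition key.

```sql
-- Added example (not from the Steampipe docs): one posture row per bucket.
-- Postgres syntax; the SSL check mirrors the "enforce encryption in transit" example.
with ssl_enforced as (
  select distinct b.name
  from
    aws_s3_bucket as b,
    jsonb_array_elements(b.policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    -- policy_std lowercases condition keys
    jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    and ssl :: bool = false
)
select
  b.name,
  b.region,
  b.account_id,
  b.bucket_policy_is_public,
  -- all four Block Public Access settings must be on; "is true" also treats NULL as off
  (b.block_public_acls and b.block_public_policy
    and b.ignore_public_acls and b.restrict_public_buckets) is true as public_access_blocked,
  b.server_side_encryption_configuration is not null as default_encryption,
  b.versioning_enabled,
  b.versioning_mfa_delete,
  b.logging ->> 'TargetBucket' is not null as access_logging,
  e.name is not null as ssl_enforced,
  -- number of failed controls, used to rank the buckets
  (case when b.bucket_policy_is_public is true then 1 else 0 end
   + case when (b.block_public_acls and b.block_public_policy
                and b.ignore_public_acls and b.restrict_public_buckets) is not true then 1 else 0 end
   + case when b.server_side_encryption_configuration is null then 1 else 0 end
   + case when b.versioning_enabled is not true then 1 else 0 end
   + case when b.logging ->> 'TargetBucket' is null then 1 else 0 end
   + case when e.name is null then 1 else 0 end) as failed_controls
from
  aws_s3_bucket as b
  left join ssl_enforced as e on e.name = b.name
order by
  failed_controls desc,
  b.name;
```

A bucket with no bucket policy has a NULL bucket_policy_is_public, which the `is true` test counts as not public while the absence of a Deny statement still counts as SSL not enforced.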
Query examples
- bucket_policy_stds_for_s3_bucket
- cloudtrail_trail_bucket
- cloudtrail_trails_for_s3_bucket
- ec2_application_load_balancers_for_s3_bucket
- ec2_classic_load_balancers_for_s3_bucket
- ec2_network_load_balancers_for_s3_bucket
- kms_keys_for_s3_bucket
- lambda_functions_for_s3_bucket
- logging_destination_s3_buckets_for_s3_bucket
- logging_source_s3_buckets_for_s3_bucket
- s3_bucket_1_year_count
- s3_bucket_24_hours_count
- s3_bucket_30_90_days_count
- s3_bucket_30_days_count
- s3_bucket_90_365_days_count
- s3_bucket_age_table
- s3_bucket_block_public_acls_disabled_count
- s3_bucket_block_public_policy_disabled_count
- s3_bucket_by_account
- s3_bucket_by_creation_month
- s3_bucket_by_region
- s3_bucket_count
- s3_bucket_encryption
- s3_bucket_https_enforce
- s3_bucket_ignore_public_acls_disabled_count
- s3_bucket_input
- s3_bucket_lifecycle_policy
- s3_bucket_lifecycle_table
- s3_bucket_logging
- s3_bucket_logging_disabled_count
- s3_bucket_logging_table
- s3_bucket_overview
- s3_bucket_public
- s3_bucket_public_access
- s3_bucket_public_access_table
- s3_bucket_public_block_count
- s3_bucket_public_policy_count
- s3_bucket_restrict_public_buckets_disabled_count
- s3_bucket_server_side_encryption
- s3_bucket_tags_detail
- s3_bucket_unencrypted_count
- s3_bucket_versioning
- s3_bucket_versioning_disabled_count
- s3_bucket_versioning_mfa_disabled_count
- s3_buckets_for_cloudfront_distribution
- s3_buckets_for_cloudtrail_trail
- s3_buckets_for_codebuild_project
- s3_buckets_for_codepipeline_pipeline
- s3_buckets_for_dynamodb_table
- s3_buckets_for_ec2_application_load_balancer
- s3_buckets_for_ec2_classic_load_balancer
- s3_buckets_for_ec2_gateway_load_balancer
- s3_buckets_for_ec2_network_load_balancer
- s3_buckets_for_emr_cluster
- s3_buckets_for_kms_key
- s3_buckets_for_lambda_function
- s3_buckets_for_sns_topic
- s3_buckets_for_sqs_queue
- s3_buckets_for_vpc_flow_log
- sns_topics_for_s3_bucket
- sqs_queues_for_s3_bucket
Control examples
- All Controls > CloudFront > CloudFront distributions should not point to non-existent S3 origins
- All Controls > CloudTrail > CloudTrail trail S3 buckets MFA delete should be enabled
- All Controls > CloudTrail > Ensure that Object-level logging for read events is enabled for S3 bucket
- All Controls > CloudTrail > Ensure that Object-level logging for write events is enabled for S3 bucket
- All Controls > S3 > Ensure all data in AWS S3 has been discovered, classified and secured when required
- All Controls > S3 > S3 bucket ACLs should not be accessible to all authenticated user
- All Controls > S3 > S3 buckets object logging should be enabled
- All Controls > S3 > S3 buckets static website hosting should be disabled
- All S3 buckets should log S3 data events in CloudTrail
- AWS Foundational Security Best Practices > CloudFront > 12 CloudFront distributions should not point to non-existent S3 origins
- AWS Foundational Security Best Practices > S3 > 10 S3 buckets with versioning enabled should have lifecycle policies configured
- AWS Foundational Security Best Practices > S3 > 11 S3 buckets should have event notifications enabled
- AWS Foundational Security Best Practices > S3 > 12 S3 access control lists (ACLs) should not be used to manage user access to buckets
- AWS Foundational Security Best Practices > S3 > 13 S3 buckets should have lifecycle policies configured
- AWS Foundational Security Best Practices > S3 > 2 S3 buckets should prohibit public read access
- AWS Foundational Security Best Practices > S3 > 3 S3 buckets should prohibit public write access
- AWS Foundational Security Best Practices > S3 > 5 S3 buckets should require requests to use Secure Socket Layer
- AWS Foundational Security Best Practices > S3 > 6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
- AWS Foundational Security Best Practices > S3 > 8 S3 Block Public Access setting should be enabled at the bucket level
- AWS Foundational Security Best Practices > S3 > 9 S3 bucket server access logging should be enabled
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted
- CIS v1.2.0 > 2 Logging > 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS v1.2.0 > 2 Logging > 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v1.3.0 > 1 Identity and Access Management > 1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- CIS v1.3.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.1 Ensure all S3 buckets employ encryption-at-rest
- CIS v1.3.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.2 Ensure S3 Bucket Policy allows HTTPS requests
- CIS v1.3.0 > 3 Logging > 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
- CIS v1.3.0 > 3 Logging > 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
- CIS v1.3.0 > 3 Logging > 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS v1.3.0 > 3 Logging > 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v1.4.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.1 Ensure all S3 buckets employ encryption-at-rest
- CIS v1.4.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
- CIS v1.4.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.3 Ensure MFA Delete is enabled on S3 buckets
- CIS v1.4.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
- CIS v1.4.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- CIS v1.4.0 > 3 Logging > 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
- CIS v1.4.0 > 3 Logging > 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
- CIS v1.4.0 > 3 Logging > 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS v1.4.0 > 3 Logging > 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v1.5.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.1 Ensure all S3 buckets employ encryption-at-rest
- CIS v1.5.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
- CIS v1.5.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.3 Ensure MFA Delete is enabled on S3 buckets
- CIS v1.5.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
- CIS v1.5.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- CIS v1.5.0 > 3 Logging > 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
- CIS v1.5.0 > 3 Logging > 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
- CIS v1.5.0 > 3 Logging > 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS v1.5.0 > 3 Logging > 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v2.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests
- CIS v2.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.2 Ensure MFA Delete is enabled on S3 buckets
- CIS v2.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required
- CIS v2.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- CIS v2.0.0 > 3 Logging > 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
- CIS v2.0.0 > 3 Logging > 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
- CIS v2.0.0 > 3 Logging > 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- CIS v2.0.0 > 3 Logging > 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v3.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests
- CIS v3.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.2 Ensure MFA Delete is enabled on S3 buckets
- CIS v3.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required
- CIS v3.0.0 > 2 Storage > 2.1 Simple Storage Service (S3) > 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- CIS v3.0.0 > 3 Logging > 3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CIS v3.0.0 > 3 Logging > 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket
- CIS v3.0.0 > 3 Logging > 3.9 Ensure that Object-level logging for read events is enabled for S3 bucket
- Ensure MFA Delete is enabled on S3 buckets
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 bucket versioning should be enabled
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 buckets should enforce SSL
- S3 buckets should have event notifications enabled
- S3 buckets should have lifecycle policies configured
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 buckets with versioning enabled should have lifecycle policies configured
- S3 public access should be blocked at account and bucket levels
- S3 public access should be blocked at bucket levels
Schema for aws_s3_bucket
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
acl | jsonb | | The access control list (ACL) of a bucket. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The ARN of the AWS S3 Bucket. |
block_public_acls | boolean | | Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. |
block_public_policy | boolean | | Specifies whether Amazon S3 should block public bucket policies for this bucket. If TRUE, it causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access. |
bucket_policy_is_public | boolean | | The policy status for an Amazon S3 bucket, indicating whether the bucket is public. |
creation_date | timestamp with time zone | | The date and time when the bucket was created. |
event_notification_configuration | jsonb | | A container for specifying the notification configuration of the bucket. If this element is empty, notifications are turned off for the bucket. |
ignore_public_acls | boolean | | Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket. |
lifecycle_rules | jsonb | | The lifecycle configuration information of the bucket. |
logging | jsonb | | The logging status of a bucket and the permissions users have to view and modify that status. |
name | text | | The user-friendly name of the bucket. |
object_lock_configuration | jsonb | | The specified bucket's Object Lock configuration. |
object_ownership_controls | jsonb | | The Ownership Controls for an Amazon S3 bucket. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | The resource IAM access document for the bucket. |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
region | text | | The AWS Region in which the resource is located. |
replication | jsonb | | The replication configuration of a bucket. |
restrict_public_buckets | boolean | | Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy. |
server_side_encryption_configuration | jsonb | | The default encryption configuration for an Amazon S3 bucket. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags assigned to the bucket. |
title | text | | Title of the resource. |
versioning_enabled | boolean | | The versioning state of a bucket. |
versioning_mfa_delete | boolean | | The MFA Delete status of the versioning state. |
website_configuration | jsonb | | The website configuration information of the bucket. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_s3_bucket