{"id":20657771,"url":"https://github.com/boltops-tools/s3-secure","last_synced_at":"2025-04-19T13:18:13.738Z","repository":{"id":45228602,"uuid":"223523364","full_name":"boltops-tools/s3-secure","owner":"boltops-tools","description":"S3 Bucket security hardening tool","archived":false,"fork":false,"pushed_at":"2023-07-11T05:47:05.000Z","size":88,"stargazers_count":2,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-05-01T11:29:04.228Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boltops-tools.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-23T03:12:36.000Z","updated_at":"2023-07-11T15:47:25.000Z","dependencies_parsed_at":"2022-09-21T11:11:59.001Z","dependency_job_id":null,"html_url":"https://github.com/boltops-tools/s3-secure","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fs3-secure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fs3-secure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fs3-secure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fs3-secure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boltops-tools","download_url":"https://codeload.github.com/boltops-tools/s3-secure/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"ht
tps://github.com","kind":"github","repositories_count":224954293,"owners_count":17397843,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T18:23:04.140Z","updated_at":"2024-11-16T18:23:04.709Z","avatar_url":"https://github.com/boltops-tools.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# s3-secure tool\n\n[![Gem Version](https://badge.fury.io/rb/s3-secure.png)](http://badge.fury.io/rb/s3-secure)\n\n[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)\n\nThe s3-secure tool can be used to harden your s3 bucket security posture. The tool is useful if you have a lot of buckets to update. It supports:\n\n* access logs: enabling access logs\n* encryption: enabling encryption\n* ssl bucket policy: adding an enforce ssl bucket policy\n* versioning: enabling bucket versioning\n\n## BoltOps Pro Related Blueprints\n\n* [S3 Secure](https://github.com/boltopspro-docs/s3-secure): Continuously Auto-Remediates New Buckets.\n* [Security Controls](https://github.com/boltopspro-docs/security-controls): Continuously applies the s3-secure remediations as well as other remediations. 
IE: Security Groups, SNS topics, etc.\n\n## Usage\n\nSummary of encryption commands:\n\n    s3-secure encryption list\n    s3-secure encryption show BUCKET\n    s3-secure encryption enable BUCKET\n    s3-secure encryption disable BUCKET\n\nSummary of lifecycle commands:\n\n    s3-secure lifecycle list\n    s3-secure lifecycle show BUCKET\n    s3-secure lifecycle add BUCKET\n    s3-secure lifecycle remove BUCKET\n\nSummary of policy commands:\n\n    s3-secure policy list\n    s3-secure policy show BUCKET\n    s3-secure policy enforce_ssl BUCKET\n    s3-secure policy unforce_ssl BUCKET\n\nSummary of versioning commands:\n\n    s3-secure versioning list\n    s3-secure versioning show BUCKET\n    s3-secure versioning enable BUCKET\n    s3-secure versioning disable BUCKET\n\n## Remediate All\n\nTo apply all the remediations:\n\n    s3-secure remediate_all BUCKET\n\nFor finer control, run each subcommand instead.\n\n## Some Examples with Output\n\nExample of `s3-secure encryption enable`:\n\n    $ s3-secure encryption enable a-test-bucket-in-us-west-1\n    Encyption enabled on bucket a-test-bucket-in-us-west-1 with rules:\n    {:apply_server_side_encryption_by_default=\u003e{:sse_algorithm=\u003e\"AES256\"}}\n    $\n\nExample of `s3-secure policy enforce_ssl`:\n\n    $ s3-secure policy enforce_ssl a-test-bucket-in-us-west-1\n    Add bucket policy to bucket a-test-bucket-in-us-west-1:\n    {\n      \"Version\": \"2012-10-17\",\n      \"Statement\": [\n        {\n          \"Sid\": \"ForceSSLOnlyAccess\",\n          \"Effect\": \"Deny\",\n          \"Principal\": \"*\",\n          \"Action\": \"s3:GetObject\",\n          \"Resource\": \"arn:aws:s3:::a-test-bucket-in-us-west-1/*\",\n          \"Condition\": {\n            \"Bool\": {\n              \"aws:SecureTransport\": \"false\"\n            }\n          }\n        }\n      ]\n    }\n    $\n\nWhen removing ssl enforcement from the bucket policy, if there are other policy statements, those are left intact.  
Example:\n\n    $ s3-secure policy show a-test-bucket-in-us-east-1\n    Bucket a-test-bucket-in-us-east-1 is configured with this policy:\n    {\n      \"Version\": \"2012-10-17\",\n      \"Statement\": [\n        {\n          \"Sid\": \"IPAllow\",\n          \"Effect\": \"Deny\",\n          \"Principal\": \"*\",\n          \"Action\": \"s3:*\",\n          \"Resource\": \"arn:aws:s3:::a-test-bucket-in-us-east-1/*\",\n          \"Condition\": {\n            \"NotIpAddress\": {\n              \"aws:SourceIp\": \"54.240.143.0/24\"\n            }\n          }\n        },\n        {\n          \"Sid\": \"ForceSSLOnlyAccess\",\n          \"Effect\": \"Deny\",\n          \"Principal\": \"*\",\n          \"Action\": \"s3:GetObject\",\n          \"Resource\": \"arn:aws:s3:::a-test-bucket-in-us-east-1/*\",\n          \"Condition\": {\n            \"Bool\": {\n              \"aws:SecureTransport\": \"false\"\n            }\n          }\n        }\n      ]\n    }\n    $ s3-secure policy unforce_ssl a-test-bucket-in-us-east-1\n    Remove bucket policy statement from bucket a-test-bucket-in-us-east-1:\n    {\n      \"Version\": \"2012-10-17\",\n      \"Statement\": [\n        {\n          \"Sid\": \"IPAllow\",\n          \"Effect\": \"Deny\",\n          \"Principal\": \"*\",\n          \"Action\": \"s3:*\",\n          \"Resource\": \"arn:aws:s3:::a-test-bucket-in-us-east-1/*\",\n          \"Condition\": {\n            \"NotIpAddress\": {\n              \"aws:SourceIp\": \"54.240.143.0/24\"\n            }\n          }\n        }\n      ]\n    }\n    $\n\nFor more help:\n\n    s3-secure -h\n    s3-secure encryption -h\n    s3-secure encryption enable -h\n    s3-secure lifecycle -h\n    s3-secure lifecycle add -h\n    s3-secure policy -h\n    s3-secure policy unforce_ssl -h\n    s3-secure versioning -h\n    s3-secure versioning enable -h\n\n## Batch Commands\n\nThere are some supported batch commands:\n\n    s3-secure batch encryption enable FILE.txt\n    s3-secure batch encryption 
disable FILE.txt\n    s3-secure batch policy enforce_ssl FILE.txt\n    s3-secure batch policy unforce_ssl FILE.txt\n\nThe format of `FILE.txt` is a list of bucket names separated by newlines.  Example:\n\nbuckets.txt:\n\n    my-bucket-1\n    my-bucket-2\n\n## Installation\n\nInstall with:\n\n    gem install s3-secure\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboltops-tools%2Fs3-secure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboltops-tools%2Fs3-secure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboltops-tools%2Fs3-secure/lists"}