AWS S3 bucket Terraform module
Upstream version 5.14.0
12 controls from PCI DSS v4.0 requirements
Terraform Module Source
pcidssv40.compliance.tf/terraform-aws-modules/s3-bucket/aws
Behavioral Summary
This module modifies 7 variable defaults and makes 0 resource changes from the upstream module. All changes are driven by compliance controls and can be reviewed in detail below.
Your Code Impact
If you are migrating from the upstream module, the enforced default changes mean your existing configurations will automatically gain compliance controls. Variables you have explicitly set will continue to use your values. Review the diff below to understand exactly what changes.
Compared to
terraform-aws-modules/s3-bucket/aws@5.14.0
7 changes
Variables Changed (7)
| Variable | Upstream | CTF | Reason | Control |
|---|---|---|---|---|
| attach_policy | false | true | This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. | s3_bucket_policy_restricts_cross_account_permission_changes |
| lifecycle_rule | [] | [ { "status": "Enabled" } ] | This control checks whether versioning-enabled AWS Simple Storage Service (AWS S3) buckets have a lifecycle policy configured. The rule fails if no AWS S3 lifecycle policy is enabled. | s3_bucket_versioning_and_lifecycle_policy_enabled |
| object_lock_enabled | false | true | Ensure that your AWS Simple Storage Service (AWS S3) bucket has Object Lock enabled by default. | s3_bucket_object_lock_enabled |
| policy | - | {"Version":"2012-10-17","Statement":[{"Sid":"DenyCrossAcc... | Default differs from upstream | |
| replication_configuration | {} | { "rules": [ { "status": "Enabled" } ] } | AWS Simple Storage Service (AWS S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. | s3_bucket_cross_region_replication_enabled |
| server_side_encryption_configuration | {} | { "rule": { "apply_server_side_encryption_by_defaul... | To help protect data at rest, ensure encryption is enabled for your AWS Simple Storage Service (AWS S3) buckets. | s3_bucket_default_encryption_enabled_kms |
| versioning | {} | { "mfa_delete": "Enabled" } | Once MFA Delete is enabled on your sensitive and classified S3 bucket, it requires the user to present two forms of authentication before deleting objects or changing the versioning state. | s3_bucket_mfa_delete_enabled |