AWS S3 Logs Bucket

An AWS S3 bucket intended for storing logs

Made by Massdriver

aws-s3-logs-bucket

An AWS S3 bucket providing scalable, durable, and secure storage of logs allowing them to be stored, accessed, and analyzed in a highly available and cost-effective manner.

Use Cases

Application Logging

Low cost and durable storage of application logs for debugging and troubleshooting

Security and Compliance

Storing access logs allows security teams to monitor and detect unauthorized access attempts and security breaches, and helps to satisfy compliance requirements for data access audit trails.

Design

This bundle is designed around the specific use-case of storing application and access logs. For this reason, assumptions are made regarding the configuration of the bucket. For example, public access is disabled and object versioning is disabled.

Best Practices

High Availability

Deploys regional S3 for high availability in the event of a zonal failure

Dedicated KMS Key

Uses a dedicated KMS key with narrowly scoped permissions for encryption

Security

KMS Encryption

A KMS key is created and narrowly scoped to the bucket for encrypting all assets.

Private ACL

No public access is allowed to this bucket

Access Logging

Access logging can be enabled, which will create an additional S3 bucket to store access logs for compliance requirements

Policies

The following policies are created for managing access to the S3 bucket.

  • read: Grants read access to objects in the bucket
  • write: Grants access to write objects to the bucket

Variables

  • bucket.customer_managed_key (boolean): Enabling this will provision a new customer managed KMS key for object encryption. Leave this setting disabled to use default encryption.
  • bucket.force_destroy (boolean): WARNING: Enabling this will delete all objects in the bucket during decommission. Disabling will block bucket deletion unless the bucket is empty.
  • bucket.region (string): AWS Region to provision in.
  • lifecycle_settings.expire (boolean): Enable the expiration (deletion) of objects after the specified time.
  • lifecycle_settings.transition_rules[].days (integer): Number of days after creation when objects are transitioned to the specified storage class.
  • lifecycle_settings.transition_rules[].storage_class (string): S3 storage class to transition to. Refer to the AWS S3 storage class documentation for details on each storage class.
  • monitoring.access_logging (boolean): Enabling this will create an additional bucket for storing access logs.
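The following drift check is an added example, not code from the aws-s3-logs-bucket bundle: it compares a bucket's effective settings with the design assumptions stated above (public access blocked, SSE-KMS default encryption with the dedicated key, versioning disabled). The inputs are dicts in the shape the boto3 S3 client returns from get_public_access_block, get_bucket_encryption and get_bucket_versioning; the sample responses and the KMS key ARN are constructed placeholders, so nothing calls AWS.

```python
# Added drift check against the logs-bucket design assumptions above.
# Inputs mirror the boto3 s3 client responses for get_public_access_block,
# get_bucket_encryption and get_bucket_versioning; samples are constructed
# inline and the key ARN is a placeholder, so no AWS calls are made.

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")

def check_public_access(pab):
    # Every one of the four block-public-access flags must be true.
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"{flag} is not true" for flag in PUBLIC_ACCESS_FLAGS if not cfg.get(flag)]

def check_encryption(enc, expected_key=None):
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            findings.append(f"default encryption is {algo!r}, expected aws:kms")
        elif expected_key and default.get("KMSMasterKeyID") != expected_key:
            # Exact string match; pass the key in the same form S3 stores it.
            findings.append("default encryption does not use the dedicated KMS key")
    return findings

def check_versioning(ver):
    # The design disables versioning; S3 omits Status when it was never enabled.
    if ver.get("Status") == "Enabled":
        return ["versioning is enabled; the logs bucket design expects it disabled"]
    return []

def audit(pab, enc, ver, expected_key=None):
    return check_public_access(pab) + check_encryption(enc, expected_key) + check_versioning(ver)

# Constructed samples: one compliant bucket and one that has drifted.
DEDICATED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
GOOD_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS}}
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
            {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": DEDICATED_KEY}}]}}
GOOD_VER = {"Status": "Suspended"}
DRIFTED_PAB = {"PublicAccessBlockConfiguration": {**GOOD_PAB["PublicAccessBlockConfiguration"], "BlockPublicPolicy": False}}
DRIFTED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for finding in audit(DRIFTED_PAB, DRIFTED_ENC, {"Status": "Enabled"}):
        print(finding)
```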