Well Architected S3 Bucket that uses S3_MANAGED encryption, enforces SSL, denies public access, and is versioned.

Default Configuration

  • Encryption: S3 Managed
  • Versioned: True
  • Removal Policy: Retain in Production

Default Alarms

None

Note that the default alarm uses the WaAlarm construct, which sets up an alarm action to notify the SNS Topic AlarmEventsTopic by default.

Examples

Default Usage

new WaBucket(this, "LogicalId", {});

Custom Configuration

new WaBucket(this, "LogicalId", {
  enforceSSL: false
});

Compliance

It addresses the following compliance requirements:

  1. Blocks public access
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  2. S3 Bucket Logging Enabled
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  3. Bucket versioning enabled in Production Environment
    • Risk Level: Low
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Reliability
  4. Block S3 Bucket Public 'READ' Access
    • Risk Level: Very High
    • Compliance: PCI, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  5. S3 Bucket should have Retain Policy in Production Environment
    • Risk Level: High
    • Compliance: NA
    • Well Architected Pillar: Reliability
  6. Only allow secure transport protocols
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  7. Server side encryption
    • Risk Level: High
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  8. S3 Bucket Block ACLs
    • Risk Level: Very High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
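
The following added example (not part of the WaBucket library or its documentation) audits a synthesized CloudFormation template for the bucket-level controls listed above, using the standard AWS::S3::Bucket and AWS::S3::BucketPolicy properties; logging is not checked. The function names, control labels and sample template are constructed for illustration, and the mapping from each listed control to a template property is an assumption about what the construct synthesizes. The sample without a bucket policy stands in for a bucket created with enforceSSL: false.

```typescript
// Added example (not WaBucket library code): audit a synthesized template for the listed controls.
type Json = any; // untyped CloudFormation JSON

// True when a bucket policy attached to `bucketId` denies requests made without TLS.
function hasSslDeny(resources: Json, bucketId: string): boolean {
  return Object.keys(resources).some((id) => {
    const res: Json = resources[id];
    if (res.Type !== "AWS::S3::BucketPolicy" || res.Properties?.Bucket?.Ref !== bucketId) return false;
    const raw: Json = res.Properties?.PolicyDocument?.Statement ?? [];
    const stmts: Json[] = Array.isArray(raw) ? raw : [raw];
    return stmts.some((s: Json) => s.Effect === "Deny" &&
      String(s.Condition?.Bool?.["aws:SecureTransport"]) === "false");
  });
}

// Maps each AWS::S3::Bucket logical id to the list of controls it fails (empty list = all pass).
function auditBuckets(template: Json): Record<string, string[]> {
  const resources: Json = template.Resources ?? {};
  const findings: Record<string, string[]> = {};
  for (const id of Object.keys(resources)) {
    const res: Json = resources[id];
    if (res.Type !== "AWS::S3::Bucket") continue;
    const p: Json = res.Properties ?? {};
    const pab: Json = p.PublicAccessBlockConfiguration ?? {};
    const sse: Json[] = p.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
    const failed: string[] = [];
    if (!(pab.BlockPublicPolicy === true && pab.RestrictPublicBuckets === true)) failed.push("public-access");
    if (!(pab.BlockPublicAcls === true && pab.IgnorePublicAcls === true)) failed.push("block-acls");
    if (p.VersioningConfiguration?.Status !== "Enabled") failed.push("versioning");
    if (!sse.some((r: Json) => Boolean(r.ServerSideEncryptionByDefault?.SSEAlgorithm))) failed.push("encryption");
    if (res.DeletionPolicy !== "Retain") failed.push("retain-policy");
    if (!hasSslDeny(resources, id)) failed.push("secure-transport");
    findings[id] = failed;
  }
  return findings;
}

// Constructed sample template; logical ids and values are illustrative only.
function sampleTemplate(withSslPolicy: boolean): Json {
  const Resources: Json = { Bucket1: { Type: "AWS::S3::Bucket", DeletionPolicy: "Retain", Properties: {
    PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
      IgnorePublicAcls: true, RestrictPublicBuckets: true },
    VersioningConfiguration: { Status: "Enabled" },
    BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] } } } };
  if (withSslPolicy) Resources["Bucket1Policy"] = { Type: "AWS::S3::BucketPolicy", Properties: {
    Bucket: { Ref: "Bucket1" }, PolicyDocument: { Statement: [{ Effect: "Deny", Action: "s3:*",
      Principal: { AWS: "*" }, Condition: { Bool: { "aws:SecureTransport": "false" } } }] } } };
  return { Resources };
}
```
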

Hierarchy

  • Bucket
    • WaBucket

Constructors

  • Parameters

    Returns WaBucket

Methods

  • Parameters

    Returns undefined | IBucket
