

# Amazon S3
<a name="automation-ref-s3"></a>

 AWS Systems Manager Automation provides predefined runbooks for Amazon Simple Storage Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-ArchiveS3BucketToIntelligentTiering`](automation-aws-archives3buckettointelligenttiering.md)
+ [`AWS-ConfigureS3BucketLogging`](automation-aws-configures3bucketlogging.md)
+ [`AWS-ConfigureS3BucketVersioning`](automation-aws-configures3bucketversioning.md)
+ [`AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock`](automation-aws-block-public-s3-bucket.md)
+ [`AWSConfigRemediation-ConfigureS3PublicAccessBlock`](automation-aws-block-public-s3.md)
+ [`AWS-CreateS3PolicyToExpireMultipartUploads`](AWS-CreateS3PolicyToExpireMultipartUploads.md)
+ [`AWS-DisableS3BucketPublicReadWrite`](automation-aws-disables3bucketpublicreadwrite.md)
+ [`AWS-EnableS3BucketEncryption`](automation-aws-enableS3bucketencryption.md)
+ [`AWS-EnableS3BucketKeys`](automation-aws-enableS3bucketkeys.md)
+ [`AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy`](automation-aws-remove-s3-wildcard.md)
+ [`AWSConfigRemediation-RestrictBucketSSLRequestsOnly`](automation-aws-s3-deny-http.md)
+ [`AWSSupport-TroubleshootS3PublicRead`](automation-awssupport-troubleshoots3publicread.md)
+ [`AWSSupport-ConfigureS3ReplicationSameAndCrossAccount`](automation-aws-configures3replicationsameandcrossaccount.md)
+ [`AWSSupport-EmptyS3Bucket`](automation-aws-empty-s3-bucket.md)
+ [`AWSSupport-TroubleshootS3EventNotifications`](awssupport-troubleshoot-s3-event-notifications.md)
+ [`AWSSupport-ContainS3Resource`](automation-awssupport-contains3resource.md)

# `AWS-ArchiveS3BucketToIntelligentTiering`
<a name="automation-aws-archives3buckettointelligenttiering"></a>

 **Description** 

The `AWS-ArchiveS3BucketToIntelligentTiering` runbook creates, or replaces, an intelligent tiering configuration for the Amazon Simple Storage Service (Amazon S3) bucket you specify.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ArchiveS3BucketToIntelligentTiering) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket you want to create an intelligent tiering configuration for.
+ ConfigurationId

  Type: String

   Description: (Required) The ID for the intelligent tiering configuration. This can be a new configuration ID, or the ID of an existing configuration.
+ NumberOfDaysToArchive

  Type: String

  Valid values: 90-730

  Description: (Required) The number of consecutive days without access after which an object in your bucket becomes eligible for transition to the Archive Access tier.
+ NumberOfDaysToDeepArchive

  Type: String

  Valid values: 180-730

  Description: (Required) The number of consecutive days without access after which an object in your bucket becomes eligible for transition to the Deep Archive Access tier.
+ S3Prefix

  Type: String

  Description: (Optional) The key name prefix of the objects you want to apply the configuration to.
+ Tags

  Type: MapList

  Description: (Optional) Metadata assigned to the objects you want to apply the configuration to. Tags consist of a user-defined key and value.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `s3:GetIntelligentTieringConfiguration`
+ `s3:PutIntelligentTieringConfiguration`

 **Document Steps** 
+ PutsBucketIntelligentTieringConfiguration (aws:executeScript) - Creates or updates an Amazon S3 Intelligent-Tiering configuration for the specified bucket.
+ VerifyBucketIntelligentTieringConfiguration (aws:assertAwsResourceProperty) - Verifies that the Intelligent-Tiering configuration was applied to the specified bucket.

# `AWS-ConfigureS3BucketLogging`
<a name="automation-aws-configures3bucketlogging"></a>

 **Description** 

Enable logging on an Amazon Simple Storage Service (Amazon S3) bucket.

**Important**  
Note the following important information regarding the Email Grantee ACL for the Amazon S3 [PutBucketLogging](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html) API, which is used by this runbook:  
End of support notice: Beginning October 1, 2025, Amazon S3 will discontinue support for creating new Email Grantee Access Control Lists (ACL). Email Grantee ACLs created prior to this date will continue to work and remain accessible through the AWS Management Console, AWS CLI (CLI), SDKs, and REST API. However, you will no longer be able to create new Email Grantee ACLs. Between July 15, 2025 and October 1, 2025, you will begin to see an increasing rate of HTTP 405 errors for requests to Amazon S3 when attempting to create new Email Grantee ACLs.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ConfigureS3BucketLogging) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 Bucket for which you want to configure logging.
+ GrantedPermission

  Type: String

  Valid values: FULL_CONTROL | READ | WRITE

  Description: (Required) Logging permissions assigned to the grantee for the bucket.
+ GranteeEmailAddress

  Type: String

  Description: (Optional) Email address of the grantee.
+ GranteeId

  Type: String

  Description: (Optional) The canonical user ID of the grantee.
+ GranteeType

  Type: String

  Valid values: CanonicalUser | AmazonCustomerByEmail | Group

  Description: (Required) Type of grantee.
+ GranteeUri

  Type: String

  Description: (Optional) URI of the grantee group.
+ TargetBucket

  Type: String

  Description: (Required) Specifies the bucket where you want Amazon S3 to store server access logs. You can have your logs delivered to any bucket that you own. You can also configure multiple buckets to deliver their logs to the same target bucket. In this case you should choose a different TargetPrefix for each source bucket so that the delivered log files can be distinguished by key.
+ TargetPrefix

  Type: String

  Default: /

  Description: (Optional) Specifies a prefix for the keys under which the log files will be stored.

# `AWS-ConfigureS3BucketVersioning`
<a name="automation-aws-configures3bucketversioning"></a>

 **Description** 

Configure versioning for an Amazon Simple Storage Service (Amazon S3) bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ConfigureS3BucketVersioning) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 bucket you want to configure versioning for.
+ VersioningState

  Type: String

  Valid values: Enabled | Suspended

  Default: Enabled

   Description: (Optional) Applied to the `VersioningConfiguration.Status` field. When set to `Enabled`, this process enables versioning for the objects in the bucket, and all objects added to the bucket receive a unique version ID. When set to `Suspended`, this process disables versioning for the objects in the bucket, and all objects added to the bucket receive the version ID `null`. 

# `AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock`
<a name="automation-aws-block-public-s3-bucket"></a>

 **Description** 

 The `AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock` runbook configures the Amazon Simple Storage Service (Amazon S3) public access block settings for an Amazon S3 bucket based on the values you specify in the runbook parameters. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BlockPublicAcls

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 blocks public access control lists (ACLs) for the S3 bucket, and objects stored in the S3 bucket you specify in the `BucketName` parameter. 
+ BlockPublicPolicy

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 blocks public bucket policies for the S3 bucket you specify in the `BucketName` parameter. 
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket you want to configure.
+ IgnorePublicAcls

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 ignores all public ACLs for the S3 bucket you specify in the `BucketName` parameter. 
+ RestrictPublicBuckets

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 restricts public bucket policies for the S3 bucket you specify in the `BucketName` parameter. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `s3:GetAccountPublicAccessBlock` 
+  `s3:PutAccountPublicAccessBlock` 
+  `s3:GetBucketPublicAccessBlock` 
+  `s3:PutBucketPublicAccessBlock` 

 **Document Steps** 
+  `aws:executeAwsApi` - Creates or modifies the `PublicAccessBlock` configuration for the S3 bucket specified in the `BucketName` parameter. 
+  `aws:executeScript` - Returns the `PublicAccessBlock` configuration for the S3 bucket specified in the `BucketName` parameter, and verifies the changes were successfully made based on the values specified in the runbook parameters. 

# `AWSConfigRemediation-ConfigureS3PublicAccessBlock`
<a name="automation-aws-block-public-s3"></a>

 **Description** 

 The `AWSConfigRemediation-ConfigureS3PublicAccessBlock` runbook configures an AWS account's Amazon Simple Storage Service (Amazon S3) public access block settings based on the values you specify in the runbook parameters. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-ConfigureS3PublicAccessBlock) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AccountId

  Type: String

  Description: (Required) The ID of the AWS account that owns the S3 bucket you are configuring.
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BlockPublicAcls

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 blocks public access control lists (ACLs) for S3 buckets owned by the AWS account you specify in the `AccountId` parameter. 
+ BlockPublicPolicy

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 blocks public bucket policies for S3 buckets owned by the AWS account you specify in the `AccountId` parameter. 
+ IgnorePublicAcls

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 ignores all public ACLs for S3 buckets owned by the AWS account you specify in the `AccountId` parameter. 
+ RestrictPublicBuckets

  Type: Boolean

  Default: true

   Description: (Optional) If set to `true` , Amazon S3 restricts public bucket policies for S3 buckets owned by the AWS account you specify in the `AccountId` parameter. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `s3:GetAccountPublicAccessBlock` 
+  `s3:PutAccountPublicAccessBlock` 

 **Document Steps** 
+  `aws:executeAwsApi` - Creates or modifies the `PublicAccessBlock` configuration for the AWS account specified in the `AccountId` parameter. 
+  `aws:executeScript` - Returns the `PublicAccessBlock` configuration for the AWS account specified in the `AccountId` parameter, and verifies the changes were successfully made based on the values specified in the runbook parameters. 

# `AWS-CreateS3PolicyToExpireMultipartUploads`
<a name="AWS-CreateS3PolicyToExpireMultipartUploads"></a>

 **Description** 

The `AWS-CreateS3PolicyToExpireMultipartUploads` runbook creates a lifecycle policy for the specified bucket that expires incomplete multipart uploads after a defined number of days. The runbook merges the new lifecycle policy with any lifecycle policies that already exist on the bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateS3PolicyToExpireMultipartUploads) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket you want to configure.
+ DaysUntilExpire

  Type: Integer

   Description: (Required) The number of days Amazon S3 waits before permanently removing all parts of the upload.
+ RuleId

  Type: String

   Description: (Required) The ID used to identify the lifecycle bucket rule. This must be a unique value.
+ S3Prefix

  Type: String

   Description: (Optional) The key name prefix of the objects you want to apply the configuration to.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:GetAutomationExecution`
+ `ssm:StartAutomationExecution`
+ `s3:GetLifecycleConfiguration`
+ `s3:PutLifecycleConfiguration`

 **Document Steps** 
+ ConfigureExpireMultipartUploads (aws:executeScript) - Configures the lifecycle policy for the bucket.
+ VerifyExpireMultipartUploads (aws:executeScript) - Verifies the lifecycle policy has been configured for the bucket.

 **Outputs** 
+ `VerifyExpireMultipartUploads.VerifyExpireMultipartUploadsResponse`
+ `VerifyExpireMultipartUploads.LifecycleConfigurationRule`
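The merge-then-verify behaviour described above, as an added example that is not the runbook's own script. It builds the abort-incomplete-multipart-upload rule from the `RuleId`, `DaysUntilExpire` and `S3Prefix` values, merges it with a constructed existing configuration (the rule and document shapes follow the S3 lifecycle configuration format), rejects a duplicate `RuleId`, and then performs the verification step on the result.

```python
"""Merge a rule that aborts incomplete multipart uploads into a bucket's lifecycle configuration.

Added example, not the runbook's own script. The existing configuration below is
constructed; in practice it would come from GetBucketLifecycleConfiguration, and a
bucket without one raises NoSuchLifecycleConfiguration (handled here as None).
"""
from typing import Any, Dict, List, Optional


def build_abort_mpu_rule(rule_id: str, days_until_expire: int, s3_prefix: str = "") -> Dict[str, Any]:
    """An empty prefix applies the rule to every object key in the bucket."""
    if days_until_expire < 1:
        raise ValueError("DaysUntilExpire must be a positive number of days")
    return {
        "ID": rule_id,
        "Filter": {"Prefix": s3_prefix},
        "Status": "Enabled",
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days_until_expire},
    }


def merge_lifecycle_rule(existing: Optional[Dict[str, Any]], new_rule: Dict[str, Any]) -> Dict[str, Any]:
    """Append new_rule to the rules already on the bucket (None when there are none).

    The merge matters because PutBucketLifecycleConfiguration replaces the whole
    rule set: writing only the new rule would silently drop every existing rule.
    A duplicate ID is rejected because RuleId must be unique.
    """
    rules: List[Dict[str, Any]] = list((existing or {}).get("Rules", []))
    if any(rule.get("ID") == new_rule["ID"] for rule in rules):
        raise ValueError(f"RuleId {new_rule['ID']!r} already exists; RuleId must be unique")
    return {"Rules": rules + [new_rule]}


def verify_abort_mpu_rule(config: Dict[str, Any], rule_id: str,
                          days_until_expire: int, s3_prefix: str = "") -> bool:
    """Verification step: the rule is present, enabled, and carries the requested values."""
    for rule in config.get("Rules", []):
        if rule.get("ID") != rule_id:
            continue
        abort = rule.get("AbortIncompleteMultipartUpload", {})
        return (rule.get("Status") == "Enabled"
                and abort.get("DaysAfterInitiation") == days_until_expire
                and rule.get("Filter", {}).get("Prefix", "") == s3_prefix)
    return False


# Constructed existing configuration: one transition rule that must survive the merge.
SAMPLE_EXISTING_CONFIG = {
    "Rules": [
        {"ID": "ArchiveLogs", "Filter": {"Prefix": "logs/"}, "Status": "Enabled",
         "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
    ]
}

if __name__ == "__main__":
    rule = build_abort_mpu_rule("ExpireIncompleteUploads", 7)
    merged = merge_lifecycle_rule(SAMPLE_EXISTING_CONFIG, rule)
    print([r["ID"] for r in merged["Rules"]])  # ['ArchiveLogs', 'ExpireIncompleteUploads']
    print(verify_abort_mpu_rule(merged, "ExpireIncompleteUploads", 7))  # True
```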

# `AWS-DisableS3BucketPublicReadWrite`
<a name="automation-aws-disables3bucketpublicreadwrite"></a>

 **Description** 

 Use Amazon Simple Storage Service (Amazon S3) `Block Public Access` to disable read and write access for a public S3 bucket. For more information, see [Using Amazon S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) in the *Amazon Simple Storage Service User Guide* . 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-DisableS3BucketPublicReadWrite) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ S3BucketName

  Type: String

  Description: (Required) The name of the S3 bucket on which you want to restrict access.

# `AWS-EnableS3BucketEncryption`
<a name="automation-aws-enableS3bucketencryption"></a>

 **Description** 

Configures default encryption for an Amazon Simple Storage Service (Amazon S3) bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableS3BucketEncryption) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket where you want to encrypt the contents.
+ SSEAlgorithm

  Type: String

  Default: AES256

  Description: (Optional) Server-side encryption algorithm to use for the default encryption.

# `AWS-EnableS3BucketKeys`
<a name="automation-aws-enableS3bucketkeys"></a>

 **Description** 

The `AWS-EnableS3BucketKeys` runbook enables Bucket Keys on the Amazon Simple Storage Service (Amazon S3) bucket you specify. This bucket-level key creates data keys for new objects during its lifecycle. If you don't specify a value for the `KmsKeyId` parameter, server-side encryption with Amazon S3 managed keys (SSE-S3) is used for the default encryption configuration. 

**Note**  
Amazon S3 Bucket Keys aren't supported for dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS).

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableS3BucketKeys) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket you want to enable Bucket Keys for.
+ KMSKeyId

  Type: String

   Description: (Optional) The Amazon Resource Name (ARN), key ID, or the key alias of the AWS Key Management Service (AWS KMS) customer managed key you want to use for server-side encryption.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `s3:GetEncryptionConfiguration`
+ `s3:PutEncryptionConfiguration`

 **Document Steps** 
+ ChooseEncryptionType (aws:branch) - Evaluates the value provided for the `KmsKeyId` parameter to determine if SSE-S3 (AES256) or SSE-KMS will be used.
+ PutBucketKeysKMS (aws:executeAwsApi) - Sets the `BucketKeyEnabled` property to `true` for the specified S3 bucket using the specified `KmsKeyId`.
+ PutBucketKeysAES256 (aws:executeAwsApi) - Sets the `BucketKeyEnabled` property to `true` for the specified S3 bucket with AES256 encryption.
+ VerifyS3BucketKeysEnabled (aws:assertAwsResourceProperty) - Verifies that the Bucket Keys are enabled on the target S3 bucket.

# `AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy`
<a name="automation-aws-remove-s3-wildcard"></a>

 **Description** 

 The `AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy` runbook removes principal policy statements that have wildcards ( `Principal: *` or `Principal: "AWS": *` ) for `Allow` actions from your Amazon Simple Storage Service (Amazon S3) bucket policy. Policy statements with conditions are also removed. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-RemovePrincipalStarFromS3BucketPolicy) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 bucket whose policy you want to modify.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `s3:DeleteBucketPolicy` 
+  `s3:GetBucketPolicy` 
+  `s3:PutBucketPolicy` 

 **Document Steps** 
+  `aws:executeScript` - Modifies the bucket policy and verifies principal policy statements with wildcards have been removed from the Amazon S3 bucket you specify in the `BucketName` parameter. 
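The statement filter this runbook describes, as an added example that is not the runbook's own script. It drops `Allow` statements whose principal is `*` or `{"AWS": "*"}` (including statements that carry a `Condition`), keeps a wildcard-principal `Deny`, and runs over a constructed policy; the bucket name is the one used in the page's IAM example, and the account ID and role name are placeholders.

```python
"""Remove bucket-policy statements that allow a wildcard principal.

Added example, not the runbook's own script. In a real remediation the returned
document would be written back with PutBucketPolicy, or the policy deleted if no
statements remain.
"""
import json
from typing import Any, Dict, List, Tuple


def is_wildcard_principal(principal: Any) -> bool:
    """True for Principal: "*" and Principal: {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def remove_wildcard_allow_statements(policy: Dict[str, Any]) -> Tuple[Dict[str, Any], List[dict]]:
    """Return (hardened policy, removed statements) without mutating the input.

    Only Allow statements are dropped. A Deny with Principal "*" (for example an
    SSL-only deny) is deliberately kept, since it restricts rather than grants.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    kept, removed = [], []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            removed.append(stmt)
        else:
            kept.append(stmt)
    hardened = dict(policy)
    hardened["Statement"] = kept
    return hardened, removed


# Constructed sample policy: two public Allows (one conditional), one SSL-only
# Deny, and one Allow scoped to a placeholder role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*"},
        {"Sid": "PublicListFromOneVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1",
                      "arn:aws:s3:::amzn-s3-demo-bucket1/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*"},
    ],
}

if __name__ == "__main__":
    hardened, removed = remove_wildcard_allow_statements(SAMPLE_POLICY)
    print("removed:", [s["Sid"] for s in removed])  # ['PublicRead', 'PublicListFromOneVpc']
    print(json.dumps(hardened, indent=2))
```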

# `AWSConfigRemediation-RestrictBucketSSLRequestsOnly`
<a name="automation-aws-s3-deny-http"></a>

 **Description** 

 The `AWSConfigRemediation-RestrictBucketSSLRequestsOnly` runbook creates an Amazon Simple Storage Service (Amazon S3) bucket policy statement that explicitly denies HTTP requests to the Amazon S3 bucket you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-RestrictBucketSSLRequestsOnly) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BucketName

  Type: String

  Description: (Required) The name of the S3 bucket for which you want to deny HTTP requests.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `s3:DeleteBucketPolicy` 
+  `s3:GetBucketPolicy` 
+  `s3:PutEncryptionConfiguration` 
+  `s3:PutBucketPolicy` 

 **Document Steps** 
+  `aws:executeScript` - Creates a bucket policy for the S3 bucket specified in the `BucketName` parameter that explicitly denies HTTP requests. 
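The kind of statement this runbook adds, as an added example that is not the runbook's own script: a `Deny` of `s3:*` for every principal when the `aws:SecureTransport` global condition key is `false`, merged into an existing policy (or a new one) without duplicating itself on re-runs. The `Sid` and the partition handling (`aws`, `aws-us-gov`, `aws-cn`) are this example's own choices.

```python
"""Add an explicit deny for non-TLS requests to an S3 bucket policy.

Added example, not the runbook's own script. A bucket with no policy at all
(GetBucketPolicy raises NoSuchBucketPolicy) is handled by passing None.
"""
import json
from typing import Any, Dict, List, Optional

SSL_ONLY_SID = "DenyNonTLSRequests"  # Sid chosen for this example


def _as_list(value: Any) -> List[Any]:
    """Policy elements such as Action, Resource and Statement may be a string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ssl_only_statement(bucket: str, partition: str = "aws") -> Dict[str, Any]:
    """Deny statement covering both the bucket and every object in it."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    return {
        "Sid": SSL_ONLY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def has_ssl_only_deny(policy: Dict[str, Any], bucket: str, partition: str = "aws") -> bool:
    """True if a Deny already blocks plain-HTTP s3:* for all principals on the bucket and its objects."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() != "false":  # accepts the string "false" or JSON false
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        if {bucket_arn, f"{bucket_arn}/*"} <= set(_as_list(stmt.get("Resource"))):
            return True
    return False


def restrict_to_ssl_requests(policy: Optional[Dict[str, Any]], bucket: str,
                             partition: str = "aws") -> Dict[str, Any]:
    """Return the policy with the SSL-only deny present; the input is not mutated."""
    if policy is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    if has_ssl_only_deny(policy, bucket, partition):
        return policy
    updated = dict(policy)
    updated["Statement"] = _as_list(policy.get("Statement")) + [ssl_only_statement(bucket, partition)]
    return updated


if __name__ == "__main__":
    # Constructed existing policy; the account ID and role name are placeholders.
    existing = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*"}]}
    print(json.dumps(restrict_to_ssl_requests(existing, "amzn-s3-demo-bucket1"), indent=2))
```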

# `AWSSupport-TroubleshootS3PublicRead`
<a name="automation-awssupport-troubleshoots3publicread"></a>

 **Description** 

 The `AWSSupport-TroubleshootS3PublicRead` runbook diagnoses issues reading objects from the public Amazon Simple Storage Service (Amazon S3) bucket you specify in the `S3BucketName` parameter. A subset of settings is also analyzed for objects in the S3 bucket. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootS3PublicRead) 

 **Limitations** 
+ This automation does not check for access points that allow public access to objects.
+ This automation does not evaluate condition keys in the S3 bucket policy.
+ If you're using AWS Organizations, this automation does not evaluate service control policies to confirm that access to Amazon S3 is allowed.

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ CloudWatchLogGroupName

  Type: String

  Description: (Optional) The Amazon CloudWatch Logs log group where you want to send the automation output. If a log group is not found that matches the value you specify, the automation will create a log group using this parameter value. The retention period for the log group created by this automation is 14 days.
+ CloudWatchLogStreamName

  Type: String

   Description: (Optional) The CloudWatch Logs log stream where you want to send the automation output. If a log stream is not found that matches the value you specify, the automation will create a log stream using this parameter value. If you do not specify a value for this parameter, the automation will use the `ExecutionId` for the name of the log stream. 
+ HttpGet

  Type: Boolean

  Valid values: true | false

  Default: true

   Description: (Optional) If this parameter is set to `true` , the automation makes a partial HTTP request to the objects in the `S3BucketName` you specify. Only the first byte of the object is returned using the Range HTTP header. 
+ IgnoreBlockPublicAccess

  Type: Boolean

  Valid values: true | false

  Default: false

   Description: (Optional) If this parameter is set to `true` , the automation ignores the public access block settings of the S3 bucket you specify in the `S3BucketName` parameter. Changing this parameter from the default value is not recommended. 
+ MaxObjects

  Type: Integer

  Valid values: 1-25

  Default: 5

   Description: (Optional) The number of objects to analyze in the S3 bucket you specify in the `S3BucketName` parameter. 
+ S3BucketName

  Type: String

  Description: (Required) The name of the S3 bucket to troubleshoot.
+ S3PrefixName

  Type: String

   Description: (Optional) The key name prefix of the objects you want to analyze in your S3 bucket. For more information, see [Object keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMetadata.html#object-keys) in the *Amazon Simple Storage Service User Guide* . 
+ StartAfter

  Type: String

  Description: (Optional) The object key name where you want the automation to begin analyzing objects in your S3 bucket.
+ ResourcePartition

  Type: String

   Valid values: `aws` | `aws-us-gov` | `aws-cn` 

   Default: `aws` 

  Description: (Required) The partition where your S3 bucket is located.
+ Verbose

  Type: Boolean

  Valid values: true | false

  Default: false

   Description: (Optional) To return more detailed information during the automation, set this parameter to `true` . Only warning and error messages will be returned if the parameter is set to `false` . 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.

 The `logs:CreateLogGroup` , `logs:CreateLogStream` , and `logs:PutLogEvents` permissions are only required if you want the automation to send log data to CloudWatch Logs. 


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:SimulateCustomPolicy",
                "iam:GetContextKeysForCustomPolicy",
                "s3:ListAllMyBuckets",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutRetentionPolicy",
                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPolicy",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1",
            "Effect": "Allow"
        }
    ]
}
```


 **Document Steps** 
+  `aws:assertAwsResourceProperty` - Confirms the S3 bucket exists, and is accessible. 
+  `aws:executeScript` - Returns the S3 bucket location and your canonical user ID. 
+  `aws:executeScript` - Returns the public access block settings for your account and the S3 bucket. 
+  `aws:assertAwsResourceProperty` - Confirms the S3 bucket payer is set to `BucketOwner` . If `Requester Pays` is enabled on the S3 bucket, the automation ends. 
+  `aws:executeScript` - Returns the S3 bucket policy status and determines whether it is considered public. For more information about public S3 buckets, see [The meaning of "public"](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon Simple Storage Service User Guide* . 
+  `aws:executeAwsApi` - Returns the S3 bucket policy. 
+  `aws:executeAwsApi` - Returns all context keys found in the S3 bucket policy. 
+  `aws:assertAwsResourceProperty` - Confirms whether there is an explicit deny in the S3 bucket policy for the `GetObject` API action. 
+  `aws:executeAwsApi` - Returns the access control list (ACL) for the S3 bucket. 
+  `aws:executeScript` - Creates a CloudWatch Logs log group and log stream if you specify a value for the `CloudWatchLogGroupName` parameter. 
+  `aws:executeScript` - Based on the values you specify in the runbook input parameters, evaluates whether any of the S3 bucket settings gathered during the automation are preventing objects from being accessed by the public. This script performs the following functions: 
  + Evaluates public access block settings
  +  Returns objects from your S3 bucket based on the values you specify in the `MaxObjects` , `S3PrefixName` , and `StartAfter` parameters. 
  + Returns the S3 bucket policy to simulate a custom IAM policy for the objects returned from your S3 bucket.
  +  Performs a partial HTTP request to the returned objects if the `HttpGet` parameter is set to `true` . Only the first byte of the object is returned using the Range HTTP header. 
  + Checks the returned object's key name to confirm whether it ends with one or two periods. Object key names that end in periods can't be downloaded from the Amazon S3 console.
  + Checks whether the returned object's owner matches the owner of the S3 bucket.
  +  Checks whether the object's ACL grants `READ` or `FULL_CONTROL` permissions to anonymous users. 
  + Returns tags associated with the object.
  +  Uses the simulated IAM policy to confirm whether there is an explicit deny for this object in the S3 bucket policy for the `GetObject` API action. 
  + Returns the object's metadata to confirm that the storage class is supported.
  + Checks the object's server-side encryption settings to confirm whether the object is encrypted using an AWS Key Management Service (AWS KMS) customer managed key.
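A subset of the evaluation the `AnalyzeObjects` step performs, as an added example that is not the runbook's own script. It combines the account and bucket public access block settings, checks the object ACL for `READ` or `FULL_CONTROL` grants to the AllUsers group, compares object and bucket owner, flags keys ending in a period, archived storage classes and SSE-KMS, and reports what blocks (or merely hinders) an anonymous `GetObject`. The snapshot is constructed with placeholder owner IDs and follows the `GetPublicAccessBlock`, `GetObjectAcl` and `HeadObject` response shapes; bucket-policy simulation and the HTTP range probe are not reproduced.

```python
"""Evaluate gathered S3 bucket and object settings for anonymous (public) read.

Added example, not the AWSSupport-TroubleshootS3PublicRead script itself.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# Classes that need a restore before GetObject succeeds (assumption for this example).
ARCHIVED_STORAGE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketSnapshot:
    name: str
    owner_id: str                      # canonical user ID of the bucket owner
    account_pab: Dict[str, bool] = field(default_factory=dict)
    bucket_pab: Dict[str, bool] = field(default_factory=dict)


@dataclass
class ObjectSnapshot:
    key: str
    owner_id: str
    acl_grants: List[Dict[str, Any]] = field(default_factory=list)  # GetObjectAcl "Grants"
    storage_class: str = "STANDARD"
    sse: Optional[str] = None          # HeadObject ServerSideEncryption: "AES256" or "aws:kms"


def effective_public_access_block(bucket: BucketSnapshot) -> Dict[str, bool]:
    """Account-level and bucket-level settings combine; either one being on is enough."""
    return {k: bool(bucket.account_pab.get(k)) or bool(bucket.bucket_pab.get(k)) for k in PAB_KEYS}


def acl_grants_anonymous_read(grants: List[Dict[str, Any]]) -> bool:
    """READ or FULL_CONTROL granted to the AllUsers group, i.e. to anonymous requests."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS_URI
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def analyze_object(bucket: BucketSnapshot, obj: ObjectSnapshot) -> Dict[str, Any]:
    pab = effective_public_access_block(bucket)
    blockers: List[str] = []   # conditions under which an anonymous GetObject fails
    warnings: List[str] = []   # conditions worth reporting that do not by themselves fail it
    acl_public = acl_grants_anonymous_read(obj.acl_grants)
    if not acl_public:
        blockers.append("object ACL grants neither READ nor FULL_CONTROL to AllUsers")
    elif pab["IgnorePublicAcls"]:
        blockers.append("IgnorePublicAcls is on, so the public ACL grant is ignored")
    if pab["RestrictPublicBuckets"]:
        warnings.append("RestrictPublicBuckets is on: a public bucket policy cannot grant anonymous access")
    if obj.owner_id != bucket.owner_id:
        warnings.append("object owner differs from bucket owner; the object's own ACL governs access")
    if obj.key.endswith("."):
        warnings.append("key ends with a period; such objects cannot be downloaded from the S3 console")
    if obj.storage_class in ARCHIVED_STORAGE_CLASSES:
        blockers.append(f"storage class {obj.storage_class} requires a restore before GetObject")
    if obj.sse == "aws:kms":
        blockers.append("SSE-KMS object: anonymous requests cannot call kms:Decrypt")
    return {"key": obj.key, "anonymous_read_via_acl": not blockers,
            "blockers": blockers, "warnings": warnings}


def analyze_all(bucket: BucketSnapshot, objects: List[ObjectSnapshot]) -> List[Dict[str, Any]]:
    return [analyze_object(bucket, o) for o in objects]


# Constructed snapshot: owner IDs are placeholders, not real canonical user IDs.
PUBLIC_READ_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}
SAMPLE_BUCKET = BucketSnapshot("amzn-s3-demo-bucket1", "owner-canonical-id-EXAMPLE",
                               account_pab={k: False for k in PAB_KEYS},
                               bucket_pab={k: False for k in PAB_KEYS})
SAMPLE_OBJECTS = [
    ObjectSnapshot("site/index.html", "owner-canonical-id-EXAMPLE", [PUBLIC_READ_GRANT], sse="AES256"),
    ObjectSnapshot("backup/db.dump", "owner-canonical-id-EXAMPLE", [PUBLIC_READ_GRANT], sse="aws:kms"),
    ObjectSnapshot("notes..", "other-account-canonical-id-EXAMPLE", [], storage_class="GLACIER"),
]

if __name__ == "__main__":
    for result in analyze_all(SAMPLE_BUCKET, SAMPLE_OBJECTS):
        print(result)
```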

 **Outputs** 
+ `AnalyzeObjects.bucket`
+ `AnalyzeObjects.object`

# `AWSSupport-ConfigureS3ReplicationSameAndCrossAccount`
<a name="automation-aws-configures3replicationsameandcrossaccount"></a>

 **Description** 

The `AWSSupport-ConfigureS3ReplicationSameAndCrossAccount` automation runbook configures Amazon Simple Storage Service (Amazon S3) bucket replication between a source and a destination bucket, either within the same AWS account or across accounts. The automation supports buckets encrypted with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) and with Server-Side Encryption with AWS Key Management Service keys (SSE-KMS), prefix- and tag-based selective replication filtering, Amazon S3 Replication Time Control (Amazon S3 RTC) with its 15-minute SLA, and delete marker replication. The automation performs the following actions:
+ Validates input parameters and bucket configurations for compatibility.
+ Checks encryption settings on both source and destination buckets.
+ Creates a new AWS Identity and Access Management (IAM) role with appropriate permissions for replication if not provided as an input.
+ Configures replication rules based on specified parameters (prefix, tags, or entire bucket).
+ Enables bucket versioning if not already enabled.
+ Sets up replication configuration with optional features like Replication Time Control (RTC) and delete marker replication.

**Important**  
**This automation does not support buckets with existing replication rules.** The source bucket must not have any existing replication configuration.
**This automation creates a new IAM role** with appropriate permissions for replication if the `S3ReplicationRole` input is not provided.
**This automation does not replicate existing objects.** Amazon S3 replication only applies to objects uploaded/created after the replication configuration is enabled.
For cross-account replication, you must provide an IAM role in the destination account with appropriate permissions for Amazon S3 operations and, if the destination bucket uses AWS KMS encryption, for AWS KMS operations.
This automation uses the `aws:approve` action, which temporarily pauses execution until the designated principals approve the configuration changes. See [Running an automation with approvers](https://docs.aws.amazon.com//systems-manager/latest/userguide/running-automations-require-approvals.html) for more information.

 **How does it work?** 

The runbook performs the following steps:
+ **ValidateInputParameters**: Validates all input parameters for correctness and compatibility to ensure proper replication configuration.
+ **PrepareApprovalMessage**: Prepares an approval message with all replication configuration parameters for user review.
+ **RequestApproval**: Requests approval from authorized users before adding Amazon S3 replication configuration on the source bucket.
+ **CheckBucketEncryption**: Checks encryption configuration for both source and destination Amazon S3 buckets to determine compatible replication settings.
+ **BranchOnEncryptionType**: Branches execution based on Amazon S3 bucket encryption type to apply appropriate replication configuration for SSE-S3 or SSE-KMS encrypted buckets.
+ **ConfigureSSES3Replication**: Configures Amazon S3 replication for buckets encrypted with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), including IAM roles and replication rules.
+ **ConfigureSSEKMSReplication**: Configures Amazon S3 replication for buckets encrypted with Server-Side Encryption with AWS KMS (SSE-KMS), including IAM roles, KMS key permissions, and replication rules.
+ **CleanupResources**: Deletes the IAM role the automation created if the replication configuration fails and `S3ReplicationRole` was not provided as an input.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount) 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ s3:ListBucket
+ s3:GetBucketVersioning
+ s3:GetEncryptionConfiguration
+ s3:GetBucketLocation
+ s3:GetReplicationConfiguration
+ s3:PutBucketVersioning
+ s3:PutReplicationConfiguration
+ iam:ListRoles
+ iam:GetRole
+ iam:GetRolePolicy
+ iam:ListRoleTags
+ iam:ListAttachedRolePolicies
+ iam:ListRolePolicies
+ iam:SimulatePrincipalPolicy
+ iam:CreateRole
+ iam:TagRole
+ iam:PassRole
+ iam:DeleteRole
+ iam:DeleteRolePolicy
+ iam:DetachRolePolicy
+ iam:PutRolePolicy
+ sts:GetCallerIdentity
+ sns:Publish
+ kms:GetKeyPolicy (when buckets use SSE-KMS, same-account replication)
+ kms:DescribeKey (when buckets use SSE-KMS, same-account replication)
+ kms:PutKeyPolicy (when buckets use SSE-KMS, same-account replication)
+ sts:AssumeRole (for cross-account replication)

**CrossAccountReplicationRole (for cross-account scenarios):**

For cross-account replication, you must provide a CrossAccountReplicationRole in the destination account with the following permissions:
+ s3:ListBucket
+ s3:GetBucketVersioning
+ s3:GetBucketLocation
+ s3:GetBucketPolicy
+ s3:GetEncryptionConfiguration
+ s3:PutBucketVersioning
+ s3:PutBucketPolicy
+ kms:GetKeyPolicy (when the cross-account destination bucket uses SSE-KMS)
+ kms:DescribeKey (when the cross-account destination bucket uses SSE-KMS)
+ kms:PutKeyPolicy (when the cross-account destination bucket uses SSE-KMS)

**S3ReplicationRole (customer-provided role):**

If you provide an existing S3ReplicationRole, it must have the following permissions:
+ s3:ListBucket
+ s3:GetBucketLocation
+ s3:GetReplicationConfiguration
+ s3:GetObjectVersionAcl
+ s3:GetObjectVersionTagging
+ s3:GetObjectVersionForReplication
+ s3:GetObjectTagging
+ s3:ReplicateObject
+ s3:ReplicateDelete
+ s3:ReplicateTags
+ s3:ObjectOwnerOverrideToBucketOwner
+ kms:Decrypt (for SSE-KMS scenarios, source KMS key)
+ kms:Encrypt (for SSE-KMS scenarios, destination KMS key)
+ kms:GenerateDataKey (for SSE-KMS scenarios, destination KMS key)
+ kms:ReEncrypt* (for SSE-KMS scenarios, destination KMS key)

Example **AutomationAssumeRole** policy for **same-account replication**:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:PutBucketVersioning",
                "s3:PutReplicationConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::SOURCE_BUCKET",
                "arn:aws:s3:::DESTINATION_BUCKET"
            ]
        },
        {
            "Sid": "IAMReadOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListRolesForCleanup",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Sid": "IAMCreateAndTagRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:TagRole"
            ],
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount": "*"
                }
            }
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "s3.amazonaws.com"
                }
            }
        },
        {
            "Sid": "TaggedIAMRoleModifyAndDeleteOperations",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount": "*"
                }
            }
        },
        {
            "Sid": "STSGetCallerIdentity",
            "Effect": "Allow",
            "Action": "sts:GetCallerIdentity",
            "Resource": "*"
        },
        {
            "Sid": "SNSPublish",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "SNS_TOPIC_ARN"
        },
        {
            "Sid": "KMSKeyReadOperations",
            "Effect": "Allow",
            "Action": [
                "kms:GetKeyPolicy",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:REGION:ACCOUNT_ID:key/SOURCE_KMS_KEY_ID",
                "arn:aws:kms:REGION:ACCOUNT_ID:key/DESTINATION_KMS_KEY_ID"
            ]
        },
        {
            "Sid": "KMSKeyMutatingOperations",
            "Effect": "Allow",
            "Action": "kms:PutKeyPolicy",
            "Resource": [
                "arn:aws:kms:REGION:ACCOUNT_ID:key/SOURCE_KMS_KEY_ID",
                "arn:aws:kms:REGION:ACCOUNT_ID:key/DESTINATION_KMS_KEY_ID"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "ACCOUNT_ID"
                }
            }
        }
    ]
}
```

**Note**  
The policy statements `KMSKeyReadOperations` and `KMSKeyMutatingOperations` are only required when the buckets use SSE-KMS encryption.

Example **AutomationAssumeRole** policy for **cross-account replication**:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3SourceBucketOperations",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:PutBucketVersioning",
                "s3:PutReplicationConfiguration"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        },
        {
            "Sid": "IAMReadOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListRolesForCleanup",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        },
        {
            "Sid": "IAMCreateAndTagRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:TagRole"
            ],
            "Resource": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount": "*"
                }
            }
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "s3.amazonaws.com"
                }
            }
        },
        {
            "Sid": "TaggedIAMRoleModifyAndDeleteOperations",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/S3RepRole-*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount": "*"
                }
            }
        },
        {
            "Sid": "CrossAccountRoleAssumption",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "CROSS_ACCOUNT_REPLICATION_ROLE_ARN"
        },
        {
            "Sid": "STSGetCallerIdentity",
            "Effect": "Allow",
            "Action": "sts:GetCallerIdentity",
            "Resource": "*"
        },
        {
            "Sid": "SNSPublish",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "SNS_TOPIC_ARN"
        },
        {
            "Sid": "KMSSourceKeyReadOperations",
            "Effect": "Allow",
            "Action": [
                "kms:GetKeyPolicy",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:SOURCE_REGION:SOURCE_ACCOUNT_ID:key/SOURCE_KMS_KEY_ID"
        },
        {
            "Sid": "KMSSourceKeyMutatingOperations",
            "Effect": "Allow",
            "Action": "kms:PutKeyPolicy",
            "Resource": "arn:aws:kms:SOURCE_REGION:SOURCE_ACCOUNT_ID:key/SOURCE_KMS_KEY_ID",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "SOURCE_ACCOUNT_ID"
                }
            }
        }
    ]
}
```

**Note**  
The policy statements `KMSSourceKeyReadOperations` and `KMSSourceKeyMutatingOperations` are only required when the source bucket uses SSE-KMS encryption.
Replace `CROSS_ACCOUNT_REPLICATION_ROLE_ARN` with the actual `CrossAccountReplicationRole` parameter value you provide to the automation.

Example **CrossAccountReplicationRole** policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3DestinationBucketReadOperations",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucket",
                "s3:PutBucketVersioning",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::DESTINATION_BUCKET"
        },
        {
            "Sid": "KMSDestinationKeyReadOperations",
            "Effect": "Allow",
            "Action": [
                "kms:GetKeyPolicy",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:DESTINATION_REGION:DESTINATION_ACCOUNT_ID:key/DESTINATION_KMS_KEY_ID"
        },
        {
            "Sid": "KMSDestinationKeyMutatingOperations",
            "Effect": "Allow",
            "Action": "kms:PutKeyPolicy",
            "Resource": "arn:aws:kms:DESTINATION_REGION:DESTINATION_ACCOUNT_ID:key/DESTINATION_KMS_KEY_ID",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "DESTINATION_ACCOUNT_ID"
                }
            }
        }
    ]
}
```

**Note**  
The KMS statements `KMSDestinationKeyReadOperations` and `KMSDestinationKeyMutatingOperations` are only required when the destination bucket uses SSE-KMS encryption. Remove these statements for SSE-S3 scenarios.

Example CrossAccountReplicationRole trust policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "AUTOMATION_ASSUME_ROLE_ARN"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

**Note**  
Replace `AUTOMATION_ASSUME_ROLE_ARN` with the actual `AutomationAssumeRole` parameter value you provide to the automation.

Example **S3ReplicationRole** policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3SourceBucketPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::SOURCE_BUCKET",
                "arn:aws:s3:::SOURCE_BUCKET/*"
            ]
        },
        {
            "Sid": "S3DestinationBucketPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
            ],
            "Resource": "arn:aws:s3:::DESTINATION_BUCKET/*"
        },
        {
            "Sid": "S3CrossAccountPermissions",
            "Effect": "Allow",
            "Action": "s3:ObjectOwnerOverrideToBucketOwner",
            "Resource": "arn:aws:s3:::DESTINATION_BUCKET/*"
        },
        {
            "Sid": "KMSSourceKeyPermissions",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:SOURCE_REGION:SOURCE_ACCOUNT_ID:key/SOURCE_KMS_KEY_ID"
        },
        {
            "Sid": "KMSDestinationKeyPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws:kms:DESTINATION_REGION:DESTINATION_ACCOUNT_ID:key/DESTINATION_KMS_KEY_ID"
        }
    ]
}
```

**Note**  
The KMS statements `KMSSourceKeyPermissions` and `KMSDestinationKeyPermissions` are only required when the buckets use SSE-KMS encryption.
The `S3CrossAccountPermissions` statement is only required for cross-account bucket replication.

Example S3ReplicationRole trust policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
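
A pre-flight check you can run before starting the automation with a customer-provided `S3ReplicationRole`: it takes the role's permissions policy and trust policy as Python dicts and reports which of the actions listed above are not allowed on the expected resources. This is an added example, not part of the runbook or of AWS's tooling; the bucket names, account IDs and KMS key ARNs in the sample are constructed, and the matcher deliberately evaluates only `Allow` statements with shell-style wildcards (no `Deny`, `NotAction`, `NotResource` or `Condition` handling), so a clean result here is a necessary, not sufficient, condition.

```python
import fnmatch

# Permissions this page lists for a customer-provided S3ReplicationRole, grouped by the
# resource each must be allowed on. kms:ReEncrypt* is expanded to its concrete actions.
SOURCE_BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetReplicationConfiguration"]
SOURCE_OBJECT_ACTIONS = ["s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging",
                         "s3:GetObjectVersionForReplication", "s3:GetObjectTagging"]
DEST_OBJECT_ACTIONS = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
CROSS_ACCOUNT_ACTIONS = ["s3:ObjectOwnerOverrideToBucketOwner"]
SOURCE_KEY_ACTIONS = ["kms:Decrypt"]
DEST_KEY_ACTIONS = ["kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptFrom", "kms:ReEncryptTo"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_pairs(policy):
    """(action pattern, resource pattern) pairs from every Allow statement.

    Deny statements, NotAction/NotResource and Condition blocks are not evaluated: this is
    a completeness check, not a policy simulator. The runbook's permission list includes
    iam:SimulatePrincipalPolicy, which is the authoritative way to answer "is it allowed".
    """
    pairs = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        for action in _as_list(st["Action"]):
            for resource in _as_list(st.get("Resource", [])):
                pairs.append((action.lower(), resource))
    return pairs


def is_allowed(policy, action, resource):
    """True if some Allow statement's action and resource patterns both match."""
    return any(fnmatch.fnmatchcase(action.lower(), ap) and fnmatch.fnmatchcase(resource, rp)
               for ap, rp in _allow_pairs(policy))


def missing_permissions(policy, source_bucket, destination_bucket, cross_account=False,
                        source_key_arn=None, destination_key_arn=None):
    """Return [(action, resource)] pairs the role policy does not grant for this scenario."""
    checks = [(a, f"arn:aws:s3:::{source_bucket}") for a in SOURCE_BUCKET_ACTIONS]
    checks += [(a, f"arn:aws:s3:::{source_bucket}/*") for a in SOURCE_OBJECT_ACTIONS]
    checks += [(a, f"arn:aws:s3:::{destination_bucket}/*") for a in DEST_OBJECT_ACTIONS]
    if cross_account:
        checks += [(a, f"arn:aws:s3:::{destination_bucket}/*") for a in CROSS_ACCOUNT_ACTIONS]
    if source_key_arn:
        checks += [(a, source_key_arn) for a in SOURCE_KEY_ACTIONS]
    if destination_key_arn:
        checks += [(a, destination_key_arn) for a in DEST_KEY_ACTIONS]
    return [(a, r) for a, r in checks if not is_allowed(policy, a, r)]


def trusted_by_s3(trust_policy):
    """True if the trust policy lets the S3 service principal assume the role."""
    for st in trust_policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "s3.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False


# Constructed sample: the page's example role policy with placeholders filled in, but with
# s3:ReplicateDelete and the cross-account owner override left out so there is something to report.
SRC_KEY = "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"
DST_KEY = "arn:aws:kms:us-west-2:222222222222:key/22222222-2222-2222-2222-222222222222"
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetReplicationConfiguration",
                    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging",
                    "s3:GetObjectVersionForReplication", "s3:GetObjectTagging"],
         "Resource": ["arn:aws:s3:::src-bucket", "arn:aws:s3:::src-bucket/*"]},
        {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateTags"],
         "Resource": "arn:aws:s3:::dst-bucket/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": SRC_KEY},
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*"],
         "Resource": DST_KEY},
    ],
}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for action, resource in missing_permissions(SAMPLE_ROLE_POLICY, "src-bucket", "dst-bucket",
                                                cross_account=True, source_key_arn=SRC_KEY,
                                                destination_key_arn=DST_KEY):
        print(f"missing: {action} on {resource}")
    print("trusted by s3.amazonaws.com:", trusted_by_s3(SAMPLE_TRUST_POLICY))
```

For a real role, feed in the documents returned by `iam:GetRolePolicy` (inline policies) and the attached managed policies; the check reports per-action, per-resource gaps rather than a single pass/fail so that the fix maps directly onto a statement to add.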

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount/description) in Systems Manager under Documents.

1. Select **Execute automation.**

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Required):**
     + Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
     + Type: `AWS::IAM::Role::Arn`
   + **SourceBucket (Required):**
     + Description: (Required) The name of the source Amazon S3 bucket where replication rules will be created or updated.
     + Type: `AWS::S3::Bucket::Name`
   + **DestinationBucket (Required):**
     + Description: (Required) The name of the destination Amazon S3 bucket where objects will be replicated to.
     + Type: `String`
     + Allowed Pattern: `^[0-9a-z][a-z0-9\\-\\.]{3,63}$`
   + **SourceAccountId (Required):**
     + Description: (Required) The AWS Account ID where the source bucket is located.
     + Type: `String`
     + Allowed Pattern: `^[0-9]{12,13}$`
   + **DestinationAccountId (Required):**
     + Description: (Required) The AWS Account ID where the destination bucket is located.
     + Type: `String`
     + Allowed Pattern: `^[0-9]{12,13}$`
   + **SnsNotificationArn (Required):**
     + Description: (Required) The ARN of an Amazon Simple Notification Service (Amazon SNS) topic for Automation approvals.
     + Type: `String`
     + Allowed Pattern: `^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):sns:[a-z]{2}(-gov)?(-iso[a-z]?)?-[a-z]{2,10}-[0-9]{1,2}:\\d{12}:[0-9a-zA-Z-_]{1,256}(.fifo)?$`
   + **Approvers (Required):**
     + Description: (Required) The list of IAM user/role ARNs authorized to approve the automation execution.
     + Type: `StringList`
     + Allowed Pattern: `^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::\\d{12}:(user|role)/[\\w+=,.@\\-/]+$`
   + **S3ReplicationRole (Optional):**
     + Description: (Optional) The ARN of an existing IAM role to use for Amazon S3 replication operations. This role must have permissions to read from the source bucket and write to the destination bucket, including KMS permissions if buckets use SSE-KMS encryption. If not provided, the automation will create a new role with appropriate permissions.
     + Type: `String`
     + Allowed Pattern: `^$|^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::\\d{12}:role/[\\w+=,.@\\-/]+$`
     + Default: `""`
   + **CrossAccountReplicationRole (Optional):**
     + Description: (Optional) The ARN of an IAM role in the destination account that the automation can assume. This is required for cross-account replication. For same-account replication, leave this empty.
     + Type: `String`
     + Allowed Pattern: `^$|^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::\\d{12}:role/[\\w+=,.@\\-/]+$`
     + Default: `""`
   + **ReplicateEntireBucket (Optional):**
     + Description: (Optional) If set to `true`, the entire bucket will be replicated and both Prefix and Tags must be empty. If false, replication will be based on specified prefix or tags.
     + Type: `Boolean`
     + Allowed Values: `[true, false]`
     + Default: `true`
   + **ReplicationRuleStatus (Optional):**
     + Description: (Optional) If set to `true`, replication rules created will be enabled. If set to `false`, replication rules created will be set to **Disabled**.
     + Type: `Boolean`
     + Allowed Values: `[true, false]`
     + Default: `true`
   + **DeleteMarkerReplicationStatus (Optional):**
     + Description: (Optional) If set to `true`, the automation enables delete marker replication.
     + Type: `Boolean`
     + Allowed Values: `[true, false]`
     + Default: `false`
   + **ReplicationTimeControl (Optional):**
     + Description: (Optional) If set to `true`, enables Amazon S3 Replication Time Control (Amazon S3 RTC), which provides a 15-minute replication SLA for predictable replication times.
     + Type: `Boolean`
     + Allowed Values: `[true, false]`
     + Default: `false`
   + **ReplicaModifications (Optional):**
     + Description: (Optional) If set to `true`, enables replication of metadata changes made to replica objects, allowing modifications to replicated objects to be synchronized back to the source.
     + Type: `Boolean`
     + Allowed Values: `[true, false]`
     + Default: `false`
   + **Prefix (Optional):**
     + Description: (Optional) Prefix filter for selective replication of objects with specific key prefixes. Prefix must end with a trailing slash (/) for proper Amazon S3 prefix filtering.
     + Type: `String`
     + Allowed Pattern: `^$|^[a-zA-Z0-9!_'()\\-]*/+$`
     + Default: `""`
   + **Tags (Optional):**
     + Description: (Optional) JSON array of tags for filtering objects to replicate. Format for a single tag: `[{"Key":"TagKey","Value":"TagValue"}]` and for multiple tags: `[{"Key":"TagKey1","Value":"TagValue1"},{"Key":"TagKey2","Value":"TagValue2"}]`.
     + Type: `String`
     + Allowed Pattern: `^\\[((\\{\"Key\":\"[a-zA-Z0-9+\\-=.:/ @\\s]{1,128}\",\"Value\":\"[a-zA-Z0-9+\\-=.:/@\\s]{0,256}\"\\})(,\\{\"Key\":\"[a-zA-Z0-9+\\-=.:/ @\\s]{1,128}\",\"Value\":\"[a-zA-Z0-9+\\-=.:/@\\s]{0,256}\"\\})*)?\\]$`
     + Default: `[]`

1. Select **Execute.**

1. The automation initiates.

1. The document performs the following steps:
   + **ValidateInputParameters**:

     Validates all input parameters for correctness and compatibility to ensure proper replication configuration.
   + **PrepareApprovalMessage**:

     Prepares the approval message with all replication configuration parameters for user review.
   + **RequestApproval**:

     Requests approval from authorized users before proceeding with Amazon S3 replication configuration changes.
   + **CheckBucketEncryption**:

     Checks encryption configuration for both source and destination Amazon S3 buckets to determine compatible replication settings.
   + **BranchOnEncryptionType**:

     Branches execution based on Amazon S3 bucket encryption type to apply appropriate replication configuration for SSE-S3 or SSE-KMS encrypted buckets.
   + **ConfigureSSES3Replication**:

     Configures Amazon S3 replication for buckets encrypted with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), including IAM roles and replication rules.
   + **ConfigureSSEKMSReplication**:

     Configures Amazon S3 replication for buckets encrypted with Server-Side Encryption with AWS KMS (SSE-KMS), including IAM roles, KMS key permissions, and replication rules.
   + **CleanupResources**:

     Deletes the IAM role the automation created if the replication configuration fails and `S3ReplicationRole` was not provided as an input.

1. After completion, review the outputs of the **ConfigureSSES3Replication** step (for SSE-S3 encrypted buckets) or the **ConfigureSSEKMSReplication** step (for SSE-KMS encrypted buckets) for the results of the execution, including the replication configuration status and the IAM role used for replication.
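
To make the parameter constraints above concrete, here is an added Python example (not the runbook's code) that turns the runbook-style inputs into the `ReplicationConfiguration` document that `put_bucket_replication` accepts, applying the same rules the parameter descriptions state: `ReplicateEntireBucket=true` forbids `Prefix` and `Tags`, a prefix must end in `/`, RTC implies replication metrics, cross-account destinations get `AccessControlTranslation`, and an SSE-KMS destination key requires opting in to replicating SSE-KMS encrypted source objects. The rule ID is an assumption for the example; the runbook's own rule naming is not shown on this page.

```python
import json


def parse_tags(tags_json):
    """Parse the runbook-style Tags parameter: a JSON array of {"Key","Value"} objects."""
    tags = json.loads(tags_json or "[]")
    if not isinstance(tags, list) or any(
            not isinstance(t, dict) or set(t) != {"Key", "Value"} for t in tags):
        raise ValueError('Tags must be a JSON array of {"Key": ..., "Value": ...} objects')
    return tags


def build_filter(replicate_entire_bucket, prefix, tags):
    """Rule Filter as S3 expects it: an empty prefix for the whole bucket, a lone Prefix or
    Tag, or an And block when a prefix is combined with tags or several tags are given."""
    if replicate_entire_bucket:
        if prefix or tags:
            raise ValueError("ReplicateEntireBucket=true requires empty Prefix and Tags")
        return {"Prefix": ""}
    if not prefix and not tags:
        raise ValueError("ReplicateEntireBucket=false requires a Prefix or Tags")
    if prefix and not prefix.endswith("/"):
        raise ValueError("Prefix must end with a trailing slash")
    if prefix and not tags:
        return {"Prefix": prefix}
    if not prefix and len(tags) == 1:
        return {"Tag": tags[0]}
    and_block = {"Tags": list(tags)}
    if prefix:
        and_block["Prefix"] = prefix
    return {"And": and_block}


def build_replication_configuration(role_arn, source_account_id, destination_bucket,
                                    destination_account_id, *, replicate_entire_bucket=True,
                                    prefix="", tags=(), rule_enabled=True,
                                    delete_marker_replication=False,
                                    replication_time_control=False, replica_modifications=False,
                                    destination_kms_key_arn=None):
    """Assemble the ReplicationConfiguration for s3.put_bucket_replication(Bucket=source, ...).

    Both buckets must already have versioning enabled; the runbook turns it on for you.
    """
    destination = {"Bucket": f"arn:aws:s3:::{destination_bucket}"}
    if destination_account_id != source_account_id:
        # Cross-account: hand ownership of each replica to the destination bucket owner.
        # AccessControlTranslation is only valid together with the Account element.
        destination["Account"] = destination_account_id
        destination["AccessControlTranslation"] = {"Owner": "Destination"}
    if destination_kms_key_arn:
        destination["EncryptionConfiguration"] = {"ReplicaKmsKeyID": destination_kms_key_arn}
    if replication_time_control:
        # S3 RTC (15-minute SLA) can only be enabled together with replication metrics.
        destination["ReplicationTime"] = {"Status": "Enabled", "Time": {"Minutes": 15}}
        destination["Metrics"] = {"Status": "Enabled", "EventThreshold": {"Minutes": 15}}

    source_selection = {}
    if destination_kms_key_arn:
        # By default S3 does not replicate SSE-KMS encrypted objects; opt in explicitly.
        source_selection["SseKmsEncryptedObjects"] = {"Status": "Enabled"}
    if replica_modifications:
        source_selection["ReplicaModifications"] = {"Status": "Enabled"}

    rule = {
        "ID": "AWSSupport-ConfigureS3Replication",  # assumed rule ID, not the runbook's
        "Priority": 0,  # required by the Filter-based (V2) rule schema
        "Status": "Enabled" if rule_enabled else "Disabled",
        "Filter": build_filter(replicate_entire_bucket, prefix, list(tags)),
        "Destination": destination,
        # Filter-based rules must state delete marker replication explicitly.
        "DeleteMarkerReplication": {"Status": "Enabled" if delete_marker_replication else "Disabled"},
    }
    if source_selection:
        rule["SourceSelectionCriteria"] = source_selection
    return {"Role": role_arn, "Rules": [rule]}


if __name__ == "__main__":
    # Constructed inputs: cross-account, SSE-KMS destination, RTC and delete markers on.
    cfg = build_replication_configuration(
        "arn:aws:iam::111111111111:role/S3RepRole-example", "111111111111",
        "dst-bucket", "222222222222", replication_time_control=True,
        delete_marker_replication=True,
        destination_kms_key_arn="arn:aws:kms:us-west-2:222222222222:key/22222222-2222-2222-2222-222222222222")
    print(json.dumps(cfg, indent=2))
```

The validation raises before anything is sent, which mirrors why the runbook has a `ValidateInputParameters` step ahead of the approval gate: an approver should only ever see a configuration that S3 will accept.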

**References**

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ConfigureS3ReplicationSameAndCrossAccount/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows](https://aws.amazon.com/premiumsupport/technology/saw/)

# `AWSSupport-EmptyS3Bucket`
<a name="automation-aws-empty-s3-bucket"></a>

 **Description** 

 The `AWSSupport-EmptyS3Bucket` automation runbook empties an existing Amazon Simple Storage Service (Amazon S3) bucket by using a lifecycle expiration configuration rule. 

**Important**  
Amazon S3 buckets with Multi-factor Authentication (MFA) enabled are not supported.
 The lifecycle rules modified by this runbook permanently delete all objects and their versions in the specified Amazon S3 bucket. You cannot recover permanently deleted objects. For more information, review [Expiring Objects](https://docs.aws.amazon.com//AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html). 

 **How does it work?** 

 The runbook `AWSSupport-EmptyS3Bucket` performs the following high-level steps: 
+ Suspends bucket versioning, if enabled.
+ Updates the bucket policy to deny any `s3:PutObject` API calls (to prevent new uploads while it is being emptied).
+ Updates the lifecycle rules to delete all the objects according to the expiration days specified in the input parameters.

**Note**  
Object versions protected with Amazon S3 Object Lock are not deleted or overwritten by lifecycle configurations.
The deletion process is asynchronous and may take time to complete after the runbook execution finishes.
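
The three changes the runbook makes are ordinary S3 configuration documents. As an added example (not the runbook's own implementation), the Python below builds them from the runbook-style inputs: the lifecycle rule named on this page, the bucket-policy statement that denies `s3:PutObject` to every principal while the bucket drains, and the rollback that strips that statement again. The statement `Sid` and the 1 to 365 day range check are assumptions for the example; the lifecycle rule ID is the one the page shows.

```python
import json

# Lifecycle rule name the runbook configures, as shown on this page.
RULE_ID = "Delete-All-AWSSupport-EmptyS3-Bucket"
# Statement ID for the upload block: an assumption for this example, not the runbook's.
DENY_SID = "AWSSupport-EmptyS3Bucket-DenyPutObject"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _days(name, value):
    """The runbook's day parameters default to 1 and allow at most 365."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 365:
        raise ValueError(f"{name} must be an integer between 1 and 365")
    return value


def build_lifecycle_configuration(expiration_days=1, noncurrent_version_expiration_days=1,
                                  abort_incomplete_multipart_upload_days=1):
    """One rule over every key (empty prefix filter): expire current objects, permanently
    delete noncurrent versions left over from when versioning was enabled, and abort
    multipart uploads that were never completed."""
    return {"Rules": [{
        "ID": RULE_ID,
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Expiration": {"Days": _days("ExpirationDays", expiration_days)},
        "NoncurrentVersionExpiration": {
            "NoncurrentDays": _days("NoncurrentVersionExpirationDays",
                                    noncurrent_version_expiration_days)},
        "AbortIncompleteMultipartUpload": {
            "DaysAfterInitiation": _days("AbortIncompleteMultipartUpload",
                                         abort_incomplete_multipart_upload_days)},
    }]}


def deny_put_object_statement(bucket):
    """Deny every principal s3:PutObject so nothing new lands while the bucket drains.
    An explicit Deny with Principal "*" also binds the account root and cannot be
    overridden by any Allow, which is exactly the property wanted here."""
    return {"Sid": DENY_SID, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*"}


def add_deny_put_object(existing_policy, bucket):
    """Merge the deny statement into the bucket policy (a dict, or None when the bucket has
    no policy, which get_bucket_policy signals with NoSuchBucketPolicy). Idempotent: a
    previous copy of the statement is replaced rather than duplicated."""
    policy = dict(existing_policy) if existing_policy else {"Version": "2012-10-17"}
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != DENY_SID]
    statements.append(deny_put_object_statement(bucket))
    policy["Statement"] = statements
    return policy


def remove_deny_put_object(policy):
    """Rollback: strip the deny statement. Returns None when nothing else remains, meaning
    the caller should delete the bucket policy rather than put an empty one."""
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != DENY_SID]
    if not statements:
        return None
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    # With boto3 the same documents would be applied as:
    #   s3.put_bucket_versioning(Bucket=b, VersioningConfiguration={"Status": "Suspended"})
    #   s3.put_bucket_policy(Bucket=b, Policy=json.dumps(add_deny_put_object(current, b)))
    #   s3.put_bucket_lifecycle_configuration(Bucket=b,
    #       LifecycleConfiguration=build_lifecycle_configuration())
    print(json.dumps(build_lifecycle_configuration(), indent=2))
    print(json.dumps(add_deny_put_object(None, "example-bucket"), indent=2))
```

Because the lifecycle rule is what actually deletes data, the deny statement is the control that keeps the bucket from refilling between the runbook finishing and S3's asynchronous expiration running; the rollback helper exists so a failed or abandoned run leaves the original policy in place.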

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-EmptyS3Bucket) 

**Document type**

Automation

**Owner**

Amazon

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ ssm:DescribeAutomationExecutions
+ ssm:GetAutomationExecution
+ s3:GetBucketVersioning
+ s3:PutBucketVersioning
+ s3:GetBucketPolicy
+ s3:GetBucketLifecycleConfiguration
+ s3:GetLifecycleConfiguration
+ s3:PutBucketPolicy
+ s3:PutBucketLifecycleConfiguration
+ s3:PutLifecycleConfiguration
+ s3:DeleteBucketPolicy
+ s3:DeleteBucketLifecycle

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-EmptyS3Bucket/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-EmptyS3Bucket/description) in Systems Manager under Documents.

1. Select Execute automation.

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user who starts this runbook.
   + **S3BucketName:**

     The name of the Amazon S3 bucket you want to empty.
   + **SNSTopicArn:**

     The ARN of the Amazon SNS topic used to send the approval notification required during the automation execution.
   + **ApproverIAM:**

     A list of AWS authenticated principals who can approve or reject the action. The maximum number of approvers is `10`. You can specify principals in any of these formats: an AWS Identity and Access Management (IAM) user name, an IAM user ARN, an IAM role ARN, or an IAM assumed-role user ARN.
   + **MinimumRequiredApprovals (Optional):**

     The minimum number of approvals required to resume the automation. If you don't specify a value, the system defaults to `1`. The value for this parameter must be a positive number. The value for this parameter can't exceed the number of approvers defined by the ApproverIAM parameter.
   + **NoncurrentVersionExpirationDays (Optional):**

     Specify the number of days when noncurrent object versions expire. Upon expiration, Amazon S3 permanently deletes the noncurrent object versions.
     + Default: `1`
     + Maximum Value: `365`
   + **ExpirationDays (Optional):**

     Specify the number of days after which current object versions expire under the lifecycle rule.
     + Default: `1`
     + Maximum Value: `365`
   + **AbortIncompleteMultipartUpload (Optional):**

     Specify the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload.
     + Default: `1`
     + Maximum Value: `365`
   + **Acknowledgement:**

     Read the complete details of the actions this automation runbook performs and enter `Yes, I understand and acknowledge` to confirm.  
![\[Image containing sample input parameters for AWSSupport-EmptyS3Bucket document.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-empty-s3-bucket_input_parameters.png)

1. Select Execute.

1. The automation initiates.

1. The document performs the following steps:
   + **`checkConcurrency`**:

     Ensures there is only one execution of this runbook targeting the specified Amazon S3 bucket. If the runbook finds another in progress execution targeting the same bucket name, it returns an error and ends.
   + **`getBucketVersioningConfiguration`**:

     Fetches the versioning status of the specified Amazon S3 bucket.
   + **`branchOnStoppingIfMFADeleteEnabled`** (conditional):

     Stops the automation if Multi-factor Authentication (MFA) is enabled on the specified Amazon S3 bucket.
   + **`approvalToMakeChangesToTheProvidedS3Bucket`**:

     Waits for the designated principals to approve suspending bucket versioning and updating the bucket policy and lifecycle configuration of the specified Amazon S3 bucket.
   + **`branchOnBucketVersioningStatus`** (conditional):

     If versioning is enabled on the specified Amazon S3 bucket, disables it; otherwise continues to update the bucket policy and lifecycle configuration.
   + **`suspendBucketVersioning`**:

     Suspends the versioning state of the specified Amazon S3 bucket.
   + **`updateBucketPolicyAndLifeCycleConfiguration`**:

     Adds or updates the bucket policy to deny all `s3:PutObject` requests and updates the lifecycle configuration to expire objects based on the user-provided input parameters.
   + **`branchOnFailingIfBucketPropertiesNotUpdated`** (conditional):

     Checks the status of the `updateBucketPolicyAndLifeCycleConfiguration` step and tries to revert the original bucket versioning state if changed by automation.
   + **`branchOnFailureOriginalVersioningStatus`** (conditional):

     On failure, branches to determine the original versioning status. If versioning was enabled and suspended by this automation, tries to enable it again.
   + **`onFailureRestoreBucketVersioning`**:

     Restores the enabled versioning state of the specified Amazon S3 bucket.

1. After the execution completes, review the Outputs section for the detailed results of the execution:  
![\[Image containing the output of the AWSSupport-EmptyS3Bucket document's execution showing successful execution and configured lifecycle policy.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-empty-s3-bucket_outputs.png)
   + **Successful execution**

     This workflow updates the bucket's lifecycle rule. Objects will be deleted according to the `Delete-All-AWSSupport-EmptyS3-Bucket` lifecycle policy.  
![\[Image containing configured Delete-All-AWSSupport-EmptyS3-Bucket lifecycle policy.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-empty-s3-bucket_outputs_lifecycle_policy.png)
   + **Failure execution**

     No partial deletion is performed. If the execution fails, the lifecycle configuration and other bucket settings are rolled back.
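The `updateBucketPolicyAndLifeCycleConfiguration` step above combines the three day-count parameters into one lifecycle rule and adds a `Deny` on `s3:PutObject` so that nothing new lands in the bucket while it drains. The following Python is an added example that mirrors that logic offline; it is not the runbook's own code. It builds the request bodies in the shape boto3's `put_bucket_lifecycle_configuration` and `put_bucket_policy` accept, enforces the page's `1`..`365` range, and reproduces the branching on versioning and MFA Delete. The rule ID `Delete-All-AWSSupport-EmptyS3-Bucket` is the one the page names; the `Sid` of the deny statement is a hypothetical name chosen here.

```python
import json

RULE_ID = "Delete-All-AWSSupport-EmptyS3-Bucket"  # lifecycle rule name given on the page
MAX_DAYS = 365                                      # the runbook's maximum for each day-count input
DENY_SID = "DenyPutObjectWhileEmptying"             # hypothetical Sid, not from the runbook


def _check_days(name, value):
    """The runbook accepts 1..365 for each day-count parameter; reject anything else early."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= MAX_DAYS:
        raise ValueError(f"{name} must be an integer between 1 and {MAX_DAYS}, got {value!r}")
    return value


def build_lifecycle_configuration(expiration_days=1, noncurrent_days=1, abort_days=1):
    """One rule, empty prefix (matches every object), covering all three expiration kinds."""
    return {
        "Rules": [{
            "ID": RULE_ID,
            "Filter": {"Prefix": ""},
            "Status": "Enabled",
            "Expiration": {"Days": _check_days("ExpirationDays", expiration_days)},
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": _check_days("NoncurrentVersionExpirationDays", noncurrent_days)},
            "AbortIncompleteMultipartUpload": {
                "DaysAfterInitiation": _check_days("AbortIncompleteMultipartUpload", abort_days)},
        }]
    }


def build_deny_put_policy(bucket_name, existing_policy=None):
    """Return a bucket policy that keeps any existing statements and denies s3:PutObject to everyone.

    Re-running the function on its own output is idempotent: an earlier copy of the deny
    statement is replaced rather than duplicated.
    """
    deny = {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket_name}/*",
    }
    if existing_policy is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    else:
        policy = json.loads(json.dumps(existing_policy))  # deep copy; never mutate the caller's dict
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a policy may carry a single statement object
        statements = [statements]
    policy["Statement"] = [s for s in statements if s.get("Sid") != DENY_SID] + [deny]
    return policy


def plan_steps(versioning_status, mfa_delete="Disabled"):
    """Mirror the runbook's branching: stop on MFA Delete, suspend versioning only when enabled.

    `versioning_status` and `mfa_delete` are the fields GetBucketVersioning returns
    ("Enabled"/"Suspended"/None and "Enabled"/"Disabled").
    """
    if mfa_delete == "Enabled":
        raise RuntimeError("MFA Delete is enabled on the bucket; the runbook stops here")
    steps = []
    if versioning_status == "Enabled":
        steps.append("suspendBucketVersioning")
    steps.append("updateBucketPolicyAndLifeCycleConfiguration")
    return steps


if __name__ == "__main__":
    # Constructed sample inputs, not real account data.
    print(json.dumps(build_lifecycle_configuration(30, 7, 2), indent=2))
    print(json.dumps(build_deny_put_policy("amzn-s3-demo-bucket"), indent=2))
    print(plan_steps("Enabled"))
```

Because the deny statement uses `Principal: "*"`, it also applies to the role that ran the automation, which is why the runbook's failure path has to roll the policy back rather than rely on being able to write objects afterward.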

**References**

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-EmptyS3Bucket/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows](https://aws.amazon.com/premiumsupport/technology/saw/)

For more information on managing Amazon S3 buckets and objects, see [Emptying a bucket](https://docs.aws.amazon.com//AmazonS3/latest/userguide/empty-bucket.html).

# `AWSSupport-TroubleshootS3EventNotifications`
<a name="awssupport-troubleshoot-s3-event-notifications"></a>

 **Description** 

 The `AWSSupport-TroubleshootS3EventNotifications` AWS Systems Manager automation runbook helps troubleshoot Amazon Simple Storage Service (Amazon S3) bucket event notifications configured with AWS Lambda functions, Amazon Simple Notification Service (Amazon SNS) topics, or Amazon Simple Queue Service (Amazon SQS) queues. It provides a configuration settings report of the different resources configured as event notification destinations for the Amazon S3 bucket. 

 **How does it work?** 

 The runbook performs the following steps: 
+ Checks if the Amazon S3 Bucket exists in the same account where `AWSSupport-TroubleshootS3EventNotifications` is executed.
+ Fetches the destination resources (AWS Lambda Function, or Amazon SNS Topic or Amazon SQS queue) configured as Event Notifications for the Amazon S3 Bucket using the [GetBucketNotificationConfiguration](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotificationConfiguration.html) API.
+ Validates that the destination resource exists, then reviews the resource-based policy of the destination resources to determine if Amazon S3 is allowed to publish to the destination.
+ If you encrypted the destination with an AWS Key Management Service (AWS KMS) key, the key policy is checked to determine if Amazon S3 access is allowed.
+ Generates a report of all the destination resource checks.

**Important**  
This runbook can only evaluate event notification configurations if the Amazon S3 bucket owner is the same as the AWS account owner where the automation runbook is being executed.
Additionally, this runbook cannot evaluate policies on destination resources that are hosted in another AWS account.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootS3EventNotifications) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ S3BucketName

  Type: `AWS::S3::Bucket::Name`

  Description: (Required) The name of the Amazon S3 bucket configured with event notification(s).

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `s3:GetBucketLocation`
+ `s3:ListAllMyBuckets`
+ `s3:GetBucketNotification`
+ `sqs:GetQueueAttributes`
+ `sqs:GetQueueUrl`
+ `sns:GetTopicAttributes`
+ `kms:GetKeyPolicy`
+ `kms:DescribeKey`
+ `kms:ListAliases`
+ `lambda:GetPolicy`
+ `lambda:GetFunction`
+ `iam:GetContextKeysForCustomPolicy`
+ `iam:SimulateCustomPolicy`
+ `iam:ListRoles`
+ `ssm:DescribeAutomationStepExecutions`

 **Example IAM Policy for the Automation Assume Role** 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Permission",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3PermissionGetBucketNotification",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketNotification"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
        },
        {
            "Sid": "SQSPermission",
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl"
            ],
            "Resource": "arn:aws:sqs:us-east-1:111122223333:*"
        },
        {
            "Sid": "SNSPermission",
            "Effect": "Allow",
            "Action": [
                "sns:GetTopicAttributes"
            ],
            "Resource": "arn:aws:sns:us-east-1:111122223333:*"
        },
        {
            "Sid": "KMSPermission",
            "Effect": "Allow",
            "Action": [
                "kms:GetKeyPolicy",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
        },
        {
            "Sid": "LambdaPermission",
            "Effect": "Allow",
            "Action": [
                "lambda:GetPolicy",
                "lambda:GetFunction"
            ],
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:*"
        },
        {
            "Sid": "IAMPermission",
            "Effect": "Allow",
            "Action": [
                "iam:GetContextKeysForCustomPolicy",
                "iam:SimulateCustomPolicy",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SSMPermission",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAutomationStepExecutions"
            ],
            "Resource": "*"
        }
    ]
}
```

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootS3EventNotifications/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootS3EventNotifications/description) in Systems Manager under Documents.

1. Select Execute automation.

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user who starts this runbook.
   + **S3BucketName (Required):**

     The name of the Amazon S3 bucket configured with event notification(s).  
![\[AWSSupport-TroubleshootS3EventNotification runbook execution input parameters.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-s3-event-notifications_input_parameters.png)

1. Select Execute.

1. The automation initiates.

1. The document performs the following steps:
   + **ValidateInputs**

     Validates that the provided Amazon S3 bucket belongs to the same account where the automation is executed and fetches the Region where the bucket is hosted.
   + **GetBucketNotificationConfiguration**

     Calls `GetBucketNotificationConfiguration` API to review Event Notifications configured with the Amazon S3 bucket and formats output.
   + **BranchOnSQSResourcePolicy**

     Branches on whether there are Amazon SQS resources in event notifications.
   + **ValidateSQSResourcePolicy**

     Validates that the resource policy in the Amazon SQS queue attributes grants `sqs:SendMessage` permission to Amazon S3. If the Amazon SQS queue is encrypted, checks that the encryption does not use the default AWS managed key (`aws/sqs`) and that the AWS KMS key policy grants permissions to Amazon S3.
   + **BranchOnSNSResourcePolicy**

     Branches on whether there are Amazon SNS resources in event notifications.
   + **ValidateSNSResourcePolicy**

     Validates that the resource policy in the Amazon SNS topic attributes grants `sns:Publish` permission to Amazon S3. If the Amazon SNS topic is encrypted, checks that the encryption does not use the default AWS managed key (`aws/sns`) and that the AWS KMS key policy grants permissions to Amazon S3.
   + **BranchOnLambdaFunctionResourcePolicy**

     Branches on whether there are AWS Lambda functions in event notifications.
   + **ValidateLambdaFunctionResourcePolicy**

     Validates that the resource policy on the AWS Lambda function grants `lambda:InvokeFunction` permission to Amazon S3.
   + **GenerateReport**

     Returns details of the runbook steps outputs, and recommendations to resolve any issue with the event notifications configured with the Amazon S3 bucket.

1. After the execution completes, review the Outputs section for the detailed results of the execution:
   + **Amazon SQS Event Notifications**

     If there are Amazon SQS destination notifications configured with the Amazon S3 bucket, a list of the Amazon SQS Queues is displayed alongside the results of the checks. The report includes Amazon SQS resource check, Amazon SQS access policy check, AWS KMS key check, AWS KMS key status check, and AWS KMS key policy check.
   + **Amazon SNS Event Notifications**

     If there are Amazon SNS destination notifications configured with the Amazon S3 bucket, a list of the Amazon SNS Topics is displayed alongside the results of the checks. The report includes Amazon SNS resource check, Amazon SNS access policy check, AWS KMS key check, AWS KMS key status check, and AWS KMS key policy check.
   + **AWS Lambda Event Notifications**

     If there are AWS Lambda destination notifications configured with the Amazon S3 bucket, a list of the Lambda functions is displayed alongside the results of the checks. The report includes Lambda resource check and Lambda access policy check.  
![\[AWSSupport-TroubleshootS3EventNotification runbook sample execution output.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-s3-event-notifications_outputs.png)
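The three `Validate*ResourcePolicy` steps and the AWS KMS checks above all answer the same question: does the destination's resource-based policy let the `s3.amazonaws.com` service principal perform the one action the notification needs, and is the destination's key one that S3 can actually use? The Python below is an added example of that evaluation run offline over a policy document; it is not the runbook's code and it is a simplified evaluator (it matches principal, action, resource and the `aws:SourceArn` condition, and treats any matching `Deny` as decisive), not a replacement for IAM's full policy engine. The queue ARN, bucket name and policy document are constructed sample values.

```python
import fnmatch
import json

S3_SERVICE = "s3.amazonaws.com"
# Action each destination type needs S3 to hold (compared case-insensitively, as IAM does).
REQUIRED_ACTION = {"sqs": "sqs:sendmessage", "sns": "sns:publish", "lambda": "lambda:invokefunction"}
# AWS managed keys whose key policy cannot be edited to grant S3 access.
DEFAULT_KMS_ALIASES = {"sqs": "alias/aws/sqs", "sns": "alias/aws/sns"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_includes_s3(principal):
    """Principal "*", Service s3.amazonaws.com, or AWS "*" all cover the S3 service principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return S3_SERVICE in _as_list(principal.get("Service")) or "*" in _as_list(principal.get("AWS"))
    return False


def _matches_any(value, patterns):
    """IAM-style wildcard match (e.g. "sqs:*"), case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _source_arn_ok(statement, bucket_arn):
    """True when the statement has no aws:SourceArn condition, or one that matches this bucket."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            for key, allowed in keys.items():
                if key.lower() == "aws:sourcearn":
                    return _matches_any(bucket_arn, allowed)
    return True


def check_destination_policy(policy, dest_type, dest_arn, bucket_name):
    """Return (allowed, findings) for one destination's resource policy."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    required = REQUIRED_ACTION[dest_type]
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings, allowed = [], False
    for st in _as_list(policy.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        if not _principal_includes_s3(st.get("Principal")):
            continue
        if not (_matches_any(dest_arn, st.get("Resource", "*")) and _matches_any(required, st.get("Action"))):
            continue
        if st.get("Effect") == "Deny":  # simplification: a matching Deny wins outright
            return False, [f"explicit Deny of {required} for {S3_SERVICE} in statement {sid}"]
        if not _source_arn_ok(st, bucket_arn):
            findings.append(f"Allow in {sid} restricts aws:SourceArn to a different bucket")
            continue
        if "Condition" not in st:
            findings.append(f"Allow in {sid} has no aws:SourceArn/aws:SourceAccount condition; "
                            "any bucket could publish to this destination")
        allowed = True
    if not allowed and not findings:
        findings.append(f"no Allow statement grants {required} to {S3_SERVICE} on {dest_arn}")
    return allowed, findings


def check_kms_key(dest_type, key_alias):
    """Flag the AWS managed default key, which S3 cannot be granted access to."""
    if key_alias is None:
        return True, "destination is not encrypted with an AWS KMS key"
    if key_alias == DEFAULT_KMS_ALIASES.get(dest_type):
        return False, (f"{key_alias} is the AWS managed key and its key policy cannot be changed; use a "
                       f"customer managed key whose policy allows kms:GenerateDataKey* and kms:Decrypt for {S3_SERVICE}")
    return True, "customer managed key; confirm its key policy grants kms:GenerateDataKey* and kms:Decrypt to S3"


# Constructed sample: a queue policy that correctly scopes S3 to one source bucket.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:s3-events"
SAMPLE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3ToSend",
        "Effect": "Allow",
        "Principal": {"Service": S3_SERVICE},
        "Action": "SQS:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"}},
    }],
})

if __name__ == "__main__":
    print(check_destination_policy(SAMPLE_QUEUE_POLICY, "sqs", QUEUE_ARN, "amzn-s3-demo-bucket"))
    print(check_destination_policy(SAMPLE_QUEUE_POLICY, "sqs", QUEUE_ARN, "other-bucket"))
    print(check_kms_key("sqs", "alias/aws/sqs"))
```

The "no condition" finding is deliberately reported even though the policy passes: an `Allow` for `s3.amazonaws.com` without `aws:SourceArn` or `aws:SourceAccount` lets any bucket in any account feed the queue, which is the confused-deputy pattern the runbook's recommendations are meant to surface.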

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootS3EventNotifications/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

# `AWSSupport-ContainS3Resource`
<a name="automation-awssupport-contains3resource"></a>

 **Description** 

 The `AWSSupport-ContainS3Resource` runbook provides an automated solution for the procedure outlined in the article [Support Automation Workflow (SAW) Runbook: Contain a compromised AWS Amazon S3 Bucket](https://repost.aws/articles/ARhGc0hDqKRIKAVCbmF1GmuQ). 

**Important**  
This runbook performs various operations that require elevated privileges, such as modifying Amazon S3 bucket policies, tags, and public access configurations. These actions could potentially lead to privilege escalation or impact other workloads that depend on the targeted Amazon S3 bucket. You should review the permissions granted to the role specified by the `AutomationAssumeRole` parameter and ensure they are appropriate for the intended use case. You can refer to the following AWS documentation for more information on IAM permissions: [https://docs.aws.amazon.com//IAM/latest/UserGuide/access_controlling.html](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_controlling.html) [https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup-iam.html](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup-iam.html).
This runbook performs mutative actions that could potentially cause unavailability or disruption to your workloads. Specifically, the `Contain` action blocks all access to the specified Amazon S3 bucket, except for the roles specified in the `SecureRoles` parameter. This could impact any applications or services that rely on the targeted Amazon S3 bucket.
During the `Contain` action, this runbook may create an additional Amazon S3 bucket (specified by the `BackupS3BucketName` parameter) to store the backup of the original bucket's configuration, if it does not already exist.
If the `Action` parameter is set to `Restore`, this runbook attempts to restore the Amazon S3 bucket's configuration to its original state based on the backup stored in the `BackupS3BucketName` bucket. However, there is a risk that the restoration process may fail, leaving the Amazon S3 bucket in an inconsistent state. The runbook provides instructions for manual restoration in case of such failures, but you should be prepared to handle potential issues during the restoration process.
It is recommended to review the runbook thoroughly, understand its potential impacts, and test it in a non-production environment before executing it in your production environment.

 **How does it work?** 

This runbook operates differently based on the resource type and action:
+ For Amazon S3 General Purpose Bucket `Containment`: The automation blocks public access to the bucket, disables ACL configuration, enforces Bucket Owner Object ownership, and puts a restrictive bucket policy denying all Amazon S3 actions to the bucket except for allow listed IAM Roles.
+ For Amazon S3 General Purpose Object `Containment`: The automation blocks Public Access to bucket, disables ACL configuration, enforces Bucket Owner Object ownership, and puts a restrictive bucket policy denying all Amazon S3 actions on the object except for allow listed IAM Roles.
+ For Amazon S3 Directory Bucket `Containment`: The automation puts a restrictive bucket policy denying all Amazon S3 actions to the bucket except for allow listed IAM Roles.
+ For Amazon S3 General Purpose Bucket `Restore`: The automation restores the Block Public Access configuration, Bucket ACL configuration, Bucket Owner Object ownership and Bucket Policy to the initial configuration prior to containment.
+ For Amazon S3 General Purpose Object `Restore`: The automation restores the Block Public Access configuration, Bucket ACL configuration, Object ACL Configuration, Bucket Owner Object ownership and Bucket Policy to the initial configuration prior to containment.
+ For Amazon S3 Directory Bucket `Restore`: The automation restores the bucket policy to the initial configuration prior to containment.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-ContainS3Resource) 

 **Document Type** 

 Automation 

 **Owner** 

 Amazon 

 **Platform** 

 / 

 **Required IAM Permissions** 

 The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully. 
+ s3:CreateBucket
+ s3:DeleteBucketPolicy
+ s3:DeleteObjectTagging
+ s3:GetAccountPublicAccessBlock
+ s3:GetBucketAcl
+ s3:GetBucketLocation
+ s3:GetBucketOwnershipControls
+ s3:GetBucketPolicy
+ s3:GetBucketPolicyStatus
+ s3:GetBucketTagging
+ s3:GetEncryptionConfiguration
+ s3:GetObject
+ s3:GetObjectAcl
+ s3:GetObjectTagging
+ s3:GetReplicationConfiguration
+ s3:ListBucket
+ s3:PutAccountPublicAccessBlock
+ s3:PutBucketACL
+ s3:PutBucketOwnershipControls
+ s3:PutBucketPolicy
+ s3:PutBucketPublicAccessBlock
+ s3:PutBucketTagging
+ s3:PutBucketVersioning
+ s3:PutObject
+ s3:PutObjectAcl
+ s3express:CreateSession
+ s3express:DeleteBucketPolicy
+ s3express:GetBucketPolicy
+ s3express:PutBucketPolicy
+ ssm:DescribeAutomationExecutions

 Here is an example of an IAM policy that grants the necessary permissions for the `AutomationAssumeRole`: 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObjectTagging",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "s3:GetEncryptionConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketACL",
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3ExpressPermissions",
            "Effect": "Allow",
            "Action": [
                "s3express:CreateSession",
                "s3express:DeleteBucketPolicy",
                "s3express:GetBucketPolicy",
                "s3express:PutBucketPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SSMPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAutomationExecutions"
            ],
            "Resource": "*"
        }
    ]
}
```

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ContainS3Resource/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ContainS3Resource/description) in Systems Manager under Documents.

1. Select Execute automation.

1. For the input parameters, enter the following:
   + **BucketName (Required):**
     + Description: (Required) The name of the Amazon S3 bucket.
     + Type: `AWS::S3::Bucket::Name`
   + **Action (Required):**
     + Description: (Required) Select `Contain` to isolate the Amazon S3 resource or `Restore` to try to restore the resource configuration to its original state from a previous backup.
     + Type: String
     + Allowed Values: `Contain|Restore`
   + **DryRun (Optional):**
     + Description: (Optional) When set to true, the automation will not make any changes to the target Amazon S3 resource, instead it will output what it would have attempted to change. Default value: true.
     + Type: Boolean
     + Allowed Values: `true|false`
   + **BucketKeyName (Optional):**
     + Description: (Optional) The key of the Amazon S3 object you want to contain or restore. Used during object level containment.
     + Type: String
     + Allowed Pattern: `^[a-zA-Z0-9\\.\\-_\\\\!*'()/]{0,1024}$`
   + **BucketRestrictAccess (Conditional):**
     + Description: (Conditional) The ARNs of the IAM users or roles that will be allowed access to the target Amazon S3 resource after running the containment actions. This parameter is required when `Action` is set to `Contain`.
     + Type: StringList
     + Allowed Pattern: `^$|^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::[0-9]{12}:(role|user)\\/[\\w+\\/=,.@-]+$`
   + **TagIdentifier (Optional):**
     + Description: (Optional) A tag in the format Key=BatchId,Value=78925 that will be added to the resources created or modified by this runbook during the containment workflow.
     + Type: String
     + Allowed Pattern: `^$|^[Kk][Ee][Yy]=[\\+\\-\\=\\.\\_\\:\\/@a-zA-Z0-9]{1,128},[Vv][Aa][Ll][Uu][Ee]=[\\+\\-\\=\\.\\_\\:\\/@a-zA-Z0-9]{0,128}$`
   + **BackupS3BucketName (Conditional):**
     + Description: (Conditional) The Amazon S3 bucket to backup the target resource configuration when the `Action` is set to `Contain` or to restore the configuration from when the `Action` is set to `Restore`.
     + Type: `AWS::S3::Bucket::Name`
   + **BackupS3KeyName (Conditional):**
     + Description: (Conditional) If `Action` is set to `Restore`, this specifies the Amazon S3 key the automation will use to try to restore the target resource configuration.
     + Type: String
     + Allowed Pattern: `^[a-zA-Z0-9\\.\\-_\\\\!*'()/]{0,1024}$`
   + **BackupS3BucketAccess (Conditional):**
     + Description: (Conditional) The ARNs of the IAM users or roles that will be allowed access to the backup Amazon S3 bucket after running the containment actions. This parameter is required when `Action` is `Contain`.
     + Type: StringList
     + Allowed Pattern: `^$|^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::[0-9]{12}:(role|user)\\/[\\w+\\/=,.@-]+$`
   + **AutomationAssumeRole (Optional):**
     + Description: (Optional) The Amazon Resource Name (ARN) of the IAM role that allows Systems Manager Automation to perform the actions on your behalf.
     + Type: `AWS::IAM::Role::Arn`

1. Select Execute.

1. The automation initiates.

1. The document performs the following steps:
   + **validateRequiredInputs**

     Validates the required automation input parameters based on the Action specified.
   + **assertBucketExists**

     Checks if the target Amazon S3 bucket exists and is accessible.
   + **backupBucketPreChecks**

     Checks if the backup Amazon S3 bucket potentially grants public read or write access to its objects.
   + **backupTargetBucketMetadata**

     Describes the current configuration of the target Amazon S3 bucket and uploads the backup to the specified backup Amazon S3 bucket.
   + **containBucket**

     Performs bucket level operations to contain the target Amazon S3 bucket.
   + **BranchOnActionAndMode**

     Branches the automation based on the input parameters Action and DryRun.
   + **RestoreInstanceConfiguration**

     Restores the Amazon S3 bucket configuration from the backup.
   + **containFinalOutput**

     Consolidates the containment activity in a readable format.
   + **ReportContain**

     Outputs dry run details for the containment actions.
   + **ReportRestore**

     Outputs dry run details for the restoring actions.
   + **ReportRestoreFailure**

     Provides instructions to restore the Amazon S3 bucket original configuration during a restore workflow failure scenario.
   + **ReportContainmentFailure**

     Provides instructions to restore the Amazon S3 bucket original configuration during a containment workflow failure scenario.
   + **FinalOutput**

     Outputs the details of the containment actions.

1. After the execution completes, review the Outputs section for the detailed results of the execution:
   + **ContainFinalOutput.Output**

     Outputs the details of the containment actions performed by this runbook when `DryRun` is set to False.
   + **RestoreFinalOutput.Output**

     Outputs the details of the restore actions performed by this runbook when `DryRun` is set to False.
   + **ContainS3ResourceDryRun.Output**

     Outputs the details of the containment actions performed by this runbook when `DryRun` is set to True.
   + **RestoreS3ResourceDryRun.Output**

     Outputs the details of the restore actions performed by this runbook when `DryRun` is set to True.
   + **ReportContainmentFailure.Output**

     Provides instructions to restore the target Amazon S3 resource original configuration during a containment workflow failure scenario.
   + **ReportRestoreFailure.Output**

     Provides instructions to restore the target Amazon S3 resource original configuration during a restore workflow failure scenario.
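The general purpose bucket and object `Containment` variants described under "How does it work?" reduce to three write calls (block public access, enforce bucket-owner object ownership so ACLs stop applying, and install a deny-all bucket policy with an allow list) plus optional tagging. The Python below is an added example that produces that plan offline in the same spirit as the runbook's `DryRun` output; it is not the runbook's code and does not cover directory buckets, whose policies use the `s3express` namespace. The allow-list ARN pattern and `TagIdentifier` pattern are the ones on the page (unescaped for Python); the statement `Sid` is a hypothetical name, and the bucket, key and role ARN are constructed sample values.

```python
import json
import re

# Patterns from the page's BucketRestrictAccess and TagIdentifier parameters.
ARN_PATTERN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov|aws-iso(-[a-z])?):iam::[0-9]{12}:(role|user)/[\w+/=,.@-]+$")
TAG_PATTERN = re.compile(r"^[Kk][Ee][Yy]=([+\-=._:/@a-zA-Z0-9]{1,128}),[Vv][Aa][Ll][Uu][Ee]=([+\-=._:/@a-zA-Z0-9]{0,128})$")
CONTAIN_SID = "ContainS3ResourceDenyAll"  # hypothetical Sid, not from the runbook


def parse_tag_identifier(value):
    """Turn the runbook's Key=BatchId,Value=78925 format into a TagSet entry."""
    match = TAG_PATTERN.match(value)
    if not match:
        raise ValueError(f"TagIdentifier does not match the allowed pattern: {value!r}")
    return {"Key": match.group(1), "Value": match.group(2)}


def build_containment_policy(bucket_name, allowed_principals, object_key=None):
    """Deny every s3:* action on the bucket (or one object) to everyone but the allow list.

    The allow list is expressed as an ArnNotLike condition on aws:PrincipalArn rather than
    NotPrincipal: aws:PrincipalArn resolves assumed-role sessions to their role ARN, so a
    role stays allowed no matter which session name it is using.
    """
    if not allowed_principals:
        raise ValueError("at least one allowed principal is required; otherwise nobody can undo the containment")
    bad = [p for p in allowed_principals if not ARN_PATTERN.match(p)]
    if bad:
        raise ValueError(f"not IAM role/user ARNs: {bad}")
    if object_key:
        resources = [f"arn:aws:s3:::{bucket_name}/{object_key}"]
    else:
        resources = [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": CONTAIN_SID,
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": resources,
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(allowed_principals)}},
        }],
    }


def plan_containment(bucket_name, allowed_principals, object_key=None, tag=None):
    """Ordered (api_name, parameters) pairs for general purpose bucket/object containment.

    Returned as data so it can be printed as a dry run or handed to the matching boto3
    S3 client methods. PutBucketTagging replaces the whole tag set, so a real run must
    merge `tag` with the tags read in the backup step first.
    """
    steps = [
        ("PutPublicAccessBlock", {"Bucket": bucket_name, "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
        ("PutBucketOwnershipControls", {"Bucket": bucket_name, "OwnershipControls": {
            "Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}),  # disables ACLs entirely
        ("PutBucketPolicy", {"Bucket": bucket_name, "Policy": json.dumps(
            build_containment_policy(bucket_name, allowed_principals, object_key))}),
    ]
    if tag:
        steps.append(("PutBucketTagging", {"Bucket": bucket_name, "Tagging": {"TagSet": [tag]}}))
    return steps


if __name__ == "__main__":
    # Constructed sample inputs, not real account data.
    responder = "arn:aws:iam::111122223333:role/IncidentResponder"
    for api, params in plan_containment("amzn-s3-demo-bucket", [responder],
                                        tag=parse_tag_identifier("Key=BatchId,Value=78925")):
        print(f"[dry run] {api} {json.dumps(params)}")
```

Whatever role runs the containment (or the later restore) must itself be on the allow list, because the `Deny` with `Principal: "*"` otherwise applies to it too; the page's failure-path steps exist precisely because a restore attempted from a principal outside the list will be refused by the policy just installed.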

**References**

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-ContainS3Resource/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows](https://aws.amazon.com/premiumsupport/technology/saw/)