s3-bucket-policy-grantee-check - AWS Config

Checks that the access granted by an Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if no bucket policy exists.

For example, if the input parameter to the rule is a list of two principals, 111122223333 and 444455556666, and the bucket policy specifies that only 111122223333 can access the bucket, then the rule is COMPLIANT. With the same input parameters, if the bucket policy specifies that both 111122223333 and 444455556666 can access the bucket, the rule is also COMPLIANT. However, if the bucket policy specifies that 999900009999 can access the bucket, the rule is NON-COMPLIANT.

If a bucket policy contains more than one statement, each statement in the bucket policy is evaluated against this rule.
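The evaluation described above, as an added illustration that is not the AWS Config implementation: a simplified model that walks every Allow statement, collects its grantees from the Principal element and from aws:SourceIp / aws:SourceVpc conditions, and reports NON_COMPLIANT as soon as one grantee falls outside every list you supplied. It assumes an awsPrincipals entry may be an exact ARN or a bare 12-digit account ID, that Deny statements grant nothing, and that a "*" principal is acceptable only when the statement is restricted to a listed IP range or VPC.

```python
import ipaddress
import json
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_allowed(p, allowed):
    # allowed entry is an exact ARN or a bare 12-digit account ID (assumption)
    m = re.search(r"\d{12}", p)
    return p in allowed or (m is not None and m.group(0) in allowed)

def _cidr_allowed(cidr, allowed_nets):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)

def evaluate(policy_json, aws_principals=(), service_principals=(),
             federated_users=(), ip_addresses=(), vpc_ids=()):
    """Return "COMPLIANT" or "NON_COMPLIANT" for one bucket policy document."""
    if not policy_json:
        return "COMPLIANT"  # no bucket policy present: the rule is COMPLIANT
    allowed_nets = [ipaddress.ip_network(c) for c in ip_addresses]
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access (modelling assumption)
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        ips, vpcs = [], []
        for keys in stmt.get("Condition", {}).values():
            for key, val in keys.items():
                if key.lower() == "aws:sourceip":
                    ips += _as_list(val)
                elif key.lower() == "aws:sourcevpc":
                    vpcs += _as_list(val)
        aws = _as_list(principal.get("AWS", []))
        if "*" in aws and not (ips or vpcs):
            return "NON_COMPLIANT"  # anonymous grant with no network restriction
        checks = (
            [_principal_allowed(p, aws_principals) for p in aws if p != "*"]
            + [s in service_principals for s in _as_list(principal.get("Service", []))]
            + [f in federated_users for f in _as_list(principal.get("Federated", []))]
            + [_cidr_allowed(c, allowed_nets) for c in ips]
            + [v in vpc_ids for v in vpcs]
        )
        if not all(checks):
            return "NON_COMPLIANT"  # a grantee outside every provided list
    return "COMPLIANT"
```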

Trigger type: Configuration changes

AWS Region: All supported AWS regions

awsPrincipals (Optional)
Type: CSV

Comma-separated list of principals such as IAM User ARNs, IAM Role ARNs and AWS accounts, for example 'arn:aws:iam::111122223333:user/Alice, arn:aws:iam::444455556666:role/Bob, 123456789012'.

servicePrincipals (Optional)
Type: CSV

Comma-separated list of service principals, for example 'cloudtrail.amazonaws.com, lambda.amazonaws.com'.

federatedUsers (Optional)
Type: CSV

Comma-separated list of identity providers for web identity federation such as Amazon Cognito and SAML identity providers. For example 'cognito-identity.amazonaws.com, arn:aws:iam::111122223333:saml-provider/my-provider'.

ipAddresses (Optional)
Type: CSV

Comma-separated list of CIDR formatted IP addresses, for example ',, 2001:db8::/32'.

vpcIds (Optional)
Type: CSV

Comma-separated list of Amazon Virtual Private Clouds (Amazon VPC) IDs, for example 'vpc-1234abc0, vpc-ab1234c0'.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.