Object Storage Rules

This section details the rules relevant to object storages, such as Amazon S3.

Renamed in 0.0.7

This provider used to be called S3 before the 0.0.7 release. This change has been done to support Azure and GCP going forward. The old output behavior can be triggered by passing the --legacy-s3-output flag. The existing rulesets will work through a compatibility patch.

Do not permit an object storage bucket to be public

This rule checks object storage bucket ACLs so that they are not public. The configuration goes like this:

    - some.*regexp
    - some.*regexp  


This option accepts a regular expression to match against the bucket name. If include is specified, only the security groups with the specified name will be considered.


This option lets you exclude certain buckets from checking, similar to include above. The exclude rule takes precedence over include.

scanContents (since 0.0.2)

This is a true/false flag indicating if the contents of the buckets should be scanned for ACL violations. If true all files in the bucket will be checked, which may take a very long time. If false only the bucket ACL will be evaluated.