
S3 Bucket Module

Deploy secure, fully-managed AWS S3 buckets with encryption, versioning, logging, and fine-grained access policies.

What You'll Build

  • S3 bucket with versioning and encryption
  • Server-side encryption (SSE-S3 or SSE-KMS)
  • Access logging to separate bucket
  • Bucket policies for access control
  • Optional public access prevention
  • Object lifecycle policies
  • AWS CloudTrail integration

How to Use

module "app_bucket" {
  source = "github.com/nnthanh101/terraform-aws/modules/s3"

  bucket_name = "my-app-data-prod"

  # Encryption: "AES256" selects SSE-S3, "aws:kms" selects SSE-KMS.
  # kms_master_key_id is only consulted when the algorithm is "aws:kms";
  # the two settings below must agree.
  server_side_encryption_algorithm = "aws:kms"
  kms_master_key_id                = aws_kms_key.s3.arn

  # Versioning (required for noncurrent-version lifecycle rules and MFA Delete)
  versioning_enabled = true

  # Access logging: the destination must be a different bucket, otherwise
  # the bucket logs its own log deliveries in a loop.
  logging_enabled = true
  log_bucket      = aws_s3_bucket.logs.id
  log_prefix      = "app-logs/"

  # Access control
  block_public_access = true

  # Lifecycle rules: move superseded object versions to GLACIER after 90 days
  lifecycle_rules = [
    {
      id     = "archive-old-versions"
      filter = {}
      noncurrent_version_transition = {
        days          = 90
        storage_class = "GLACIER"
      }
    }
  ]

  tags = {
    Environment = "prod"
    Backup      = "required"
  }
}

Key Variables

Variable                           Type          Purpose
bucket_name                        string        Globally unique S3 bucket name
versioning_enabled                 bool          Enable object versioning
server_side_encryption_algorithm   string        "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)
kms_master_key_id                  string        KMS key ARN for SSE-KMS
logging_enabled                    bool          Enable server access logging
log_bucket                         string        Destination bucket for logs (must not be this bucket)
block_public_access                bool          Prevent public access (recommended)
lifecycle_rules                    list(object)  Object expiration and archive rules

Outputs

Output          Use Case
bucket_id       S3 URI references in code (s3://bucket-id/key), bucket argument of other resources
bucket_arn      Resource element of IAM and bucket policies, cross-account grants
bucket_region   Multi-region replication setup

Security Best Practices

  • Encryption: Use SSE-KMS with a customer-managed key for sensitive data; the key policy gives you a second authorization point and CloudTrail records every use of the key. SSE-S3 is sufficient for general storage.
  • Versioning: Protects against accidental deletion and overwrite; pair it with a noncurrent-version lifecycle rule so superseded versions do not accumulate indefinitely.
  • Access Logging: Deliver logs to a separate, non-public bucket, never to the bucket being logged. Server access logs are delivered on a best-effort basis, so rely on CloudTrail data events when a complete audit trail is required.
  • Block Public Access: Always enable unless a specific public use case exists, and enable it on the log bucket as well.
  • Lifecycle: Archive to GLACIER after 90 days to reduce costs; expire noncurrent versions once they are no longer needed for recovery.
  • MFA Delete: Requires MFA to permanently delete an object version or to change the bucket's versioning state. It can only be enabled by the root user with an MFA device through the CLI or API, not from the console, so plan it as a separate step.
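The bullets above leave two things to the caller: a bucket policy that enforces encryption and TLS on the application bucket, and the permission the S3 log delivery service needs on the destination bucket. The following is an added example and not part of the module or its repository. It assumes the module instance from the usage snippet is configured for SSE-KMS, that it exposes the documented bucket_id and bucket_arn outputs, and that aws_s3_bucket.logs and the "app-logs/" prefix exist as shown there.

```hcl
# Added example, not module code. Assumes module.app_bucket (SSE-KMS),
# aws_s3_bucket.logs and the "app-logs/" prefix from the usage snippet.
data "aws_caller_identity" "current" {}

# 1. Hardening policy for the application bucket.
data "aws_iam_policy_document" "app_bucket_hardening" {
  # Refuse any request that is not made over TLS.
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      module.app_bucket.bucket_arn,
      "${module.app_bucket.bucket_arn}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Refuse uploads that request an encryption mode other than SSE-KMS.
  statement {
    sid       = "DenyIncorrectEncryptionHeader"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.app_bucket.bucket_arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  # Refuse uploads that carry no encryption header at all. This also denies
  # clients that rely on the bucket's default encryption instead of setting
  # the header; drop this statement if that is the intended client behaviour.
  statement {
    sid       = "DenyUnencryptedObjectUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.app_bucket.bucket_arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }
}

resource "aws_s3_bucket_policy" "app_bucket_hardening" {
  bucket = module.app_bucket.bucket_id
  policy = data.aws_iam_policy_document.app_bucket_hardening.json
}

# 2. Log-destination bucket: allow the S3 log delivery service to write,
#    but only logs for this source bucket, this account and this prefix.
data "aws_iam_policy_document" "logs_delivery" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/app-logs/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [module.app_bucket.bucket_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "logs_delivery" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs_delivery.json
}
```

The two encryption statements are deliberately separate: StringNotEquals catches uploads that name the wrong algorithm, while the Null check catches uploads that omit the header entirely. The aws:SourceArn and aws:SourceAccount conditions on the log bucket keep another account's buckets from writing into your log prefix, which would otherwise be possible because the log delivery principal is shared across all of S3.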

Source Reference

Module: terraform-aws/modules/s3