S3 Bucket Module
Terraform module that deploys AWS S3 buckets with a secure baseline: default server-side encryption, versioning, server access logging, S3 Block Public Access, lifecycle rules and bucket policies for fine-grained access control.
What You'll Build
- S3 bucket with versioning enabled
- Default server-side encryption (SSE-S3 with AES256, or SSE-KMS with a KMS key you supply)
- Server access logging delivered to a separate log bucket
- Bucket policies for access control
- Optional S3 Block Public Access (all four settings)
- Object lifecycle rules (expiration and storage-class transitions)
- AWS CloudTrail integration
How to Use
```hcl
module "app_bucket" {
  source      = "github.com/nnthanh101/terraform-aws/modules/s3"
  bucket_name = "my-app-data-prod"

  # Encryption: "aws:kms" (SSE-KMS) uses the key below; "AES256" (SSE-S3)
  # ignores kms_master_key_id, so leave it unset in that case.
  server_side_encryption_algorithm = "aws:kms"
  kms_master_key_id                = aws_kms_key.s3.arn # KMS key declared elsewhere in the root module

  # Versioning
  versioning_enabled = true

  # Access logging to a separate bucket declared elsewhere in the root module
  logging_enabled = true
  log_bucket      = aws_s3_bucket.logs.id
  log_prefix      = "app-logs/"

  # Access control: enable all four S3 Block Public Access settings
  block_public_access = true

  # Lifecycle rules: move noncurrent object versions to Glacier after 90 days
  lifecycle_rules = [
    {
      id     = "archive-old-versions"
      filter = {}
      noncurrent_version_transition = {
        days          = 90
        storage_class = "GLACIER"
      }
    }
  ]

  tags = {
    Environment = "prod"
    Backup      = "required"
  }
}
```
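To confirm that a deployed bucket actually ended up with the settings the module call above is meant to produce, here is an added audit script; it is not part of the terraform-aws module. `audit_bucket()` calls only the `get_*` methods of a boto3 S3 client, so the same function runs unchanged against a real `boto3.client("s3")`. `FakeS3Client`, `SAMPLE_RESPONSES` and the two bucket names are constructed stand-ins so the example runs offline, and the checks go slightly beyond the module's own variables by also looking for MFA delete and for a bucket policy that denies non-TLS requests.

```python
"""Offline audit of the S3 baseline the module call above should produce.

Added example, not code from the terraform-aws module. FakeS3Client and
SAMPLE_RESPONSES are constructed; the response shapes are the ones boto3 returns.
"""
import json
from typing import Any, Dict, List

# All four Block Public Access settings must be on for block_public_access = true.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _get(client: Any, method: str, bucket: str) -> Dict[str, Any]:
    """Call a get_* method; a configuration that does not exist becomes {}.

    boto3 raises botocore ClientError (NoSuchPublicAccessBlockConfiguration,
    NoSuchBucketPolicy, ...) for absent configurations and the fake below raises
    RuntimeError for the same cases, so any exception maps to {}.
    """
    try:
        return getattr(client, method)(Bucket=bucket)
    except Exception:
        return {}


def _denies_insecure_transport(policy: Dict[str, Any]) -> bool:
    """True if some Deny statement conditions on Bool aws:SecureTransport = false."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(client: Any, bucket: str, require_kms: bool = False) -> List[str]:
    """Return findings for one bucket; an empty list means it matches the baseline."""
    findings: List[str] = []

    bpa = _get(client, "get_public_access_block", bucket).get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in BPA_FLAGS if not bpa.get(flag)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    rules = (_get(client, "get_bucket_encryption", bucket)
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    if not rules:
        findings.append("no default server-side encryption")
    else:
        algo = rules[0].get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if require_kms and algo != "aws:kms":
            findings.append(f"default encryption is {algo}, expected aws:kms")

    versioning = _get(client, "get_bucket_versioning", bucket)  # keys are absent until first set
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete not enabled")

    if not _get(client, "get_bucket_logging", bucket).get("LoggingEnabled"):
        findings.append("server access logging not enabled")

    raw = _get(client, "get_bucket_policy", bucket).get("Policy")
    if not raw or not _denies_insecure_transport(json.loads(raw)):
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client, keyed by bucket and method name."""

    def __init__(self, responses: Dict[str, Dict[str, Any]]):
        self._responses = responses

    def __getattr__(self, method: str):
        def call(Bucket: str) -> Dict[str, Any]:
            try:
                return self._responses[Bucket][method]
            except KeyError:
                raise RuntimeError(f"{method}: not configured on {Bucket}")  # ClientError in boto3
        return call


TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-app-data-prod", "arn:aws:s3:::my-app-data-prod/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

SAMPLE_RESPONSES = {
    # Constructed: what the module call above should yield, plus MFA delete and a TLS-only policy.
    "my-app-data-prod": {
        "get_public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_FLAGS, True)},
        "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
            "BucketKeyEnabled": True}]}},
        "get_bucket_versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "get_bucket_logging": {"LoggingEnabled": {"TargetBucket": "my-app-logs", "TargetPrefix": "app-logs/"}},
        "get_bucket_policy": {"Policy": TLS_ONLY_POLICY},
    },
    # Constructed: a hand-made bucket left at the S3 defaults (no logging, no policy).
    "legacy-uploads": {
        "get_public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "get_bucket_versioning": {},
    },
}

if __name__ == "__main__":
    client = FakeS3Client(SAMPLE_RESPONSES)
    for name in SAMPLE_RESPONSES:
        print(name, audit_bucket(client, name, require_kms=True) or ["OK"])
```

Against a real account, replace `FakeS3Client(SAMPLE_RESPONSES)` with `boto3.client("s3")` and pass `require_kms=True` for buckets that hold sensitive data; the script stays read-only, so it can run under a credential that has only the `s3:Get*` permissions.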
Key Variables
| Variable | Type | Purpose |
|---|---|---|
| bucket_name | string | Globally unique S3 bucket name |
| versioning_enabled | bool | Enable object versioning |
| server_side_encryption_algorithm | string | `AES256` (SSE-S3) or `aws:kms` (SSE-KMS) |
| kms_master_key_id | string | KMS key ARN for SSE-KMS; only used when the algorithm is `aws:kms` |
| logging_enabled | bool | Enable server access logging |
| log_bucket | string | Destination bucket for access logs (should be a separate bucket) |
| log_prefix | string | Key prefix for delivered log objects |
| block_public_access | bool | Enable all four S3 Block Public Access settings (recommended) |
| lifecycle_rules | list(object) | Object expiration and storage-class transition rules |
Outputs
| Output | Use Case |
|---|---|
| bucket_id | S3 URI references in code (`s3://bucket-id/key`) |
| bucket_arn | `Resource` element of IAM and bucket policies, cross-account grants |
| bucket_region | Cross-Region Replication and region-pinned client configuration |
Security Best Practices
- Encryption: Use SSE-KMS for sensitive data and SSE-S3 for general storage. SSE-KMS adds a second authorization check (the caller also needs `kms:Decrypt` on the key) and a per-key audit trail in CloudTrail, at the cost of KMS request charges and quotas.
- Versioning: Protects against accidental deletion and overwrite. A principal allowed `s3:DeleteObjectVersion` can still remove data permanently, so grant that action sparingly.
- Access Logging: Deliver server access logs to a separate bucket that application principals cannot write to. Delivery is best effort and delayed, so use CloudTrail data events where a complete record is required.
- Block Public Access: Always enable unless a specific public use case exists, and set it at the account level as well so a hand-created bucket cannot bypass it.
- Bucket Policy: Deny requests with `aws:SecureTransport` false so the bucket is never reachable over plain HTTP.
- Lifecycle: Archive noncurrent versions to GLACIER after 90 days (as in the example above) and expire them eventually; without an expiration rule a versioned bucket grows without bound.
- MFA Delete: Require MFA for permanent deletion of object versions and for changing the versioning state. It can only be enabled with the bucket owner's root credentials and an MFA device, so it is normally a one-off manual step outside the Terraform pipeline.
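As an added example of what the access logging in this module enables, and not code from the module, the following script runs a few detection rules over S3 server access log lines: anonymous requests that succeeded, 403 responses, SigV2 signatures and plaintext or weak TLS. The tokenizer follows the documented S3 server access log layout (space-separated fields, the timestamp in square brackets, the request URI, referer and user agent in double quotes). The `SAMPLE_LOG` lines, including the owner, request and host IDs, are constructed.

```python
"""Detection rules over S3 server access log lines, as delivered to the log bucket.

Added example, not part of the terraform-aws module. SAMPLE_LOG is constructed;
the field order is the documented S3 server access log format.
"""
from typing import Dict, List, Tuple

FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
          "host_header", "tls_version", "access_point_arn", "acl_required")


def tokenize(line: str) -> List[str]:
    """Split one log line, keeping [..] and ".." groups as single fields."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch == " ":
            i += 1
        elif ch in '"[':
            close = '"' if ch == '"' else "]"
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_line(line: str) -> Dict[str, str]:
    """Map fields by position; older lines have fewer trailing fields, which default to '-'."""
    tokens = tokenize(line)
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    return dict(zip(FIELDS, tokens))


def findings_for(rec: Dict[str, str]) -> List[str]:
    """Per-request checks; each string is a reason an analyst would want surfaced."""
    reasons = []
    # Requester '-' is an unsigned (anonymous) request; a 2xx proves the object is public.
    if rec["requester"] == "-" and rec["http_status"].startswith("2"):
        reasons.append("anonymous request succeeded")
    # A run of 403s is the usual sign of enumeration or a leaked bucket name.
    if rec["http_status"] == "403":
        reasons.append("access denied")
    # SigV2 is deprecated; current SDKs sign with SigV4.
    if rec["signature_version"] == "SigV2":
        reasons.append("SigV2 signature")
    tls = rec["tls_version"].lower()
    if tls == "-":
        reasons.append("plaintext HTTP")  # an aws:SecureTransport deny blocks it, but it is still logged
    elif tls in ("tlsv1", "tlsv1.0", "tlsv1.1"):
        reasons.append("weak TLS version")
    return reasons


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Return (request_id, reasons) for every line that triggers at least one check."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = findings_for(rec)
        if reasons:
            out.append((rec["request_id"], reasons))
    return out


# Constructed sample: anonymous GET, normal SigV4 GET, denied listing from a foreign
# account, SigV2 PUT, and a PUT over plain HTTP rejected by the bucket policy.
SAMPLE_LOG = """\
OWNERCANONICALID my-app-data-prod [10/Mar/2024:14:02:11 +0000] 203.0.113.5 - R1EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 4096 4096 12 8 "-" "curl/8.4.0" - hostIdEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - my-app-data-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERCANONICALID my-app-data-prod [10/Mar/2024:14:03:40 +0000] 10.0.12.7 arn:aws:sts::123456789012:assumed-role/app-task/i-0abc R2EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 4096 4096 9 6 "-" "aws-sdk-go-v2/1.24" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-app-data-prod.s3.us-east-1.amazonaws.com TLSv1.3 - -
OWNERCANONICALID my-app-data-prod [10/Mar/2024:14:05:02 +0000] 198.51.100.9 arn:aws:iam::999999999999:user/scanner R3EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-cli/2.15.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-app-data-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERCANONICALID my-app-data-prod [10/Mar/2024:14:06:15 +0000] 10.0.12.8 arn:aws:iam::123456789012:user/legacy-uploader R4EXAMPLE REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin HTTP/1.1" 200 - - 1048576 300 250 "-" "Boto/2.49.0" - hostIdEXAMPLE= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-app-data-prod.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERCANONICALID my-app-data-prod [10/Mar/2024:14:07:30 +0000] 10.0.12.8 arn:aws:iam::123456789012:user/legacy-uploader R5EXAMPLE REST.PUT.OBJECT uploads/b.bin "PUT /uploads/b.bin HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "Boto/2.49.0" - hostIdEXAMPLE= SigV4 - AuthHeader my-app-data-prod.s3.us-east-1.amazonaws.com - - -
"""

if __name__ == "__main__":
    for request_id, reasons in scan(SAMPLE_LOG.splitlines()):
        print(request_id, ", ".join(reasons))
```

In production the same `scan()` runs over the objects under `log_prefix` in the log bucket; the rules are deliberately per-request so they can be aggregated by `remote_ip` or `requester` downstream, which is where the repeated-403 and SigV2-by-one-principal patterns become actionable.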
Source Reference
Module: terraform-aws/modules/s3