S3 Secure Bucket
Overview
This Terraform module provisions an AWS S3 bucket with hardened defaults and compliance-aligned configuration.
It is designed for production use cases where encryption at rest, server access logging, and a full block on public access are mandatory.
Key Features
- Creates a globally unique bucket name by appending a random suffix to bucket_base_name
- Enables server-side encryption with S3-managed keys (SSE-S3, AES-256) as the bucket default, so objects uploaded without an encryption header are still encrypted at rest
- Enables server access logging to a dedicated log bucket that the module creates alongside the data bucket
- Turns on all four S3 Block Public Access settings (block public ACLs, ignore public ACLs, block public bucket policies, restrict public buckets)
- Tags all resources with the environment and contextual metadata
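The module source is distributed only under the license tier described at the end of this page, so the feature list above is the only description of what it creates. As an added illustration (not the module's own code), the following stand-alone configuration, written against AWS provider 5.x resources, produces the same set of defaults: a random-suffixed data bucket, SSE-S3 default encryption, a hardened log bucket receiving server access logs, Block Public Access on both buckets, and environment tags. Every identifier in it (the `this` and `logs` labels, the local names, the log-bucket policy statement) is an assumption for this example, not a name used by the module.

```hcl
# Illustrative stand-in for the module's resources (not the Archiphire source):
# every name below ("this", "logs", the variables) is an assumption.
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = "~> 5.0" }
    random = { source = "hashicorp/random", version = "~> 3.0" }
  }
}

provider "aws" { region = var.region }
variable "region" { type = string }
variable "bucket_base_name" { type = string }
variable "environment" { type = string }

data "aws_caller_identity" "current" {}
# Random suffix makes the name globally unique; hex output keeps it lowercase.
resource "random_id" "suffix" { byte_length = 4 }

locals {
  bucket_name     = "${var.bucket_base_name}-${random_id.suffix.hex}"
  log_bucket_name = "${var.bucket_base_name}-logs-${random_id.suffix.hex}"
  tags            = { Environment = var.environment, ManagedBy = "terraform" }
}

# Log bucket: hardened the same way, created before logging is switched on.
resource "aws_s3_bucket" "logs" {
  bucket = local.log_bucket_name
  tags   = local.tags
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# The S3 logging service principal needs PutObject on the log bucket; the
# SourceAccount/SourceArn conditions stop other buckets from writing here.
resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "S3ServerAccessLogsPolicy"
      Effect    = "Allow"
      Principal = { Service = "logging.s3.amazonaws.com" }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.logs.arn}/*"
      Condition = {
        StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        ArnLike      = { "aws:SourceArn" = aws_s3_bucket.this.arn }
      }
    }]
  })
}

resource "aws_s3_bucket" "this" {
  bucket = local.bucket_name
  tags   = local.tags
}

# Blocks every path to public exposure: ACLs and policies, existing and future.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# SSE-S3: objects written without an encryption header get AES256 at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

resource "aws_s3_bucket_logging" "this" {
  bucket        = aws_s3_bucket.this.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "access-logs/${local.bucket_name}/"
  depends_on    = [aws_s3_bucket_policy.logs]
}

output "bucket_name"     { value = aws_s3_bucket.this.bucket }
output "bucket_arn"      { value = aws_s3_bucket.this.arn }
output "log_bucket_name" { value = aws_s3_bucket.logs.bucket }
output "log_bucket_arn"  { value = aws_s3_bucket.logs.arn }
```

Two details matter for the logging part. New buckets have ACLs disabled (Object Ownership set to bucket owner enforced), so the legacy log-delivery ACL grant does not apply and the logging service principal must be authorised through a bucket policy as shown; and the aws_s3_bucket_logging resource depends on that policy so the first log delivery is not rejected. The log bucket gets the same Block Public Access and encryption settings as the data bucket, because access logs record requester identities and object keys and are sensitive in their own right.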
Use Cases
- Secure backend storage for applications and services
- Logging and audit storage for compliance frameworks (e.g., HIPAA, PCI DSS)
- Storing sensitive files with access control boundaries
- Production-ready S3 buckets with hardened security posture
Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the secure bucket |
| bucket_base_name | string | Base name for the bucket; a random suffix is appended, so the base must already follow S3 naming rules (lowercase letters, digits, hyphens) |
| environment | string | Tag to specify the deployment environment (e.g., dev, staging, prod) |
Outputs
| Name | Description |
|---|---|
| bucket_name | The full name of the created secure S3 bucket |
| bucket_arn | The ARN of the created secure S3 bucket |
| log_bucket_name | The name of the access log bucket |
| log_bucket_arn | The ARN of the access log bucket |
Deployment Readiness
- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires IAM permissions to create and configure S3 buckets; for the features listed above that means at least s3:CreateBucket, s3:PutBucketTagging, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock and s3:PutBucketLogging (the exact policy depends on the module internals, which are not published here)
Example Usage
```hcl
module "s3_secure_bucket" {
  source           = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//storage/s3-secure-bucket?ref=v1.0.0"
  region           = "us-east-1"
  bucket_base_name = "archiphire-secure"
  environment      = "prod"
}
```

Keep the ref query parameter pinned to a tagged release rather than a branch, so a later push to the repository cannot silently change what terraform apply provisions.
```shell
terraform init
terraform plan
terraform apply
```

or, with OpenTofu:

```shell
tofu init
tofu plan
tofu apply
```
Cleanup Options
Terraform Destroy (for test environments):

```shell
terraform destroy
```

or

```shell
tofu destroy
```

Manual Deletion (recommended for production):

```shell
aws s3 rb s3://<bucket_name> --force
aws s3 rb s3://<log_bucket_name> --force
```

Replace the placeholders with the bucket_name and log_bucket_name outputs. The --force flag deletes every object in the bucket before removing the bucket itself, which cannot be undone, so confirm the bucket name against the outputs before running it; the log bucket is a separate resource and is not removed when the data bucket is.
Notes
This is a Level 1 hardened baseline module. Use it for secure-by-default buckets in production and compliance-sensitive environments.
For general-purpose buckets that do not need strict access controls, use the simpler s3-bucket module instead.
Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.