S3

Status: experimental

The S3 plugin automatically discovers and catalogs Amazon S3 buckets across your AWS accounts. It captures comprehensive bucket metadata including security configurations, lifecycle policies, encryption settings, and AWS resource tags.

Prerequisites

AWS Permissions

The plugin requires the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetBucketEncryption",
        "s3:GetPublicAccessBlock",
        "s3:GetBucketNotification",
        "s3:GetBucketLifecycleConfiguration",
        "s3:GetBucketReplication",
        "s3:GetBucketWebsite",
        "s3:GetBucketLogging",
        "s3:GetBucketAccelerateConfiguration",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging"
      ],
      "Resource": "*"
    }
  ]
}

Minimal Permissions

For basic bucket discovery without detailed configuration:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    }
  ]
}

Example Configuration

credentials:
  region: "us-east-1" 
  id: "<aws-secret-id>"
  secret: "<aws-secret-key>"
tags:
  - "s3"

Configuration

The following configuration options are available:

Property	Type	Required	Description
aws	AWSConfig	false
credentials	AWSCredentials	false	AWS credentials configuration
external_links	[]ExternalLink	false
filter	Filter	false	Filter patterns for AWS resources
global_documentation	[]string	false
global_documentation_position	string	false
include_tags	[]string	false	List of AWS tags to include as metadata
merge	MergeConfig	false
metadata	MetadataConfig	false
tags	TagsConfig	false
tags_to_metadata	bool	false	Convert AWS tags to Marmot metadata

Available Metadata

The following metadata fields are available:

Field	Type	Description
accelerate_config	string	Transfer acceleration configuration
bucket_arn	string	The ARN of the S3 bucket
creation_date	string	When the bucket was created
encryption	string	Bucket encryption configuration
lifecycle_config	string	Bucket lifecycle configuration
logging_config	string	Bucket access logging configuration
notification_config	string	Bucket notification configuration
public_access_block	string	Public access block configuration
region	string	The AWS region where the bucket is located
replication_config	string	Bucket replication configuration
request_payment_config	string	Request payment configuration
tags	map[string]string	AWS resource tags
versioning	string	Bucket versioning status
website_config	string	Static website hosting configuration

Prerequisites​

AWS Permissions​

Minimal Permissions​

Example Configuration​

Configuration​

Available Metadata​