Home S3 Bucket Policy with CloudWatch Alarm – Securing storage before it leaks

S3 Bucket Policy with CloudWatch Alarm – Securing storage before it leaks


Amazon S3 is a widely appreciated cloud storage service. Not only it stores your data but also able to tackle the stored data in the form of accessibility. You can pay according to storage you are leveraging i.e. frequently accessed or archive data storage. But security is still what concerns most of the users. This can be handled on the ground level by creating and adding policies for your S3 buckets.

What is S3 bucket policy?

Bucket Policy is very similar to the access control list. Both are resource-based AWS Identity and Access Management (IAM) Policies. These services enable the user to grant access permission to other AWS account holder or IAM user. To apply the bucket policy, a user needs to add a policy to their bucket. These policies are only applicable to the bucket and the object present in it, but this permission is applied to the object that is created by the bucket owner.

How to create or add bucket policies?

To add a bucket policy:

  1. Select the bucket in the name list, for which you want to create policy.
  2. Now in permissions, select bucket policy.
  3. In bucket policy editor window, add a new bucket policy or edit an existing policy. Since bucket policy is JSON file. So, make sure the text you enter in the editor should be valid in JSON.
  4. Save your policy.

Why do you need to configure a metric filter and alarm for S3 bucket policy?

By default, your bucket is in private mode; but bucket policy provides you with an additional layer of protection for your bucket. Any unexpected change in your bucket policy can make your data insecure. To protect your bucket policies, you need to configure a trail in CloudTrail which registers every change occurred in your policies. And if you deliver this trail to CloudWatch logs, it will alarm you for every change that happens into the configuration. Hence, you can react immediately.

Ensure your Cloud Storage Security

Centilytics ensures that your CloudWatch alarm triggers every time a bucket policy change is made. Whenever there is an AWS API call to add or edit bucket policy, CloudWatch alarm must notify you. Centilytics plays a crucial role since it checks for the CloudWatch alarm that you need to set up in your AWS account. It then lists down all the accounts in which the alarm is not configured. With our applicable filters, it becomes easier to understand the configuration of the Bucket Policies.

Insight Description:

OK  Ok: CloudTrail has CloudWatch logs groups configured with metric filter, alarm, SNS topic with at least one subscriber.
Warning Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.
Critical  Critical: Delivery to CloudWatch logs not configured.


Description of further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account ID

Account Name: Shows the account name corresponding to the user’s account.

Account Name

Region: This column shows the region of your instance where it has been used.


Identifier: Shows you the service with its trail name.


Log Group Name: It represents the name of the group which has permission to use the service.

Log Group Name

Metric Filter Name: Shows you the name that you have given to the metric filter.

Metric Filter Name

Alarm Name: Shows you the name of the alarm which you have assigned.

Alarm Name

SNS Topic Name: SNS refers to the Simple Notification Service group. A group of individuals who receive the alert message.

SNS Topic Name

Custom Severity Description: Shows the severity of your metric filter and its functions custom description.

Custom Severity Discription-Virtual Private Network Alarm

Filters Applicable:

Filter Name Description
Account Id Applying account Id filter will display all the public snapshots for the selected account Id.
Region Applying the region filter will display all the public snapshots corresponding to the selected region.
Severity Applying severity filter will display public snapshots according to the selected severity type i.e. selecting critical will display all instances with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags Applying resource tags filter will display those public snapshots which have been assigned the selected resource tag. For e.g., If a user has tagged some public snapshots by a resource tag named environment, then selecting an environment from the resource tags filter will display all those snapshots.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Hence, the user can view data of all the resources with “environment:production” tag. The user can use the tag value filter only when a tag name has been provided.
Compliance Applying Compliance filter, you can further refine your security and health checks.



Cloud Management