
Terraform S3 bucket risk

Review S3 changes before apply.

S3 bucket changes can affect confidentiality, recovery, audit evidence, and customer data exposure. This page is static guidance; raw Terraform plans stay on your workstation or in CI and are never uploaded.

No plan upload · Manual review guide · SOC 2 evidence

High-risk signals include removal of the public access block, a broadened bucket policy, encryption or KMS key changes, disabled versioning, lifecycle rules that expire objects, and forced bucket replacement.

Review checklist

S3 signals

  • Public access block or bucket policy changes that broaden access.
  • Server-side encryption, KMS key, replication, or ownership controls changed.
  • Versioning, object lock, lifecycle, backup, or retention settings weakened.
  • Delete/create replacement of a bucket that stores production or customer data. Terraform does not migrate objects to the new bucket, and the destroy of a non-empty bucket fails unless force_destroy is set, which is itself a signal worth checking.

SOC 2 angle

Evidence to keep

Map S3 changes to CC6 (logical access controls), C1 (confidentiality), A1 (availability and recovery), and CC8 (change management). readtheplan can generate control-mapped evidence locally or in CI after you export the plan as JSON.
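The following is an added example, not readtheplan's own code, that turns the S3 checklist above into a local check over a plan export and tags each finding with the SOC 2 criteria just listed. It assumes the JSON produced by `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`, and the standalone S3 resources of the AWS provider (aws_s3_bucket_versioning, aws_s3_bucket_policy, and so on, as split out in provider 4.x). The signal-to-criteria mapping in CONTROLS is an assumption for illustration, not auditor guidance, and SAMPLE_PLAN is constructed rather than taken from a real account. The policy check only catches unconditional Principal "*" Allow statements; cross-account grants and condition-scoped exposure still need the full diff.

```python
"""Flag the checklist's high-risk S3 signals in a Terraform plan JSON (added
example, not readtheplan's code; SAMPLE_PLAN at the bottom is constructed)."""
import json

# Signal -> SOC 2 criteria named on this page; an assumed mapping for
# illustration (CC6 access, C1 confidentiality, A1 recovery, CC8 change mgmt).
CONTROLS = {"public_access_block_weakened": ["CC6", "C1"], "bucket_policy_broadened": ["CC6", "C1"],
            "encryption_changed": ["C1"], "versioning_disabled": ["A1"],
            "lifecycle_expiration_added": ["A1"], "bucket_replaced": ["A1", "CC8"]}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def first(block) -> dict:
    """Plan JSON renders nested HCL blocks as lists; return the first or {}."""
    return (block[0] if block else {}) if isinstance(block, list) else (block or {})


def wildcard_allows(policy) -> list:
    """Allow statements with Principal '*' and no Condition (open to anyone)."""
    stmts = json.loads(policy).get("Statement", []) if policy else []
    hits = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        p = s.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and not s.get("Condition") and (
                p == "*" or (isinstance(p, list) and "*" in p)):
            hits.append(s)
    return hits


def expiring_rule_ids(attrs) -> set:
    """IDs of enabled lifecycle rules with an expiration (object deletion)."""
    return {r.get("id") for r in attrs.get("rule") or []
            if r.get("status") == "Enabled" and first(r.get("expiration")).get("days")}


def review_s3_changes(plan) -> list:
    """One finding per high-risk S3 signal found in plan['resource_changes']."""
    findings = []
    def flag(signal, rc, detail):
        findings.append({"signal": signal, "address": rc["address"],
                         "controls": CONTROLS[signal], "detail": detail})
    for rc in plan.get("resource_changes", []):
        t, ch = rc["type"], rc["change"]
        before, after = ch.get("before") or {}, ch.get("after") or {}
        deleted = ch["actions"] == ["delete"]
        if t == "aws_s3_bucket" and {"create", "delete"} <= set(ch["actions"]):
            flag("bucket_replaced", rc, "forced replacement; objects are not migrated")
        elif t == "aws_s3_bucket_public_access_block":
            weak = [f for f in PAB_FLAGS if before.get(f) is True and after.get(f) is not True]
            if deleted or weak:
                flag("public_access_block_weakened", rc, "removed" if deleted else ",".join(weak))
        elif t == "aws_s3_bucket_policy" and not deleted:
            old = wildcard_allows(before.get("policy"))
            new = [s for s in wildcard_allows(after.get("policy")) if s not in old]
            if new:
                flag("bucket_policy_broadened", rc, f"{len(new)} new unconditional Principal '*' Allow")
        elif t == "aws_s3_bucket_server_side_encryption_configuration":
            b, a = (first(first(x.get("rule")).get("apply_server_side_encryption_by_default"))
                    for x in (before, after))
            if deleted or (before and b != a):  # SSE block removed, algorithm or KMS key changed
                flag("encryption_changed", rc, f"{b} -> {a or 'removed'}")
        elif t == "aws_s3_bucket_versioning":
            status = first(after.get("versioning_configuration")).get("status")
            if deleted or (before and status != "Enabled"):
                flag("versioning_disabled", rc, f"status -> {status or 'removed'}")
        elif t == "aws_s3_bucket_lifecycle_configuration" and not deleted:
            added = expiring_rule_ids(after) - expiring_rule_ids(before)
            if added:
                flag("lifecycle_expiration_added", rc, f"new expiring rules {sorted(added)}")
    return findings


def plan_change(type_, name, actions, before, after):
    """Build one resource_changes entry in the shape `terraform show -json` emits."""
    return {"address": f"{type_}.{name}", "type": type_,
            "change": {"actions": actions, "before": before, "after": after}}


_ROOT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*"}
_SSE = lambda alg, key: {"rule": [{"apply_server_side_encryption_by_default":
                                   [{"sse_algorithm": alg, "kms_master_key_id": key}]}]}
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [  # constructed, not a real account
    plan_change("aws_s3_bucket", "customer_data", ["delete", "create"],
                {"bucket": "customer-data"}, {"bucket": "customer-data-v2"}),
    plan_change("aws_s3_bucket_public_access_block", "customer_data", ["update"],
                dict.fromkeys(PAB_FLAGS, True), {**dict.fromkeys(PAB_FLAGS, True), "block_public_policy": False}),
    plan_change("aws_s3_bucket_policy", "customer_data", ["update"], {"policy": json.dumps({"Statement": [_ROOT]})},
                {"policy": json.dumps({"Statement": [_ROOT, {**_ROOT, "Principal": "*"}]})}),
    plan_change("aws_s3_bucket_versioning", "customer_data", ["update"],
                {"versioning_configuration": [{"status": "Enabled"}]}, {"versioning_configuration": [{"status": "Suspended"}]}),
    plan_change("aws_s3_bucket_server_side_encryption_configuration", "customer_data", ["update"],
                _SSE("aws:kms", "alias/customer-data"), _SSE("AES256", "")),
    plan_change("aws_s3_bucket_lifecycle_configuration", "customer_data", ["update"],
                {"rule": [{"id": "keep", "status": "Enabled", "expiration": []}]},
                {"rule": [{"id": "keep", "status": "Enabled", "expiration": []},
                          {"id": "expire-30d", "status": "Enabled", "expiration": [{"days": 30}]}]}),
]}

if __name__ == "__main__":
    for f in review_s3_changes(SAMPLE_PLAN):
        print(f"{f['signal']:28} {','.join(f['controls']):7} {f['address']}  {f['detail']}")
```

Run it against your own export with `review_s3_changes(json.load(open("plan.json")))`; the findings list, not the plan, is what you share as review notes or evidence. Comparing `before` to `after` rather than inspecting `after` alone is what keeps a create of a correctly configured bucket, or a tag-only update, from being reported.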

Request pilot setup

Placeholder inbox: pilot-contact@example.com.

FAQ

S3 risk questions

Why is Terraform S3 bucket policy risk high?

A bucket policy can expose data, break service access, or bypass expected account boundaries, so review it against the exact diff of the policy document rather than a summary of the change.

Should I email a Terraform plan for review?

No. Keep the raw Terraform plan local and share review notes or generated evidence instead.