GitHub: StratusGrid/terraform-aws-s3-bucket-logging

This Terraform module creates an S3 bucket that serves as the logging target in an account. The bucket can later be configured to replicate its contents into a centralized logging account.

This module configures a bucket with:

  • Server-side encryption (SSE-S3 by default, not KMS)
  • Encrypted transit required (plaintext HTTP requests are refused)
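Added example, not part of the module: a small Python check of whether a bucket policy actually delivers the "requires encrypted transit" property above, i.e. denies every principal over plaintext HTTP for both the bucket itself and its objects. The ARN and the two policies are constructed for the demonstration; the Deny-on-`aws:SecureTransport = false` pattern is the standard way to express this and is assumed to be what the module's `aws_s3_bucket_policy` applies.

```python
import json

# Constructed sample ARN and policies for the check below (not from the module).
BUCKET_ARN = "arn:aws:s3:::example-logging-bucket"

# Weak: the deny covers objects only, so bucket-level calls (e.g. ListBucket)
# over plain HTTP are still permitted.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": BUCKET_ARN + "/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Corrected: both the bucket ARN and the object ARNs are covered.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True if the statement denies all principals whenever TLS is not in use."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(flag).lower() == "false"


def tls_only_gaps(policy_json, bucket_arn):
    """Return the resource scopes (bucket, objects) not covered by a TLS-only deny.

    An empty set means plaintext HTTP is refused for both bucket-level and
    object-level calls; anything left over is a gap in "requires encrypted transit".
    """
    needed = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if _denies_insecure_transport(stmt):
            for res in _as_list(stmt.get("Resource")):
                needed.discard(res)
                if res == "*":
                    needed.clear()
    return needed


if __name__ == "__main__":
    print("weak policy gaps:", tls_only_gaps(WEAK_POLICY, BUCKET_ARN))
    print("good policy gaps:", tls_only_gaps(GOOD_POLICY, BUCKET_ARN))
```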

Example - Simple

```hcl
module "s3_bucket_logging" {
  source             = "StratusGrid/s3-bucket-logging/aws"
  version            = "2.0.1"
  name_prefix        = var.name_prefix
  input_tags         = local.common_tags
  versioning_enabled = true #Enabled by default
}
```

Example - Remote Logging

```hcl
module "s3_bucket_logging" {
  source             = "StratusGrid/s3-bucket-logging/aws"
  version            = "2.0.1"
  name_prefix        = var.name_prefix
  input_tags         = local.common_tags
  versioning_enabled = true #Enabled by default, required for replication

  # Inputs for replicating into the central logging account (see Inputs below);
  # the values on the right are assumed, the original example did not include them
  enable_centralized_logging  = true
  logging_account_id          = var.logging_account_id
  s3_destination_bucket_name  = var.s3_destination_bucket_name
  iam_role_s3_replication_arn = module.iam_role_s3.iam_role_arn
}
```

Example - Regional

```hcl
module "s3_bucket_logging_us_east_2" {
  source      = "StratusGrid/s3-bucket-logging/aws"
  version     = "2.0.1"
  name_prefix = var.name_prefix
  name_suffix = "${local.name_suffix}-us-east-2"
  input_tags  = merge(local.common_tags, {})
  providers = {
    aws = aws.us_east_2 # assumed alias of a provider configured for us-east-2; elided in the original
  }
  versioning_enabled = true #Enabled by default
}
```

Example - Source IAM Policy and Role for Replication

Below is an example of the IAM policy and role required in the source account so that S3 can replicate this bucket into the centralized logging bucket.

```hcl
data "aws_iam_policy_document" "s3_replication" {
  // The action and resource lists were cut off in the original README. The actions
  // below are the ones AWS documents for S3 replication and are assumed here; the
  // resources point at this module's bucket and the central bucket from the inputs.
  // Source bucket configuration
  statement {
    sid       = "AllowS3SourceReplication"
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = [module.s3_bucket_logging.bucket_arn]
  }
  // Source object versions and their metadata
  statement {
    sid       = "AllowS3SourceReplicationMetadata"
    actions   = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    resources = ["${module.s3_bucket_logging.bucket_arn}/*"]
  }

  //Destination bucket objects
  statement {
    sid       = "AllowS3SourceReplicationObjects"
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["arn:aws:s3:::${var.s3_destination_bucket_name}/*"]
  }
}

resource "aws_iam_policy" "s3_role_assumption" {
  name        = "S3-replication-policy"
  description = "Policy to allow S3 role assumption for centralized logging"
  policy      = data.aws_iam_policy_document.s3_replication.json
}

module "iam_role_s3" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 4"

  trusted_role_services = ["s3.amazonaws.com"] # the S3 service assumes this role; value assumed, elided in the original

  create_role       = true
  role_requires_mfa = false #No MFA since it's a service

  role_name = "${var.name_prefix}-s3-central-replication${local.name_suffix}" #The assuming account matches it based upon name

  custom_role_policy_arns = [aws_iam_policy.s3_role_assumption.arn]

  tags = {
    "Name" = "${var.name_prefix}-s3-central-replication${local.name_suffix}"
  }
}
```
Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| aws | >= 4.0 |

Resources

| Name | Type |
|------|------|
| aws_s3_bucket.bucket | resource |
| aws_s3_bucket_lifecycle_configuration.bucket | resource |
| aws_s3_bucket_policy.bucket_policy_attachment | resource |
| aws_s3_bucket_public_access_block.bucket | resource |
| aws_s3_bucket_replication_configuration.replication | resource |
| aws_s3_bucket_server_side_encryption_configuration.bucket | resource |
| aws_s3_bucket_versioning.resource | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_s3_bucket_server_side_encryption_type | Selection of the bucket encryption type | string | "SSE_S3" | no |
| days_to_object_expiration | Number of days before expiring data completely | string | "2557" | no |
| enable_centralized_logging | Enable support for centralized logging to a centralized logging account | bool | false | no |
| enable_object_expiration | Enable expiring data completely after the configured number of days | bool | false | no |
| iam_role_s3_replication_arn | IAM role that enables S3 role assumption for centralized logging | string | "" | no |
| input_tags | Map of tags to apply to resources | map(string) | {} | no |
| logging_account_id | Logging account number | string | "" | no |
| name_prefix | String to prefix on object names | string | n/a | yes |
| name_suffix | String to append to object names. This is optional, so start with a dash if using | string | "" | no |
| replication_dest_storage_class | The storage class for replicated objects in the destination bucket | string | "STANDARD_IA" | no |
| s3_destination_bucket_name | Centralized logging bucket name | string | "" | no |
| transition_expiration | Number of days before expiring data completely | string | "2557" | no |
| transition_glacier | Number of days before transitioning data to Glacier | string | "366" | no |
| transition_ia | Number of days before transitioning data to S3 Infrequent Access | string | "180" | no |
| versioning_enabled | Enable versioning on the S3 bucket; this is mainly for S3 logging replication | bool | true | no |

Outputs

| Name | Description |
|------|-------------|
| bucket_arn | The full ARN of the bucket created |
| bucket_id | The ID of the bucket created |


Note: manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run `terraform-docs -c .config/.terraform-docs.yml .`


S3 bucket to be used as logging target for other resources
