Bukelatta
S3 Bucket PoliciesManage S3 bucket policies as diffable, reviewable code
- Manages
- Amazon S3 Bucket Policies
- Language
- Ruby
- Package
- bukelatta
- CLI
- bukelatta
- Config file
- Policyfile
bucket "foo-bucket" do
{"Version"=>"2012-10-17",
"Id"=>"AWSConsole-AccessLogs-Policy-XXX",
"Statement"=>
[{"Sid"=>"AWSConsoleStmt-XXX",
"Effect"=>"Allow",
"Principal"=>{"AWS"=>"arn:aws:iam::XXX:root"},
"Action"=>"s3:PutObject",
"Resource"=>
"arn:aws:s3:::foo-bucket/AWSLogs/XXX/*"}]}
end
Bukelatta is a Ruby command-line tool that manages Amazon S3 bucket policies as code. It exports every bucket policy in an account into one file called a Policyfile. You review policy changes in Git, dry-run them, then apply them idempotently.
What is Bukelatta?
Bukelatta is a Ruby command-line tool in the codenize-tools family. It manages S3 bucket policies as code. It exports every policy in an account into one file, then applies your edits back to S3. This is the usual config in version control loop: export, review, dry-run, apply.
Bucket policies are security-critical JSON that usually lives only in the S3 console. That makes them easy to get wrong and hard to audit. One stray wildcard or wrong principal can expose data. Moving them into Git changes that:
- One file holds every bucket policy in the account.
- Git history records who changed a policy and when.
- Reviewable diffs replace silent console edits.
Bukelatta puts the policies where review actually happens. It works well with Miam, which codenizes IAM users, groups, and policies, so your whole access-control story reads in one DSL.
- Manages S3 bucket policies, the resource policies attached to buckets.
- One export writes every policy in the account to a Policyfile.
- Policies are Ruby hashes, so shared statements can be reused, not copy-pasted.
- A dry-run shows which statements change on which buckets; applies are idempotent.
- The ECR-policy sibling is Repol, for container image repositories.
- The repo is archived since 2018, so treat it as legacy.
Install and run Bukelatta
Install
Install the bukelatta gem (Ruby required).
$ gem install bukelattaExport current state
Pull the live S3 Bucket Policies configuration into a Policyfile.
$ bukelatta -e -o PolicyfileDry-run, then apply
Preview the diff, then apply the change for real.
$ bukelatta -a --dry-runBukelatta runs the export, review, apply loop. Run it once in export mode (the -e flag), or add --split for per-bucket files, and commit the result. That commit is your auditable baseline of every bucket policy.
Policy changes are then ordinary pull requests. Edit the Policyfile, run the apply with --dry-run, and paste the diff into the review so approvers see exactly which statements change on which buckets. After approval, apply for real; the apply is idempotent, so re-runs are safe. Since bucket policies attract well-meaning console edits, a scheduled dry-run acts as drift detection: any policy changed outside the file shows up as a diff to investigate.
After each export, grep the Policyfile for wildcard principals and s3:* actions. It turns an account-wide access audit into a few seconds of text search.
What Bukelatta can do
Whole-account policy export
Export mode walks every bucket and writes its policy into one DSL file. You get a complete access-policy inventory from a single command.
Policies as Ruby data, not console JSON
Each bucket block returns the policy as a Ruby hash. You can use variables, helpers, and requires to share common statements instead of copy-pasting JSON.
Dry-run diffs for security review
The dry-run shows which statements would be added, changed, or removed on which buckets. That is the evidence a reviewer needs before approving.
Idempotent apply
Applying an unchanged Policyfile does nothing. Bukelatta only calls the S3 API for buckets whose declared policy differs from the live one.
Targeted runs and split files
The --target regex restricts a run to matching bucket names. The --split option writes one file per bucket to keep reviews focused.
Concurrent API requests
The --request-concurrency option runs S3 calls in parallel. Exports and applies stay fast even in accounts with hundreds of buckets.
| Task | In the S3 console | With Bukelatta |
|---|---|---|
| See every policy | Open each bucket one by one | One export to a Policyfile |
| Review a change | No diff, no approval step | Diff in a pull request |
| History | None | Full Git history |
| Repeat safely | Manual and error-prone | Idempotent apply |
| Spot drift | Not possible | Scheduled dry-run |
When teams reach for Bukelatta
Audit bucket access across an account
One export gives you a greppable file of every bucket policy. Searching for wildcard principals or unknown account IDs takes seconds, not a click-through of each bucket's permissions tab.
Enforce review on risky changes
Opening a bucket to another account or a CDN origin deserves a second pair of eyes. With Bukelatta the change is a pull request with a dry-run diff, not a console edit found months later.
Standardize log and cross-account policies
Access-log buckets and cross-account shares often need near-identical policies. Because the DSL is Ruby, a helper can generate the shared statements and apply them to every matching bucket.