Bukelatta

S3 Bucket Policies

Manage S3 bucket policies as diffable, reviewable code

Manages
Amazon S3 Bucket Policies
Language
Ruby
Package
bukelatta
CLI
bukelatta
Config file
Policyfile
The bukelatta repository is archived on GitHub with no activity since 2018, so use it for audits and exports but prefer actively maintained tools like Terraform for new work.
Policyfile
bucket "foo-bucket" do
  {"Version"=>"2012-10-17",
   "Id"=>"AWSConsole-AccessLogs-Policy-XXX",
   "Statement"=>
    [{"Sid"=>"AWSConsoleStmt-XXX",
      "Effect"=>"Allow",
      "Principal"=>{"AWS"=>"arn:aws:iam::XXX:root"},
      "Action"=>"s3:PutObject",
      "Resource"=>
       "arn:aws:s3:::foo-bucket/AWSLogs/XXX/*"}]}
end
In short

Bukelatta is a Ruby command-line tool that manages Amazon S3 bucket policies as code. It exports every bucket policy in an account into one file called a Policyfile. You review policy changes in Git, dry-run them, then apply them idempotently.

What is Bukelatta?

Bukelatta is a Ruby command-line tool in the codenize-tools family. It manages S3 bucket policies as code. It exports every policy in an account into one file, then applies your edits back to S3. This is the usual config in version control loop: export, review, dry-run, apply.

Bucket policies are security-critical JSON that usually lives only in the S3 console. That makes them easy to get wrong and hard to audit. One stray wildcard or wrong principal can expose data. Moving them into Git changes that:

  • One file holds every bucket policy in the account.
  • Git history records who changed a policy and when.
  • Reviewable diffs replace silent console edits.

Bukelatta puts the policies where review actually happens. It works well with Miam, which codenizes IAM users, groups, and policies, so your whole access-control story reads in one DSL.

Key facts
  • Manages S3 bucket policies, the resource policies attached to buckets.
  • One export writes every policy in the account to a Policyfile.
  • Policies are Ruby hashes, so shared statements can be reused, not copy-pasted.
  • A dry-run shows which statements change on which buckets; applies are idempotent.
  • The ECR-policy sibling is Repol, for container image repositories.
  • The repo is archived since 2018, so treat it as legacy.
Illustration: Amazon S3 Bucket Policies managed as code with Bukelatta
Getting started

Install and run Bukelatta

1

Install

Install the bukelatta gem (Ruby required).

$ gem install bukelatta
2

Export current state

Pull the live S3 Bucket Policies configuration into a Policyfile.

$ bukelatta -e -o Policyfile
3

Dry-run, then apply

Preview the diff, then apply the change for real.

$ bukelatta -a --dry-run

Bukelatta runs the export, review, apply loop. Run it once in export mode (the -e flag), or add --split for per-bucket files, and commit the result. That commit is your auditable baseline of every bucket policy.

Policy changes are then ordinary pull requests. Edit the Policyfile, run the apply with --dry-run, and paste the diff into the review so approvers see exactly which statements change on which buckets. After approval, apply for real; the apply is idempotent, so re-runs are safe. Since bucket policies attract well-meaning console edits, a scheduled dry-run acts as drift detection: any policy changed outside the file shows up as a diff to investigate.

Pro tip

After each export, grep the Policyfile for wildcard principals and s3:* actions. It turns an account-wide access audit into a few seconds of text search.

Capabilities

What Bukelatta can do

Whole-account policy export

Export mode walks every bucket and writes its policy into one DSL file. You get a complete access-policy inventory from a single command.

Policies as Ruby data, not console JSON

Each bucket block returns the policy as a Ruby hash. You can use variables, helpers, and requires to share common statements instead of copy-pasting JSON.

Dry-run diffs for security review

The dry-run shows which statements would be added, changed, or removed on which buckets. That is the evidence a reviewer needs before approving.

Idempotent apply

Applying an unchanged Policyfile does nothing. Bukelatta only calls the S3 API for buckets whose declared policy differs from the live one.

Targeted runs and split files

The --target regex restricts a run to matching bucket names. The --split option writes one file per bucket to keep reviews focused.

Concurrent API requests

The --request-concurrency option runs S3 calls in parallel. Exports and applies stay fast even in accounts with hundreds of buckets.

Bucket policies: by hand vs with Bukelatta
TaskIn the S3 consoleWith Bukelatta
See every policyOpen each bucket one by oneOne export to a Policyfile
Review a changeNo diff, no approval stepDiff in a pull request
HistoryNoneFull Git history
Repeat safelyManual and error-proneIdempotent apply
Spot driftNot possibleScheduled dry-run
In practice

When teams reach for Bukelatta

Audit bucket access across an account

One export gives you a greppable file of every bucket policy. Searching for wildcard principals or unknown account IDs takes seconds, not a click-through of each bucket's permissions tab.

Enforce review on risky changes

Opening a bucket to another account or a CDN origin deserves a second pair of eyes. With Bukelatta the change is a pull request with a dry-run diff, not a console edit found months later.

Standardize log and cross-account policies

Access-log buckets and cross-account shares often need near-identical policies. Because the DSL is Ruby, a helper can generate the shared statements and apply them to every matching bucket.

FAQ

Bukelatta questions, answered

Does Bukelatta manage the buckets themselves?
No. It manages only bucket policies, the resource-based policy documents attached to buckets. Bucket creation, lifecycle rules, versioning, and ACLs are out of scope, so it composes cleanly with whatever provisions your buckets.
What does the Policyfile look like?
Each bucket gets a bucket block whose body is the policy document written as a Ruby hash. Because it is plain Ruby, you can pull shared statements into methods or require other files to avoid repetition.
How do I limit which buckets a run touches?
Use --target with a regular expression to restrict the run to matching bucket names. Combined with --split exports, different teams can own the policies of their own buckets in separate files.
Is Bukelatta still maintained?
No. The GitHub repository is archived, with no activity since 2018. It stays a quick way to export and audit policies. For ongoing management of new infrastructure, Terraform's aws_s3_bucket_policy resource is the actively maintained alternative.
Why manage bucket policies as code at all?
Bucket policies control data exposure, and mistakes are a common cause of S3 leaks. Managing them as code gives you history, review, dry-run checks, and drift detection, the same safeguards you already use on application code.