Knowledge Base ID: ESF2XDBWJO
Data Source: QXVPPPIQ3V
Source Location: s3://s3bucketcreatekb-318738250240-us-east-1/kb/
Knowledge files
Document preview

s3_bucket_standards.md

# S3 Bucket Creation Standards

These standards apply to guided S3 bucket creation requests handled by the AgentCore chat workflow.

## Mandatory Controls

- Block all public access by default.
- Enable versioning for every bucket.
- Enable server-side encryption for every bucket.
- Use `SSE-S3` by default.
- Use `SSE-KMS` when the requester explicitly asks for customer-managed encryption or when the data classification is `restricted`.
- Require a meaningful owner or team name.
- Require a short business purpose for the bucket.

## Validation Rules

- Bucket names must use lowercase letters, numbers, dots, and hyphens only.
- Bucket names must be between 3 and 63 characters.
- Bucket names must not look like an IPv4 address.
- Public access requests should be rejected in the default workflow unless there is a separately approved static website exception.
- Versioning must remain enabled.

## Recommended Defaults

- Region should be one of the organization-approved regions.
- Use tags for `ManagedBy`, `Environment`, `Purpose`, `DataClassification`, and `Owner`.
- Prefer `us-east-1` unless the requester provides a compliant region requirement.

## Approval Guidance

- If public access is requested, ask the user to correct the request and keep the bucket private.
- If `SSE-KMS` is selected, require a valid KMS key id or alias before creation.
- Before execution, summarize the final request and require explicit user confirmation.

## Response Format Guidance

- Confirm the final bucket name and region.
- Return the bucket ARN after successful creation.
- In dry-run mode, clearly say the bucket would be created and include the predicted ARN.
To edit and republish this Knowledge Base, update the local `kb/` files and run `py -3.12 .\tools\publish_s3_bucket_kb.py`.
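The Mandatory Controls, Validation Rules and the `SSE-KMS` approval rule above can be enforced as a pre-creation check that runs before any AWS call. The following is an added example, not code from this project: the request field names (`bucket_name`, `public_access`, `versioning`, `encryption`, `kms_key`, `data_classification`, `owner`, `purpose`) are an assumed schema, and it covers only the rules listed in this document.

```python
import re

# Character set and length limits from the Validation Rules. fullmatch() is used
# so a trailing newline or extra text cannot slip past an anchored pattern.
NAME_RE = re.compile(r"[a-z0-9.-]{3,63}")
IPV4_LIKE_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def validate_request(req: dict) -> list[str]:
    """Return every standards violation in a bucket request (empty list = compliant)."""
    errors = []
    name = req.get("bucket_name", "")
    if not NAME_RE.fullmatch(name):
        errors.append("bucket_name: 3-63 chars of lowercase letters, numbers, dots, hyphens")
    if IPV4_LIKE_RE.fullmatch(name):
        errors.append("bucket_name: must not look like an IPv4 address")
    # Default workflow: public access is rejected; exceptions are approved elsewhere.
    if req.get("public_access"):
        errors.append("public_access: rejected, keep the bucket private")
    if req.get("versioning", True) is not True:
        errors.append("versioning: must remain enabled")
    # SSE-S3 is the default; restricted data must use SSE-KMS with a key id or alias.
    enc = req.get("encryption", "SSE-S3")
    if enc not in ("SSE-S3", "SSE-KMS"):
        errors.append("encryption: must be SSE-S3 or SSE-KMS")
    if req.get("data_classification") == "restricted" and enc != "SSE-KMS":
        errors.append("encryption: restricted data requires SSE-KMS")
    if enc == "SSE-KMS" and not req.get("kms_key"):
        errors.append("kms_key: key id or alias required for SSE-KMS")
    for field in ("owner", "purpose"):
        if not str(req.get(field, "")).strip():
            errors.append(f"{field}: required")
    return errors


if __name__ == "__main__":
    # Constructed sample requests, not real buckets.
    samples = [
        {"bucket_name": "team-logs-prod", "owner": "platform", "purpose": "app logs"},
        {"bucket_name": "192.168.1.10", "public_access": True, "versioning": False,
         "data_classification": "restricted", "owner": " ", "purpose": "scratch"},
    ]
    for s in samples:
        print(s["bucket_name"], "->", validate_request(s) or "compliant")
```

Returning all violations at once, rather than stopping at the first, lets the chat workflow ask the user to correct the whole request in one turn before the confirmation step.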