This document is a fictional (but realistic) controls review process for the ACME Payment Platform which is part of the equally fictional ACME Corp. It is designed to show how a controls review document (which could be imported through the Markup Editor Import Process) can be combined with live cloud service data in an attestation workflow.
If you are viewing this document without linking your AWS account, it displays realistic mock data from ACME Corp. If you log in and link your AWS test account, it shows a live view of the S3 and CloudTrail data from that account.
Logging in also enables the checkpoints for section attestation. Progress is saved to the user's profile, so they can leave to gather evidence from other systems and return to complete the attestation.
If you would like a demo of this with a live AWS demo environment please drop us an email at support@cloudsandlight.com.
This is the annual controls recertification process for the S3 Data Security Controls (ACME-DSC-S3-001) as applied to the application ACME Payment Platform (ACME-INV: 0076193).
This review is required to be completed annually by the service owner for the stated application.
This document defines the mandatory data security controls and standards for all Amazon S3 storage used within ACME Corporation's AWS environments. It forms part of the ACME Corp Data Security Controls and Standards framework (ACME-DSC-001) and must be applied to all applications that utilise S3 for data storage, transfer, or archival. Compliance with these controls is required for all production workloads and must be reviewed and attested annually by the responsible application owner.
S3 Security Controls
The following controls are mandatory for all Amazon S3 buckets within ACME Corporation AWS accounts. Controls are categorised by domain and each carries a severity classification. Non-compliance with any High severity control must be remediated within 14 days of discovery or an exception must be formally raised with the Cloud Security Team.
For any control breaks which are rated as Critical you should contact the ACME Infosec Helpdesk immediately to notify them of a Critical Control Failure. Failure to do this may result in disciplinary action.
For this review you are required to analyse the live data from your application and compare it with each control requirement. If you believe the evidence shows you are in compliance with a control, you must record this in that control's section.
For any control with which you are not in compliance, you must submit a Remediation Plan in the ACME Corp ServiceNow Portal within 5 days of the start of this review. The remediation plan must have an end date in line with the control severity.
Once the review is completed, an immutable copy of both the standards and the live S3 environment for the application "ACME Payment Platform (ACME-INV: 0076193)", together with the service owner's attestation of compliance with the standards, will be saved in the compliance audit vault. These documents are reviewed frequently and may be made available to external auditors and regulators.
ACME Corp S3 Standards
Document Reference: ACME-DSC-S3-001
Classification: Internal - Restricted
Current Version: 15 January 2026
Owner: Cloud Security Team
Revision History
Version | Date | Author | Summary | Reviewed By | Review Date | Change Type | Sections Modified
1.4 | 15 Jan 2026 | M. Fischer | Added GDPR cross-border data transfer controls for EU regions | K. Van der Berg | 10 Jan 2026 | Minor update | 2.4 Replication & Resilience, 2.5 Lifecycle
1.3 | 02 Aug 2025 | M. Fischer | Updated encryption requirements for KMS key rotation policy | S. Johansson | 28 Jul 2025 | Minor update | 2.3 Encryption Standards
1.2 | 18 Mar 2025 | S. Johansson | Annual review - added PII tagging requirement | M. Fischer | 12 Mar 2025 | Annual review | 2.2 Tagging Standards, 2.5 Lifecycle
1.1 | 22 Sep 2024 | M. Fischer | Added S3 Object Lock guidance for compliance buckets | K. Van der Berg | 18 Sep 2024 | Minor update | 2.5 Lifecycle & Retention
1.0 | 05 Feb 2024 | S. Johansson | First published version - approved for production use | M. Fischer, K. Van der Berg | 01 Feb 2024 | Initial release | All sections
0.9 | 12 Dec 2023 | S. Johansson | Final draft - submitted for approval | Cloud Security Board | 08 Dec 2023 | Final draft review | All sections
Annual Approval History
Approval Year | Approved By | Date | Version Approved | Approval Notes | Review Scope | Next Review Due | Status
2025 | Dr. H. Brandt, CISO | 22 Mar 2025 | 1.2 | Approved with new PII tagging requirement. All applications must comply by 30 Jun 2025. | Full annual review | March 2026 | Current
2024 | Dr. H. Brandt, CISO | 15 Feb 2024 | 1.0 | Initial production approval. Replaces interim S3 guidelines (ACME-TMP-S3-2023). | | |
Management System Tags Must be set for Every S3 Bucket
Ref | Control | Severity | Verification
TG-02 | All buckets must have a ManagedBy tag of either terraform or ACME-CodeBuild unless the application is explicitly tagged as a "sandbox" application with an Environment tag of "Development" | Critical | Check bucket tags in discovery view
Current S3 Tags for ACME Payment Platform
If you believe the application "ACME Payment Platform" (ACME-INV: 0076193) is in compliance with this control you may record this below. If you believe it is not, or you don't have enough information, you should follow the process at the start of this document based on the control severity.
The application "ACME Payment Platform" is in Compliance with Data Protection Control TG-02
Before proceeding, confirm the following:
I have enough information to attest to compliance, either from this portal or with additional research
All S3 buckets have a ManagedBy tag value present
If the application has an Application tag set to "sandbox" and an Environment tag set to "Development" it is excluded from this control.
All other S3 buckets have a ManagedBy tag set to either terraform or ACME-CodeBuild
Data Classification Tags Must be set for Every S3 Bucket
Ref | Control | Severity | Verification
TG-01 | All buckets must have a data-classification tag with one of the following values: public, internal, confidential, or highly-confidential. | Critical | Check bucket tags in discovery view
Current S3 Tags for ACME Payment Platform
If you believe the application "ACME Payment Platform (ACME-INV: 0076193)" is in compliance with this control you may record this below. If you believe it is not, or you don't have enough information, you should follow the process at the start of this document based on the control severity.
The application "ACME Payment Platform" is in Compliance with Data Protection Control TG-01
Before proceeding, confirm the following:
I have enough information to attest to compliance, either from this portal or with additional research
All S3 buckets have a data-classification tag with one of the following values: public, internal, confidential, or highly-confidential
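To show how the two tagging controls above (TG-02 and TG-01) can be evaluated against the tag data the discovery view presents, here is an added example; it is not part of the ACME review or the portal's own code. It works on the dict shape boto3's get_bucket_tagging() returns, the bucket names and tags are constructed, and it assumes tag values are matched exactly as written in the controls (S3 tag values are case-sensitive).

```python
"""ACME tagging controls TG-02 and TG-01 evaluated over S3 bucket tag sets.
Input is the shape of boto3 get_bucket_tagging() ({"TagSet": [{"Key":..,"Value":..}]});
every bucket and tag below is constructed sample data, not live ACME data."""

MANAGED_BY_ALLOWED = {"terraform", "ACME-CodeBuild"}  # TG-02 values as written
CLASSIFICATIONS = {"public", "internal", "confidential", "highly-confidential"}  # TG-01

# Constructed sample: bucket name -> get_bucket_tagging() response.
SAMPLE_BUCKETS = {
    "acme-payments-ledger-prod": {"TagSet": [
        {"Key": "ManagedBy", "Value": "terraform"},
        {"Key": "data-classification", "Value": "highly-confidential"},
        {"Key": "Application", "Value": "payments"},
        {"Key": "Environment", "Value": "Production"}]},
    "acme-payments-scratch-dev": {"TagSet": [        # sandbox exemption, no ManagedBy
        {"Key": "Application", "Value": "sandbox"},
        {"Key": "Environment", "Value": "Development"},
        {"Key": "data-classification", "Value": "internal"}]},
    "acme-payments-reports": {"TagSet": [            # wrong case and unknown classification
        {"Key": "ManagedBy", "Value": "Terraform"},
        {"Key": "data-classification", "Value": "secret"}]},
}

def tags_as_dict(tagging):
    """Flatten a get_bucket_tagging() response into {key: value}."""
    return {t["Key"]: t["Value"] for t in tagging.get("TagSet", [])}

def check_tg02(tags):
    """TG-02: sandbox/Development buckets are exempt; others need an approved ManagedBy.
    Assumption: values are compared exactly, since S3 tag values are case-sensitive."""
    if tags.get("Application") == "sandbox" and tags.get("Environment") == "Development":
        return "exempt"
    return "pass" if tags.get("ManagedBy") in MANAGED_BY_ALLOWED else "fail"

def check_tg01(tags):
    """TG-01: data-classification must be one of the four approved values."""
    return "pass" if tags.get("data-classification") in CLASSIFICATIONS else "fail"

def evaluate(buckets):
    """{bucket: {"TG-02": result, "TG-01": result}} for every bucket supplied."""
    return {name: {"TG-02": check_tg02(tags_as_dict(tagging)),
                   "TG-01": check_tg01(tags_as_dict(tagging))}
            for name, tagging in buckets.items()}

def critical_failures(results):
    """Both controls are Critical: (bucket, control) pairs to report to the Infosec Helpdesk."""
    return sorted((b, c) for b, r in results.items() for c, v in r.items() if v == "fail")
```

A bucket with no tags at all (boto3 raises NoSuchTagSet) should be fed in as {"TagSet": []}, which fails both controls unless exempt.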
Public Access to S3 Must Be Disabled
Ref | Control | Severity | Verification
AC-01 | No S3 bucket shall have public access enabled. The S3 Block Public Access settings must be enabled at both the account level and the individual bucket level. | Critical | Check bucket policy and Block Public Access settings
Current S3 Public Access Configuration for ACME Payment Platform
If you believe the application "ACME Payment Platform (ACME-INV: 0076193)" is in compliance with this control you may record this below. If you believe it is not, or you don't have enough information, you should follow the process at the start of this document based on the control severity.
The application "ACME Payment Platform" is in Compliance with Data Protection Control AC-01
Before proceeding, confirm the following:
I have enough information to attest to compliance, either from this portal or with additional research
All public access to all S3 buckets in scope for this application is blocked.
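AC-01 requires Block Public Access at both the account and the bucket level, and the verification step also names the bucket policy. The added example below (not part of the ACME review or the portal's own code) evaluates all three from the response shapes boto3's get_public_access_block() and get_bucket_policy() return; the account and bucket data are constructed, and a bucket with no block configuration at all is modelled as None.

```python
"""ACME control AC-01: S3 Block Public Access at account and bucket level, plus bucket policy.
Shapes follow boto3 get_public_access_block() and get_bucket_policy(); all samples are constructed."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_ON = {flag: True for flag in PAB_FLAGS}
ACCOUNT_PAB = {"PublicAccessBlockConfiguration": dict(ALL_ON)}  # constructed account-level setting

# Constructed buckets; pab=None models boto3's NoSuchPublicAccessBlockConfiguration error.
SAMPLE_BUCKETS = {
    "acme-payments-ledger-prod": {"pab": {"PublicAccessBlockConfiguration": dict(ALL_ON)}, "policy": None},
    "acme-payments-static-assets": {
        "pab": {"PublicAccessBlockConfiguration": {**ALL_ON, "BlockPublicPolicy": False}},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::acme-payments-static-assets/*"}]})},
    "acme-payments-reports": {"pab": None, "policy": None},
}

def pab_fully_enabled(response):
    """All four flags must be True; a missing configuration counts as not enabled."""
    if response is None:
        return False
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)

def policy_grants_public(policy_json):
    """True if an Allow statement uses the wildcard principal (Condition keys are not evaluated)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if stmt.get("Effect") == "Allow" and principal == "*":
            return True
    return False

def check_ac01(account_pab, buckets):
    """{bucket: [findings]}; an empty list means the bucket passes AC-01."""
    account_findings = [] if pab_fully_enabled(account_pab) else ["account-level Block Public Access incomplete"]
    results = {}
    for name, data in buckets.items():
        findings = list(account_findings)
        if not pab_fully_enabled(data["pab"]):
            findings.append("bucket-level Block Public Access incomplete")
        if policy_grants_public(data["policy"]):
            findings.append("bucket policy contains a public Allow statement")
        results[name] = findings
    return results
```

Because the account-level setting applies to every bucket, one incomplete account configuration produces a finding on all buckets, which is the behaviour the control's "both levels" wording calls for.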
CloudTrail Logging Must be Enabled for All S3 Buckets
Ref | Control | Severity | Verification
LG-02 | CloudTrail data events for S3 must be enabled for all buckets containing restricted or highly-restricted data. | High | Check CloudTrail configuration
Current CloudTrail Logs Configuration for ACME Payment Platform
If you believe the application "ACME Payment Platform (ACME-INV: 0076193)" is in compliance with this control you may record this below. If you believe it is not, or you don't have enough information, you should follow the process at the start of this document based on the control severity.
The application "ACME Payment Platform" is in Compliance with Data Protection Control LG-02
Before proceeding, confirm the following:
I have enough information to attest to compliance, either from this portal or with additional research
CloudTrail data events are enabled for all buckets containing restricted or highly-restricted data
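Whether a trail actually covers a given bucket depends on its event selectors, and a selector that logs only reads or only writes, or only an object prefix, does not give the full coverage LG-02 asks for. The added example below (not part of the ACME review or the portal's own code) checks both basic and advanced selectors in the shape boto3's cloudtrail.get_event_selectors() returns; the buckets and trails are constructed, the in-scope classification values are those named in LG-02, and it assumes the control needs both reads and writes logged.

```python
"""ACME control LG-02: are CloudTrail S3 data events enabled for restricted buckets?
Selector shapes follow boto3 cloudtrail.get_event_selectors(); all samples are constructed."""

IN_SCOPE = {"restricted", "highly-restricted"}  # classification values named in LG-02

# Constructed bucket -> data-classification tag value.
SAMPLE_BUCKETS = {"acme-payments-ledger-prod": "highly-restricted",
                  "acme-payments-kyc-docs": "restricted",
                  "acme-payments-static-assets": "public"}

# Constructed trails: a basic selector covering one bucket, and an advanced selector
# that logs only writes (readOnly=false) for the kyc bucket, which is not full coverage.
SAMPLE_TRAILS = [
    {"TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/acme-ledger",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": [{"Type": "AWS::S3::Object",
                                            "Values": ["arn:aws:s3:::acme-payments-ledger-prod/"]}]}]},
    {"TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/acme-kyc-writes",
     "AdvancedEventSelectors": [{"Name": "kyc writes", "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
         {"Field": "readOnly", "Equals": ["false"]},
         {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::acme-payments-kyc"]}]}]},
]

def arn_covers(bucket, prefixes):
    """arn:aws:s3 (every bucket) or a prefix of the bucket's object ARN covers the whole bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    return any(p in ("arn:aws:s3", "arn:aws:s3:::") or bucket_arn.startswith(p) for p in prefixes)

def basic_covers(sel, bucket):
    """Assumption: the control needs reads and writes logged, so ReadWriteType must be All."""
    return sel.get("ReadWriteType") == "All" and any(
        r["Type"] == "AWS::S3::Object" and arn_covers(bucket, r["Values"])
        for r in sel.get("DataResources", []))

def advanced_covers(sel, bucket):
    """S3 object data events with no readOnly filter; no resources.ARN field means every bucket."""
    f = {fs["Field"]: fs for fs in sel.get("FieldSelectors", [])}
    if (f.get("eventCategory", {}).get("Equals") != ["Data"]
            or f.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"] or "readOnly" in f):
        return False
    return "resources.ARN" not in f or arn_covers(bucket, f["resources.ARN"].get("StartsWith", []))

def check_lg02(buckets, trails):
    """{bucket: covered} for in-scope buckets; False is a High-severity control break."""
    return {b: any(any(basic_covers(s, b) for s in t.get("EventSelectors", []))
                   or any(advanced_covers(s, b) for s in t.get("AdvancedEventSelectors", []))
                   for t in trails)
            for b, c in buckets.items() if c in IN_SCOPE}
```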
End of Review
Thank you; you have now reached the end of the annual S3 Security Controls Review for the application ACME Payment Platform (ACME-INV: 0076193).
If you were unable to attest to compliance with any of the above controls you must follow the process at the start of this document and either raise a remediation plan or, in the event of non-compliance with a Critical control, raise a critical incident. There are no consequences for raising a control break at this stage as long as the correct processes are followed to report and remediate within the appropriate time.
If you have confirmed the application's compliance with all the controls in the scope of this review, please check the final checkpoint below. Please note that submitting incorrect information or failing to raise concerns about control breaks may carry consequences up to and including dismissal. If in doubt, raise a ServiceNow request with the compliance team or Cloud Infosec.
The application "ACME Payment Platform" is in Compliance with the S3 Data Security Controls (ACME-DSC-S3-001)
Before proceeding, confirm the following:
I have enough information to attest to compliance, either from this portal or with additional research
All my answers are correct based on the information I have been presented with or through additional research.
I understand my responsibilities in providing accurate information and the processes for reporting any gaps in control implementation
Once you have selected every checkpoint, a copy of this document and your application's S3 and CloudTrail configuration at this point in time will be saved to an immutable object store and digitally signed to prevent modification. It will be reviewed and may be requested by external auditors or regulators as evidence of control implementation.