Submitted URL: https://docs.aws.amazon.com/console/securityhub/S3.3/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html
Submission: On September 21 via api from IN — Scanned from DE
Amazon Simple Storage Service controls - AWS Security Hub User Guide

AMAZON SIMPLE STORAGE SERVICE CONTROLS

These controls are related to Amazon S3 resources. These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

Controls on this page:
* [S3.1] S3 Block Public Access setting should be enabled
* [S3.2] S3 buckets should prohibit public read access
* [S3.3] S3 buckets should prohibit public write access
* [S3.4] S3 buckets should have server-side encryption enabled
* [S3.5] S3 buckets should require requests to use Secure Socket Layer
* [S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
* [S3.7] S3 buckets should have cross-Region replication enabled
* [S3.8] S3 Block Public Access setting should be enabled at the bucket-level
* [S3.9] S3 bucket server access logging should be enabled
* [S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
* [S3.11] S3 buckets should have event notifications enabled
* [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
* [S3.13] S3 buckets should have lifecycle policies configured
* [S3.14] S3 buckets should use versioning
* [S3.15] S3 buckets should be configured to use Object Lock
* [S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
[S3.1] S3 BLOCK PUBLIC ACCESS SETTING SHOULD BE ENABLED

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, CIS AWS Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Medium
Resource type: AWS::::Account
AWS Config rule: s3-account-level-public-access-blocks-periodic
Schedule type: Periodic
Parameters:
* ignorePublicAcls: true
* blockPublicPolicy: true
* blockPublicAcls: true
* restrictPublicBuckets: true

This control checks whether the preceding Amazon S3 public access block settings are configured at the account level. The control fails if any of the settings are set to false, or if any of the settings are not configured.

Amazon S3 public access block is designed to provide controls across an entire AWS account or at the individual S3 bucket level to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. Unless you intend to have your S3 buckets be publicly accessible, you should configure the account-level Amazon S3 Block Public Access feature. To learn more, see Using Amazon S3 Block Public Access in the Amazon Simple Storage Service User Guide.

REMEDIATION
To enable Amazon S3 Block Public Access for your AWS account, see Configuring block public access settings for your account in the Amazon Simple Storage Service User Guide.
[S3.2] S3 BUCKETS SHOULD PROHIBIT PUBLIC READ ACCESS

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-public-read-prohibited
Schedule type: Periodic and change triggered
Parameters: None

This control checks whether your S3 buckets allow public read access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if an Amazon S3 bucket permits public read access.

Some use cases may require that everyone on the internet be able to read from your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly readable.

REMEDIATION
To block public read access on your Amazon S3 buckets, see Configuring block public access settings for your S3 buckets in the Amazon Simple Storage Service User Guide.
[S3.3] S3 BUCKETS SHOULD PROHIBIT PUBLIC WRITE ACCESS

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-public-write-prohibited
Schedule type: Periodic and change triggered
Parameters: None

This control checks whether your S3 buckets allow public write access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if an Amazon S3 bucket permits public write access.

Some use cases require that everyone on the internet be able to write to your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly writable.

REMEDIATION
To block public write access on your Amazon S3 buckets, see Configuring block public access settings for your S3 buckets in the Amazon Simple Storage Service User Guide.

[S3.4] S3 BUCKETS SHOULD HAVE SERVER-SIDE ENCRYPTION ENABLED

IMPORTANT: Security Hub will remove this control in September 2023. For more information, see Change log for Security Hub controls.
Related requirements: PCI DSS v3.2.1/3.4, CIS AWS Foundations Benchmark v1.4.0/2.1.1, NIST.800-53.r5 AU-9, NIST.800-53.r5 AU-9(2), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-server-side-encryption-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon S3 bucket either has server-side encryption (SSE-S3, SSE-KMS, or DSSE-KMS) enabled or has a bucket policy that explicitly denies PutObject requests without server-side encryption.

For an added layer of security for sensitive data in S3 buckets, you should configure your buckets with server-side encryption to protect your data at rest. Amazon S3 encrypts each object in the bucket with a unique key. As an additional safeguard, Amazon S3 encrypts the key itself with a root key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).

Unless you specify otherwise, S3 buckets use Amazon S3 managed keys (SSE-S3) by default for server-side encryption. For added control, such as managing key rotation and access policy grants, you can choose to use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or dual-layer server-side encryption with AWS KMS keys (DSSE-KMS).

REMEDIATION
Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. You can elect to use server-side encryption with AWS KMS keys (SSE-KMS), or dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). For instructions on electing one of these options, see Configuring default encryption in the Amazon Simple Storage Service User Guide.

[S3.5] S3 BUCKETS SHOULD REQUIRE REQUESTS TO USE SECURE SOCKET LAYER

Related requirements: PCI DSS v3.2.1/4.1, CIS AWS Foundations Benchmark v1.4.0/2.1.2, NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)
Category: Protect > Secure access management
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-ssl-requests-only
Schedule type: Change triggered
Parameters: None

This control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). S3 buckets should have policies that require all requests (Action: s3:*) to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport.

REMEDIATION
To update an Amazon S3 bucket policy to deny nonsecure transport, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide. Add a policy statement similar to the one in the following policy. Replace awsexamplebucket with the name of the bucket you're modifying.

    {
        "Id": "ExamplePolicy",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSSLRequestsOnly",
                "Action": "s3:*",
                "Effect": "Deny",
                "Resource": [
                    "arn:aws:s3:::awsexamplebucket",
                    "arn:aws:s3:::awsexamplebucket/*"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                },
                "Principal": "*"
            }
        ]
    }

For more information, see the Knowledge Center article What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?.
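The S3.5 check is a structural test on the bucket policy: the remediation above works only when the Deny statement covers every S3 action, both the bucket ARN and its objects, every principal, and the aws:SecureTransport condition. The following Python is an added example (not AWS code and not the implementation of the Config rule) that evaluates a policy document offline against exactly those elements, in the shape the page's own remediation uses, and appends the missing statement when the check fails. The policy `INCOMPLETE_POLICY` is a constructed sample that covers only objects, which is a common reason this control keeps failing; the bucket name `awsexamplebucket` is the page's placeholder.

```python
"""Evaluate an S3 bucket policy against Security Hub control S3.5
(AWS Config rule s3-bucket-ssl-requests-only) and remediate it.

Added example; mirrors the Deny statement from the control's remediation,
it is not the Config rule's own implementation.
"""
import json


def _as_list(value):
    """IAM allows scalars or lists in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _secure_transport_is_false(condition):
    """True if the Condition tests aws:SecureTransport == false.
    IAM accepts the boolean as a string ("false") or as a JSON boolean."""
    for operator in ("Bool", "BoolIfExists"):
        for key, value in condition.get(operator, {}).items():
            if key.lower() == "aws:securetransport":
                if [str(v).lower() for v in _as_list(value)] == ["false"]:
                    return True
    return False


def denies_insecure_transport(policy, bucket_name):
    """Return True if `policy` (dict or JSON string) contains a statement that
    denies all S3 actions on the bucket AND its objects over plain HTTP."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    wanted = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue  # must cover every S3 action
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # must apply to every principal
        resources = set(_as_list(stmt.get("Resource")))
        if not wanted <= resources and "*" not in resources:
            continue  # bucket-only or objects-only statements do not pass
        if _secure_transport_is_false(stmt.get("Condition", {})):
            return True
    return False


def ssl_only_statement(bucket_name):
    """The remediation statement from the control's documentation."""
    return {
        "Sid": "AllowSSLRequestsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket_name}",
                     f"arn:aws:s3:::{bucket_name}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def remediate(policy, bucket_name):
    """Return the policy unchanged if it passes, otherwise a copy with the
    SSL-only Deny statement appended."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    if denies_insecure_transport(policy, bucket_name):
        return policy
    fixed = json.loads(json.dumps(policy))  # deep copy
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [ssl_only_statement(bucket_name)]
    return fixed


# Constructed sample: the Deny covers only objects, so the control fails.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": False}},
    }],
}

if __name__ == "__main__":
    print("passes:", denies_insecure_transport(INCOMPLETE_POLICY, "awsexamplebucket"))
    print(json.dumps(remediate(INCOMPLETE_POLICY, "awsexamplebucket"), indent=2))
```

Run it and the first line prints False; the remediated policy then carries both the original objects-only statement and the full AllowSSLRequestsOnly statement, after which `denies_insecure_transport` returns True. The check deliberately accepts `"false"` and `false` for the condition value, since IAM treats both the same.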
[S3.6] S3 PERMISSIONS GRANTED TO OTHER AWS ACCOUNTS IN BUCKET POLICIES SHOULD BE RESTRICTED

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2
Category: Protect > Secure access management > Sensitive API operations actions restricted
Severity: High
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-blacklisted-actions-prohibited
Schedule type: Change triggered
Parameters:
* blacklistedactionpatterns: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl

This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. The control fails if the S3 bucket policy allows one or more of the preceding actions for a principal in another AWS account.

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker.

The blacklistedactionpatterns parameter allows for successful evaluation of the rule for S3 buckets. The rule still passes when external accounts are granted action patterns that are not included in the blacklistedactionpatterns list.

REMEDIATION
To update an Amazon S3 bucket policy to remove permissions, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide. On the Edit bucket policy page, in the policy editing text box, take one of the following actions:
* Remove the statements that grant other AWS accounts access to denied actions.
* Remove the permitted denied actions from the statements.
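What trips S3.6 in practice is rarely an explicit grant of s3:PutBucketPolicy to a partner account; it is a wildcard such as s3:Put* or s3:* in an Allow statement whose Principal points at another account. The following Python is an added example, not AWS code and not the Config rule's implementation, that approximates the rule's logic offline: it expands wildcard action patterns against the control's blacklistedactionpatterns list, resolves each Principal to the account ids it names, and reports every sensitive action granted to an account other than the bucket owner's. The `own_account_id` argument and the 12-digit account ids in `SAMPLE_POLICY` are constructed placeholders; NotPrincipal and NotAction statements are flagged for manual review rather than evaluated, because they grant broadly and a pattern match cannot tell what they exclude.

```python
"""Approximate Security Hub control S3.6 (AWS Config rule
s3-bucket-blacklisted-actions-prohibited): flag bucket-policy statements
that Allow principals in other AWS accounts to perform sensitive actions.

Added example; not the Config rule's implementation.
"""
from fnmatch import fnmatch
import re

# The control's blacklistedactionpatterns parameter, as listed on the page.
BLACKLISTED_ACTIONS = (
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:PutObjectAcl",
)

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM allows scalars or lists in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Map a Principal element to the set of AWS account ids it names.
    '*' (anyone) is kept as the literal "*"; service principals are ignored."""
    if principal == "*":
        return {"*"}
    accounts = set()
    if isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS")):
            if entry == "*":
                accounts.add("*")
            elif entry.isdigit() and len(entry) == 12:  # bare account id
                accounts.add(entry)
            else:
                match = _ACCOUNT_IN_ARN.match(entry)  # root/user/role ARN
                if match:
                    accounts.add(match.group(1))
    return accounts


def _matches_blacklist(action_pattern):
    """Policy actions may be wildcards (s3:Put*, s3:*); match case-insensitively."""
    pattern = action_pattern.lower()
    return [a for a in BLACKLISTED_ACTIONS if fnmatch(a.lower(), pattern)]


def find_external_sensitive_grants(policy, own_account_id):
    """Return (sid, external_account, sensitive_action) tuples, one per grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append((sid, "*", "NotPrincipal/NotAction: review manually"))
            continue
        external = {a for a in _principal_accounts(stmt.get("Principal"))
                    if a != own_account_id}
        if not external:
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in _matches_blacklist(pattern):
                for account in sorted(external):
                    findings.append((sid, account, action))
    return findings


def control_status(policy, own_account_id):
    """PASSED/FAILED as Security Hub would report it for this policy."""
    return "FAILED" if find_external_sensitive_grants(policy, own_account_id) else "PASSED"


# Constructed sample policy; 111111111111 is the (fictitious) bucket owner.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"]},
        {"Sid": "PartnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/deploy", "111111111111"]},
         "Action": "s3:Put*",
         "Resource": "arn:aws:s3:::awsexamplebucket"},
        {"Sid": "OwnerFull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::awsexamplebucket"},
    ],
}

if __name__ == "__main__":
    for finding in find_external_sensitive_grants(SAMPLE_POLICY, "111111111111"):
        print(finding)
    print(control_status(SAMPLE_POLICY, "111111111111"))
```

Against the sample, PartnerRead is clean, OwnerFull is ignored because it names only the owner, and PartnerAdmin produces four findings for account 222222222222 (the four Put* actions on the list), so the bucket is FAILED; trimming PartnerAdmin's Action to the specific Put operations the partner needs is the second remediation option the page lists.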
[S3.7] S3 BUCKETS SHOULD HAVE CROSS-REGION REPLICATION ENABLED

Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-36(2), NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Protect > Secure access management
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-replication-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon S3 bucket has cross-Region replication enabled. The control fails if an S3 bucket doesn't have cross-Region replication enabled.

Replication is the automatic, asynchronous copying of objects across buckets in the same or different AWS Regions. Replication copies newly created objects and object updates from a source bucket to a destination bucket or buckets. AWS best practices recommend replication for source and destination buckets that are owned by the same AWS account. In addition to availability, you should consider other systems hardening settings.

REMEDIATION
To enable Amazon S3 bucket replication, see Configuring replication for source and destination buckets owned by the same account in the Amazon Simple Storage Service User Guide. For Source bucket, choose Apply to all objects in the bucket.
[S3.8] S3 BLOCK PUBLIC ACCESS SETTING SHOULD BE ENABLED AT THE BUCKET-LEVEL

Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure access management > Access control
Severity: High
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-level-public-access-prohibited
Schedule type: Change triggered
Parameters:
* excludedPublicBuckets (Optional) – A comma-separated list of known allowed public S3 bucket names

This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails if any of the following settings are set to false:
* ignorePublicAcls
* blockPublicPolicy
* blockPublicAcls
* restrictPublicBuckets

Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both. Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket-level Amazon S3 Block Public Access feature.

REMEDIATION
For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.
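S3.1 (account level) and S3.8 (bucket level) apply the same four-setting test, and both fail on a setting that is merely absent, not only on one set to false, which is why a bucket with a partially written configuration still fails. The following Python is an added example, not AWS code, that evaluates both controls offline. It reads the four settings using the key names of the S3 GetPublicAccessBlock API response (`BlockPublicAcls`, `IgnorePublicAcls`, `BlockPublicPolicy`, `RestrictPublicBuckets`), treats a missing configuration the way the controls do, and honours the `excludedPublicBuckets` parameter of S3.8. The account configuration and the bucket names in `BUCKET_CONFIGS` are constructed samples; in a real check they would come from the account-level and bucket-level GetPublicAccessBlock calls.

```python
"""Evaluate S3 Block Public Access settings the way Security Hub controls
S3.1 (account level) and S3.8 (bucket level) describe them.

Added example, not AWS code. Key names follow the S3 GetPublicAccessBlock
API response (PublicAccessBlockConfiguration).
"""

REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def evaluate_public_access_block(config):
    """Return (status, reasons).

    `config` is the PublicAccessBlockConfiguration dict, or None when the API
    reported no configuration at all. The control fails if any of the four
    settings is False or not present.
    """
    if config is None:
        return "FAILED", ["no public access block configuration"]
    reasons = []
    for name in REQUIRED_SETTINGS:
        value = config.get(name)
        if value is None:
            reasons.append(f"{name} not configured")
        elif value is not True:
            reasons.append(f"{name} is {value!r}")
    return ("FAILED", reasons) if reasons else ("PASSED", [])


def evaluate_bucket_level(bucket_name, config, excluded_public_buckets=()):
    """S3.8: the same evaluation per bucket, honouring the control's optional
    excludedPublicBuckets parameter (known, intentionally public buckets)."""
    if bucket_name in excluded_public_buckets:
        return "PASSED", [f"{bucket_name} listed in excludedPublicBuckets"]
    return evaluate_public_access_block(config)


# Constructed sample inputs (no real account or buckets).
ACCOUNT_CONFIG = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}
BUCKET_CONFIGS = {
    "private-data": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                     "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "half-configured": {"BlockPublicAcls": True, "IgnorePublicAcls": False},
    "public-website": None,  # no configuration at all
}


def run_report(excluded=("public-website",)):
    """Evaluate the account (S3.1) and every bucket (S3.8); return {name: status}."""
    results = {"account": evaluate_public_access_block(ACCOUNT_CONFIG)[0]}
    for name, cfg in BUCKET_CONFIGS.items():
        results[name] = evaluate_bucket_level(name, cfg, excluded)[0]
    return results


if __name__ == "__main__":
    for name, status in run_report().items():
        print(f"{name}: {status}")
    print(evaluate_public_access_block(BUCKET_CONFIGS["half-configured"])[1])
```

The `half-configured` bucket yields three reasons (one setting false, two missing), which is the detail a finding should carry so the remediation is a single PutPublicAccessBlock with all four flags rather than a hunt for which one is off. Passing an empty `excluded` tuple makes `public-website` fail, which is what S3.8 reports when no exclusion list is configured.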
[S3.9] S3 BUCKET SERVER ACCESS LOGGING SHOULD BE ENABLED

Related requirements: NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-logging-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether server access logging is enabled for S3 buckets. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration. This control passes if server access logging is enabled.

The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.

Server access logging provides detailed records of requests made to a bucket. Server access logs can assist in security and access audits. For more information, see Security Best Practices for Amazon S3: Enable Amazon S3 server access logging.

REMEDIATION
To enable Amazon S3 server access logging, see Enabling Amazon S3 server access logging in the Amazon S3 User Guide.

[S3.10] S3 BUCKETS WITH VERSIONING ENABLED SHOULD HAVE LIFECYCLE POLICIES CONFIGURED

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-version-lifecycle-policy-check
Schedule type: Change triggered
Parameters: None

This control checks whether Amazon Simple Storage Service (Amazon S3) buckets with versioning enabled have a lifecycle policy configured.
This control fails if a lifecycle policy is not configured for the Amazon S3 bucket. It is recommended to configure lifecycle rules on your Amazon S3 bucket, as these rules help you define actions that you want Amazon S3 to take during an object's lifetime.

REMEDIATION
For more information on configuring lifecycle on an Amazon S3 bucket, see Setting lifecycle configuration on a bucket and Managing your storage lifecycle.

[S3.11] S3 BUCKETS SHOULD HAVE EVENT NOTIFICATIONS ENABLED

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(4)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-event-notifications-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether S3 Event Notifications are enabled on an Amazon S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket.

By enabling Event Notifications, you receive alerts on your Amazon S3 buckets when specific events occur. For example, you can be notified of object creation, object removal, and object restoration. These notifications can alert relevant teams to accidental or intentional modifications that may lead to unauthorized data access.

REMEDIATION
For information about detecting changes to S3 buckets and objects, see Amazon S3 Event Notifications in the Amazon S3 User Guide.

[S3.12] S3 ACCESS CONTROL LISTS (ACLS) SHOULD NOT BE USED TO MANAGE USER ACCESS TO BUCKETS

Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6
Category: Protect > Secure access management > Access control
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-acl-prohibited
Schedule type: Change triggered
Parameters: None

This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.
ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.

REMEDIATION
To pass this control, you should disable ACLs for your S3 buckets. For instructions, see Controlling ownership of objects and disabling ACLs for your bucket in the Amazon Simple Storage Service User Guide. To create an S3 bucket policy, see Adding a bucket policy by using the Amazon S3 console. To create an IAM user policy on an S3 bucket, see Controlling access to a bucket with user policies.

[S3.13] S3 BUCKETS SHOULD HAVE LIFECYCLE POLICIES CONFIGURED

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Protect > Data protection
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-lifecycle-policy-check
Schedule type: Change triggered
Parameters: None

This control checks if a lifecycle policy is configured for an Amazon S3 bucket. This control fails if a lifecycle policy is not configured for an S3 bucket.

Configuring lifecycle rules on your S3 bucket defines actions that you want S3 to take during an object's lifetime. For example, you can transition objects to another storage class, archive them, or delete them after a specified period of time.

REMEDIATION
For information about configuring lifecycle policies on an Amazon S3 bucket, see Setting lifecycle configuration on a bucket and Managing your storage lifecycle in the Amazon S3 User Guide.
[S3.14] S3 BUCKETS SHOULD USE VERSIONING

Category: Protect > Data protection > Data deletion protection
Related requirements: NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-versioning-enabled
Schedule type: Change triggered
Parameters: None

This control checks if your Amazon S3 buckets use versioning. The control fails if versioning is suspended for an S3 bucket.

Versioning keeps multiple variants of an object in the same S3 bucket. You can use versioning to preserve, retrieve, and restore earlier versions of an object stored in your S3 bucket. Versioning helps you recover from both unintended user actions and application failures.

TIP: As the number of objects increases in a bucket because of versioning, you can set up lifecycle policies to automatically archive or delete versioned objects based on rules. For more information, see Amazon S3 Lifecycle Management for Versioned Objects.

REMEDIATION
To use versioning on an S3 bucket, see Enabling versioning on buckets in the Amazon S3 User Guide.

[S3.15] S3 BUCKETS SHOULD BE CONFIGURED TO USE OBJECT LOCK

Category: Protect > Data protection > Data deletion protection
Related requirements: NIST.800-53.r5 CP-6(2)
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-default-lock-enabled
Schedule type: Change triggered
Parameters: None

This control checks if an Amazon S3 bucket has been configured to use Object Lock. The control fails if the S3 bucket isn't configured to use Object Lock.

You can use S3 Object Lock to store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects in S3 buckets from being deleted or overwritten for a fixed amount of time or indefinitely.
You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion.

REMEDIATION
To configure Object Lock for a new S3 bucket, see Using S3 Object Lock in the Amazon S3 User Guide. After creating a bucket, you can't change its Object Lock configuration. To configure Object Lock for an existing bucket, contact AWS Support.

[S3.17] S3 BUCKETS SHOULD BE ENCRYPTED AT REST WITH AWS KMS KEYS

Category: Protect > Data protection > Encryption of data at rest
Related requirements: NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6), NIST.800-53.r5 AU-9
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-default-encryption-kms
Schedule type: Change triggered
Parameters: None

This control checks if an Amazon S3 bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if an S3 bucket is encrypted with default encryption (SSE-S3).

Server-side encryption (SSE) is the encryption of data at its destination by the application or service that receives it. Unless you specify otherwise, S3 buckets use Amazon S3 managed keys (SSE-S3) by default for server-side encryption. However, for added control, you can choose to configure buckets to use server-side encryption with AWS KMS keys (SSE-KMS or DSSE-KMS) instead. Amazon S3 encrypts your data at the object level as it writes it to disks in AWS data centers and decrypts it for you when you access it.

REMEDIATION
To encrypt an S3 bucket using SSE-KMS, see Specifying server-side encryption with AWS KMS (SSE-KMS) in the Amazon S3 User Guide. To encrypt an S3 bucket using DSSE-KMS, see Specifying dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) in the Amazon S3 User Guide.