Submitted URL: https://docs.aws.amazon.com/console/securityhub/S3.3/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html
Submission: On September 21 via api from IN — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

SELECT YOUR COOKIE PREFERENCES

We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”

Accept all cookiesContinue without acceptingCustomize cookies


CUSTOMIZE COOKIE PREFERENCES

We use cookies and similar tools (collectively, "cookies") for the following
purposes.


ESSENTIAL

Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.




PERFORMANCE

Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.

Allow performance category
Allowed


FUNCTIONAL

Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.

Allow functional category
Allowed


ADVERTISING

Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.

Allow advertising category
Allowed

Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.

CancelSave preferences




UNABLE TO SAVE COOKIE PREFERENCES

We will only store essential cookies at this time, because we were unable to
save your cookie preferences.

If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.

Dismiss


Contact Us
English


Create an AWS Account
 1. AWS
 2. ...
    
    
 3. Documentation
 4. AWS Security Hub
 5. User Guide

Feedback
Preferences


AWS SECURITY HUB


USER GUIDE

 * What is AWS Security Hub?
 * Terminology and concepts
 * Prerequisites and recommendations
    * Using Organizations
    * Enabling AWS Config

 * Setting up Security Hub
    * Enabling Security Hub manually

 * Managing accounts
    * Effects of an administrator-member relationship
    * Restrictions and recommendations
    * Making the transition to Organizations
    * Allowed actions for accounts
    * Designating a Security Hub administrator account
    * Managing organization member accounts
       * Enabling new accounts automatically
       * Enabling member accounts
       * Disassociating member accounts
   
    * Managing member accounts by invitation
       * Adding and inviting member accounts
       * Responding to an invitation
       * Disassociating member accounts
       * Deleting member accounts
       * Disassociating from your administrator account
   
    * Effect of account actions on Security Hub data

 * Cross-Region aggregation
    * How cross-Region aggregation works
    * Viewing the current configuration
    * Enabling cross-Region aggregation
    * Updating the configuration
    * Stopping cross-Region aggregation

 * Findings
    * Creating and updating findings
       * Using BatchImportFindings
       * Using BatchUpdateFindings
   
    * Viewing a cross-Region finding summary
    * Viewing finding lists and details
       * Filtering and grouping findings (console)
       * Viewing finding details
   
    * Taking action on findings
       * Setting the workflow status of findings
       * Sending findings to a custom action
   
    * Finding format
       * ASFF syntax
       * Consolidation and ASFF
       * ASFF examples
          * Required attributes
          * Optional top-level attributes
          * Resources
             * Resource attributes
             * AwsAmazonMQ
             * AwsApiGateway
             * AwsAppSync
             * AwsAthena
             * AwsAutoScaling
             * AwsBackup
             * AwsCertificateManager
             * AwsCloudFormation
             * AwsCloudFront
             * AwsCloudTrail
             * AwsCloudWatch
             * AwsCodeBuild
             * AwsDynamoDB
             * AwsEc2
             * AwsEcr
             * AwsEcs
             * AwsEfs
             * AwsEks
             * AwsElasticBeanstalk
             * AwsElasticSearch
             * AwsElb
             * AwsEventBridge
             * AwsGuardDuty
             * AwsIam
             * AwsKinesis
             * AwsKms
             * AwsLambda
             * AwsNetworkFirewall
             * AwsOpenSearchService
             * AwsRds
             * AwsRedshift
             * AwsS3
             * AwsSageMaker
             * AwsSecretsManager
             * AwsSns
             * AwsSqs
             * AwsSsm
             * AwsStepFunctions
             * AwsWaf
             * AwsXray
             * Container
             * Other

 * Insights
    * Viewing and filtering the list of insights
    * Viewing insight results and findings
    * Managed insights
    * Custom insights

 * Automations
    * Automation rules
    * Automated response and remediation
       * Types of EventBridge integration
       * EventBridge event formats
       * Configuring a rule for automatically sent findings
       * Configuring and using custom actions

 * Product integrations
    * Managing product integrations
    * AWS service integrations
    * Third-party product integrations
    * Using custom product integrations

 * Standards and controls
    * IAM permissions for standards and controls
    * Security checks and scores
       * AWS Config rules and security checks
       * Required AWS Config resources for control findings
       * Schedule for running security checks
       * Generating and updating control findings
       * Determining the control status
       * Determining security scores
   
    * Standards reference
       * AWS FSBP
       * CIS AWS Foundations Benchmark v1.2.0 and v1.4.0
       * NIST SP 800-53 Rev. 5
       * PCI DSS
       * Service-managed standards
          * Service-Managed Standard: AWS Control Tower
   
    * Viewing and managing security standards
       * Enabling and disabling standards
       * Viewing details for a standard
       * Enabling and disabling controls in specific standards
   
    * Controls reference
       * AWS account controls
       * AWS Certificate Manager controls
       * API Gateway controls
       * AWS AppSync controls
       * Athena controls
       * CloudFormation controls
       * CloudFront controls
       * CloudTrail controls
       * CloudWatch controls
       * CodeBuild controls
       * AWS Config controls
       * AWS DMS controls
       * Amazon DocumentDB controls
       * DynamoDB controls
       * Amazon ECR controls
       * Amazon ECS controls
       * Amazon EC2 controls
       * Amazon EC2 Auto Scaling controls
       * Amazon EC2 Systems Manager controls
       * Amazon EFS controls
       * Amazon EKS controls
       * ElastiCache controls
       * Elastic Beanstalk controls
       * Elastic Load Balancing controls
       * Amazon EMR controls
       * Elasticsearch controls
       * GuardDuty controls
       * IAM controls
       * Kinesis controls
       * AWS KMS controls
       * Lambda controls
       * Neptune controls
       * Network Firewall controls
       * OpenSearch Service controls
       * Amazon RDS controls
       * Amazon Redshift controls
       * Amazon S3 controls
       * SageMaker controls
       * Secrets Manager controls
       * Amazon SNS controls
       * Amazon SQS controls
       * Step Functions controls
       * AWS WAF controls
   
    * Viewing and managing security controls
       * Control categories
       * Enabling and disabling controls in all standards
       * Enabling new controls in enabled standards automatically
       * Controls that you might want to disable
       * Viewing details for a control
       * Filtering and sorting controls
       * Viewing and taking action on control findings
          * Viewing finding and resource details
          * Sample control findings
          * Filtering and sorting findings
          * Taking action on control findings

 * Creating resources with CloudFormation
 * Subscribing to Security Hub announcements
 * Security
    * Data protection
    * AWS Identity and Access Management
       * How AWS Security Hub works with IAM
   
    * Using service-linked roles
    * AWS managed policies
    * Compliance validation
    * Infrastructure security
    * VPC endpoints (AWS PrivateLink)

 * Logging API calls
 * Quotas
 * Regional limits
 * Disabling Security Hub
 * Controls change log
 * Document history

Amazon Simple Storage Service controls - AWS Security Hub

AMAZON SIMPLE STORAGE SERVICE CONTROLS

These controls are related to Amazon S3 resources.

These controls may not be available in all AWS Regions. For more information,
see Availability of controls by Region.


[S3.1] S3 BLOCK PUBLIC ACCESS SETTING SHOULD BE ENABLED

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS
v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, CIS AWS Foundations
Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3,
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::::Account

AWS Config rule: s3-account-level-public-access-blocks-periodic

Schedule type: Periodic

Parameters:

 * ignorePublicAcls: true

 * blockPublicPolicy: true

 * blockPublicAcls: true

 * restrictPublicBuckets: true

This control checks whether the preceding Amazon S3 public access block settings
are configured at the account level. The control fails if any of the settings
are set to false, or if any of the settings are not configured.

Amazon S3 public access block is designed to provide controls across an entire
AWS account or at the individual S3 bucket level to ensure that objects never
have public access. Public access is granted to buckets and objects through
access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets be publicly accessible, you should
configure the account level Amazon S3 Block Public Access feature.

To learn more, see Using Amazon S3 Block Public Access in the Amazon Simple
Storage Service User Guide.


REMEDIATION

To enable Amazon S3 Block Public Access for your AWS account, see Configuring
block public access settings for your account in the Amazon Simple Storage
Service User Guide.


[S3.2] S3 BUCKETS SHOULD PROHIBIT PUBLIC READ ACCESS

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS
v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21,
NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5
AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: Critical

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-public-read-prohibited

Schedule type: Periodic and change triggered

Parameters: None

This control checks whether your S3 buckets allow public read access. It
evaluates the block public access settings, the bucket policy, and the bucket
access control list (ACL). The control fails if an Amazon S3 bucket permits
public read access.

Some use cases may require that everyone on the internet be able to read from
your S3 bucket. However, those situations are rare. To ensure the integrity and
security of your data, your S3 bucket should not be publicly readable.


REMEDIATION

To block public read access on your Amazon S3 buckets, see Configuring block
public access settings for your S3 buckets in the Amazon Simple Storage Service
User Guide.


[S3.3] S3 BUCKETS SHOULD PROHIBIT PUBLIC WRITE ACCESS

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS
v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1,
NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7),
NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: Critical

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-public-write-prohibited

Schedule type: Periodic and change triggered

Parameters: None

This control checks whether your S3 buckets allow public write access. It
evaluates the block public access settings, the bucket policy, and the bucket
access control list (ACL). The control fails if an Amazon S3 bucket permits
public write access.

Some use cases require that everyone on the internet be able to write to your S3
bucket. However, those situations are rare. To ensure the integrity and security
of your data, your S3 bucket should not be publicly writable.


REMEDIATION

To block public write access on your Amazon S3 buckets, see Configuring block
public access settings for your S3 buckets in the Amazon Simple Storage Service
User Guide.


[S3.4] S3 BUCKETS SHOULD HAVE SERVER-SIDE ENCRYPTION ENABLED

IMPORTANT

Security Hub will remove this control in September 2023. For more information,
see Change log for Security Hub controls.

Related requirements: PCI DSS v3.2.1/3.4, CIS AWS Foundations Benchmark
v1.4.0/2.1.1, NIST.800-53.r5 AU-9, NIST.800-53.r5 AU-9(2), NIST.800-53.r5
AU-9(7), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13,
NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10),
NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-server-side-encryption-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon S3 bucket either has server-side
encryption (SSE-S3, SSE-KMS, or DSSE-KMS) enabled or that the S3 bucket policy
explicitly denies PutObject requests without server-side encryption.

For an added layer of security for sensitive data in S3 buckets, you should
configure your buckets with server-side encryption to protect your data at rest.
Amazon S3 encrypts each object in the bucket with a unique key. As an additional
safeguard, Amazon S3 encrypts the key itself with a root key that it rotates
regularly. Amazon S3 server-side encryption uses one of the strongest block
ciphers available to encrypt your data, 256-bit Advanced Encryption Standard
(AES-256). Unless you specify otherwise, S3 buckets use Amazon S3 managed keys
(SSE-S3) by default for server-side encryption. For added control, such as
managing key rotation and access policy grants, you can choose to use
server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
or dual-layer server side encryption with AWS KMS keys (DSSE-KMS).


REMEDIATION

Amazon S3 now applies server-side encryption with Amazon S3 managed keys
(SSE-S3) as the base level of encryption for every bucket in Amazon S3. You can
elect to use server-side encryption with AWS KMS keys (SSE-KMS), or dual-layer
server-side encryption with AWS KMS keys (DSSE-KMS). For instructions on
electing one of these options, see Configuring default encryption in the Amazon
Simple Storage Service User Guide.


[S3.5] S3 BUCKETS SHOULD REQUIRE REQUESTS TO USE SECURE SOCKET LAYER

Related requirements: PCI DSS v3.2.1/4.1, CIS AWS Foundations Benchmark
v1.4.0/2.1.2, NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5
IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23,
NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8,
NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)

Category: Protect > Secure access management

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-ssl-requests-only

Schedule type: Change triggered

Parameters: None

This control checks whether S3 buckets have policies that require requests to
use Secure Socket Layer (SSL).

S3 buckets should have policies that require all requests (Action: S3:*) to only
accept transmission of data over HTTPS in the S3 resource policy, indicated by
the condition key aws:SecureTransport.


REMEDIATION

To update an Amazon S3 bucket policy to deny nonsecure transport, see Adding a
bucket policy by using the Amazon S3 console in the Amazon Simple Storage
Service User Guide.

Add a policy statement similar to the one in the following policy. Replace
awsexamplebucket with the name of the bucket you're modifying.

{
    "Id": "ExamplePolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket",
                "arn:aws:s3:::awsexamplebucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            },
            "Principal": "*"
        }
    ]
}

For more information, see the Knowledge Center article What S3 bucket policy
should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?.
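The following is an added example, not AWS code and not the s3-bucket-ssl-requests-only rule's implementation: an offline checker that evaluates a bucket policy document against the conditions described above (a Deny for every principal, all S3 actions, both the bucket ARN and its objects, conditioned on aws:SecureTransport being false). The sample policies and the bucket name awsexamplebucket are constructed for the illustration, and the second policy shows the common mistake of denying plaintext access to objects only.

```python
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM policy grammar allows a scalar or a list for Action, Resource, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """Only "*" or {"AWS": "*"} cover every requester, which the Deny must do."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _only_denies_insecure_transport(condition: Any) -> bool:
    """The Condition must be exactly Bool aws:SecureTransport == false; any extra
    condition key would narrow the Deny and leave some plaintext requests allowed."""
    if not isinstance(condition, dict) or set(condition) != {"Bool"}:
        return False
    bool_block = condition["Bool"]
    if not isinstance(bool_block, dict) or set(bool_block) != {"aws:SecureTransport"}:
        return False
    # AWS accepts the JSON boolean false and the string "false".
    return str(bool_block["aws:SecureTransport"]).lower() == "false"


def requires_ssl(policy_json: str, bucket: str) -> bool:
    """True if some Deny statement blocks plaintext requests for every principal,
    every S3 action, and both the bucket ARN and its objects (bucket/*)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        # Action names are case-insensitive in IAM, so "S3:*" counts too.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("*", "s3:*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        if bucket_arn not in resources or f"{bucket_arn}/*" not in resources:
            continue
        if _only_denies_insecure_transport(stmt.get("Condition")):
            return True
    return False


# Constructed sample policies for the illustration (not from a real account).
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSSLRequestsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Common mistake: the Deny names only the objects, so bucket-level plaintext
# requests (ListBucket, GetBucketPolicy, ...) are still permitted.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSSLRequestsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


if __name__ == "__main__":
    print("compliant:", requires_ssl(COMPLIANT_POLICY, "awsexamplebucket"))        # True
    print("objects only:", requires_ssl(OBJECTS_ONLY_POLICY, "awsexamplebucket"))  # False
```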


[S3.6] S3 PERMISSIONS GRANTED TO OTHER AWS ACCOUNTS IN BUCKET POLICIES SHOULD BE
RESTRICTED

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure access management > Sensitive API operations actions
restricted

Severity: High

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-blacklisted-actions-prohibited

Schedule type: Change triggered

Parameters:

 * blacklistedactionpatterns: s3:DeleteBucketPolicy, s3:PutBucketAcl,
   s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl

This control checks whether the S3 bucket policy prevents principals from other
AWS accounts from performing denied actions on resources in the S3 bucket. The
control fails if the S3 bucket policy allows one or more of the preceding
actions for a principal in another AWS account.

Implementing least privilege access is fundamental to reducing security risk and
the impact of errors or malicious intent. If an S3 bucket policy allows access
from external accounts, it could result in data exfiltration by an insider
threat or an attacker.

The blacklistedactionpatterns parameter determines which action patterns the
rule evaluates. Access granted to external accounts for action patterns that are
not included in the blacklistedactionpatterns list does not cause the rule to
fail.


REMEDIATION

To update an Amazon S3 bucket policy to remove permissions, see Adding a bucket
policy by using the Amazon S3 console in the Amazon Simple Storage Service User
Guide.

On the Edit bucket policy page, in the policy editing text box, take one of the
following actions:

 * Remove the statements that grant other AWS accounts access to denied actions.

 * Remove the permitted denied actions from the statements.
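The following is an added example, not AWS code and not the s3-bucket-blacklisted-actions-prohibited rule's implementation: an offline review helper that lists every Allow statement in a bucket policy granting one of the blacklisted actions above to a principal outside the bucket owner's account, which is what the remediation steps ask you to remove. The wildcard expansion of granted actions, the account extraction from principals, the placeholder account IDs 111111111111 and 222222222222, and the sample policy are all constructed assumptions for the illustration.

```python
import fnmatch
import json
import re
from typing import Any

# The blacklistedactionpatterns values from the control description above.
BLACKLISTED_ACTION_PATTERNS = [
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:PutObjectAcl",
]

_ACCOUNT_ID = re.compile(r"^\d{12}$")
_IAM_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value: Any) -> list:
    """IAM policy grammar allows a scalar or a list for Principal, Action, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> set:
    """Account IDs named by the AWS principal element; "*" (anyone) is kept as-is.
    Service and Federated principals are ignored here since they are not accounts."""
    if principal == "*":
        return {"*"}
    accounts = set()
    if isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS")):
            if entry == "*" or _ACCOUNT_ID.match(entry):
                accounts.add(entry)
            elif (m := _IAM_ARN_ACCOUNT.match(entry)):
                accounts.add(m.group(1))
    return accounts


def _grants(granted_action: str, sensitive_action: str) -> bool:
    """IAM action matching is case-insensitive and allows * and ? wildcards,
    so "s3:Put*" or "*" in a policy covers s3:PutBucketPolicy."""
    return fnmatch.fnmatchcase(sensitive_action.lower(), granted_action.lower())


def external_sensitive_grants(policy_json: str, bucket_account: str) -> list:
    """Return (Sid, external account, sensitive action) for every Allow statement
    that grants a blacklisted action to a principal outside bucket_account.
    NotAction / NotPrincipal statements are not expanded; review those by hand."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        external = sorted(a for a in _principal_accounts(stmt.get("Principal"))
                          if a != bucket_account)
        if not external:
            continue
        for granted in _as_list(stmt.get("Action")):
            for sensitive in BLACKLISTED_ACTION_PATTERNS:
                if _grants(granted, sensitive):
                    for account in external:
                        findings.append((stmt.get("Sid", ""), account, sensitive))
    return findings


# Constructed sample: bucket owned by the placeholder account 111111111111.
BUCKET_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Read-only cross-account grant: not a blacklisted action.
            "Sid": "PartnerRead", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"],
        },
        {   # Wildcard write grant to another account: covers four blacklisted actions.
            "Sid": "PartnerWrite", "Effect": "Allow",
            "Principal": {"AWS": "222222222222"},
            "Action": "s3:Put*",
            "Resource": "arn:aws:s3:::awsexamplebucket",
        },
        {   # Same sensitive action, but granted within the bucket's own account.
            "Sid": "OwnerAdmin", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/BucketAdmin"},
            "Action": "s3:PutBucketPolicy",
            "Resource": "arn:aws:s3:::awsexamplebucket",
        },
    ],
})


if __name__ == "__main__":
    for sid, account, action in external_sensitive_grants(SAMPLE_POLICY, BUCKET_ACCOUNT):
        print(f"{sid}: account {account} may call {action}")
```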


[S3.7] S3 BUCKETS SHOULD HAVE CROSS-REGION REPLICATION ENABLED

Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 AU-9(2), NIST.800-53.r5
CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-36(2), NIST.800-53.r5 SC-5(2),
NIST.800-53.r5 SI-13(5)

Category: Protect > Secure access management

Severity: Low

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-replication-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon S3 bucket has cross-Region replication
enabled. The control fails if an S3 bucket doesn't have cross-Region replication
enabled.

Replication is the automatic, asynchronous copying of objects across buckets in
the same or different AWS Regions. Replication copies newly created objects and
object updates from a source bucket to a destination bucket or buckets. AWS best
practices recommend replication for source and destination buckets that are
owned by the same AWS account. In addition to availability, you should consider
other system hardening settings.


REMEDIATION

To enable Amazon S3 bucket replication, see the Configuring replication for
source and destination buckets owned by the same account in the Amazon Simple
Storage Service User Guide. For Source bucket, choose Apply to all objects in
the bucket.


[S3.8] S3 BLOCK PUBLIC ACCESS SETTING SHOULD BE ENABLED AT THE BUCKET-LEVEL

Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5
AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4,
NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7,
NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20),
NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4),
NIST.800-53.r5 SC-7(9)

Category: Protect > Secure access management > Access control

Severity: High

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-level-public-access-prohibited

Schedule type: Change triggered

Parameters:

 * excludedPublicBuckets (Optional) – A comma-separated list of known allowed
   public S3 bucket names

This control checks whether S3 buckets have bucket-level public access blocks
applied. This control fails if any of the following settings are set to
false:

 * ignorePublicAcls

 * blockPublicPolicy

 * blockPublicAcls

 * restrictPublicBuckets

Block Public Access at the S3 bucket level provides controls to ensure that
objects never have public access. Public access is granted to buckets and
objects through access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets publicly accessible, you should
configure the bucket level Amazon S3 Block Public Access feature.


REMEDIATION

For information on how to remove public access at a bucket level, see Blocking
public access to your Amazon S3 storage in the Amazon S3 User Guide.


[S3.9] S3 BUCKET SERVER ACCESS LOGGING SHOULD BE ENABLED

Related requirements: NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26),
NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12,
NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5
AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8),
NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-logging-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether server access logging is enabled for S3 buckets.
When logging is enabled, Amazon S3 delivers access logs for a source bucket to a
chosen target bucket. The target bucket must be in the same AWS Region as the
source bucket and must not have a default retention period configuration. This
control passes if server access logging is enabled. The target logging bucket
does not need to have server access logging enabled, and you should suppress
findings for this bucket.

Server access logging provides detailed records of requests made to a bucket.
Server access logs can assist in security and access audits. For more
information, see Security Best Practices for Amazon S3: Enable Amazon S3 server
access logging.


REMEDIATION

To enable Amazon S3 server access logging, see Enabling Amazon S3 server access
logging in the Amazon S3 User Guide.


[S3.10] S3 BUCKETS WITH VERSIONING ENABLED SHOULD HAVE LIFECYCLE POLICIES
CONFIGURED

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-version-lifecycle-policy-check

Schedule type: Change triggered

Parameters: None

This control checks whether Amazon Simple Storage Service (Amazon S3) buckets
with versioning enabled have a lifecycle policy configured. This rule fails if
an Amazon S3 lifecycle policy is not enabled.

We recommend configuring lifecycle rules on your Amazon S3 bucket, because these
rules define the actions that you want Amazon S3 to take during an object's
lifetime.


REMEDIATION

For more information on configuring lifecycle on an Amazon S3 bucket, see
Setting lifecycle configuration on a bucket and Managing your storage lifecycle.


[S3.11] S3 BUCKETS SHOULD HAVE EVENT NOTIFICATIONS ENABLED

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-3(8),
NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(4)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-event-notifications-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether S3 Event Notifications are enabled on an Amazon S3
bucket. This control fails if S3 Event Notifications are not enabled on a
bucket.

By enabling Event Notifications, you receive alerts on your Amazon S3 buckets
when specific events occur. For example, you can be notified of object creation,
object removal, and object restoration. These notifications can alert relevant
teams to accidental or intentional modifications that may lead to unauthorized
data access.


REMEDIATION

For information about detecting changes to S3 buckets and objects, see Amazon S3
Event Notifications in the Amazon S3 User Guide.


[S3.12] S3 ACCESS CONTROL LISTS (ACLS) SHOULD NOT BE USED TO MANAGE USER ACCESS
TO BUCKETS

Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3,
NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

Category: Protect > Secure access management > Access control

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-acl-prohibited

Schedule type: Change triggered

Parameters: None

This control checks whether Amazon S3 buckets provide user permissions via ACLs.
The control fails if ACLs are configured for managing user access on S3 buckets.

ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we
recommend using IAM policies or S3 bucket policies to more easily manage access
to your S3 buckets.


REMEDIATION

To pass this control, you should disable ACLs for your S3 buckets. For
instructions, see Controlling ownership of objects and disabling ACLs for your
bucket in the Amazon Simple Storage Service User Guide.

To create an S3 bucket policy, see Adding a bucket policy by using the Amazon S3
console. To create an IAM user policy on an S3 bucket, see Controlling access to
a bucket with user policies.


[S3.13] S3 BUCKETS SHOULD HAVE LIFECYCLE POLICIES CONFIGURED

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Protect > Data protection

Severity: Low

Resource type: AWS::S3::Bucket

AWS Config rule: s3-lifecycle-policy-check

Schedule type: Change triggered

Parameters: None

This control checks if a lifecycle policy is configured for an Amazon S3 bucket.
This control fails if a lifecycle policy is not configured for an S3 bucket.

Configuring lifecycle rules on your S3 bucket defines actions that you want S3
to take during an object's lifetime. For example, you can transition objects to
another storage class, archive them, or delete them after a specified period of
time.


REMEDIATION

For information about configuring lifecycle policies on an Amazon S3 bucket, see
Setting lifecycle configuration on a bucket and see Managing your storage
lifecycle in the Amazon S3 User Guide.


[S3.14] S3 BUCKETS SHOULD USE VERSIONING

Category: Protect > Data protection > Data deletion protection

Related requirements: NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10,
NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12,
NIST.800-53.r5 SI-13(5)

Severity: Low

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-versioning-enabled

Schedule type: Change triggered

Parameters: None

This control checks if your Amazon S3 buckets use versioning. The control fails
if versioning is suspended for an S3 bucket.

Versioning keeps multiple variants of an object in the same S3 bucket. You can
use versioning to preserve, retrieve, and restore earlier versions of an object
stored in your S3 bucket. Versioning helps you recover from both unintended user
actions and application failures.

TIP

As the number of objects increases in a bucket because of versioning, you can
set up lifecycle policies to automatically archive or delete versioned objects
based on rules. For more information, see Amazon S3 Lifecycle Management for
Versioned Objects.


REMEDIATION

To use versioning on an S3 bucket, see Enabling versioning on buckets in the
Amazon S3 User Guide.


[S3.15] S3 BUCKETS SHOULD BE CONFIGURED TO USE OBJECT LOCK

Category: Protect > Data protection > Data deletion protection

Related requirements: NIST.800-53.r5 CP-6(2)

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-bucket-default-lock-enabled

Schedule type: Change triggered

Parameters: None

This control checks if an Amazon S3 bucket has been configured to use Object
Lock. The control fails if the S3 bucket isn't configured to use Object Lock.

You can use S3 Object Lock to store objects using a write-once-read-many (WORM)
model. Object Lock can help prevent objects in S3 buckets from being deleted or
overwritten for a fixed amount of time or indefinitely. You can use S3 Object
Lock to meet regulatory requirements that require WORM storage, or add an extra
layer of protection against object changes and deletion.


REMEDIATION

To configure Object Lock for a new S3 bucket, see Using S3 Object Lock in the
Amazon S3 User Guide. After creating a bucket, you can't change its Object Lock
configuration. To configure Object Lock for an existing bucket, contact AWS
Support.


[S3.17] S3 BUCKETS SHOULD BE ENCRYPTED AT REST WITH AWS KMS KEYS

Category: Protect > Data protection > Encryption of data at rest

Related requirements: NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6),
NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1),
NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6),
NIST.800-53.r5 AU-9

Severity: Medium

Resource type: AWS::S3::Bucket

AWS Config rule: s3-default-encryption-kms

Schedule type: Change triggered

Parameters: None

This control checks if an Amazon S3 bucket is encrypted with an AWS KMS key
(SSE-KMS or DSSE-KMS). The control fails if an S3 bucket is encrypted with
default encryption (SSE-S3).

Server-side encryption (SSE) is the encryption of data at its destination by the
application or service that receives it. Unless you specify otherwise, S3
buckets use Amazon S3 managed keys (SSE-S3) by default for server-side
encryption. However, for added control, you can choose to configure buckets to
use server-side encryption with AWS KMS keys (SSE-KMS or DSSE-KMS) instead.
Amazon S3 encrypts your data at the object level as it writes it to disks in AWS
data centers and decrypts it for you when you access it.


REMEDIATION

To encrypt an S3 bucket using SSE-KMS, see Specifying server-side encryption
with AWS KMS (SSE-KMS) in the Amazon S3 User Guide. To encrypt an S3 bucket
using DSSE-KMS, see Specifying dual-layer server-side encryption with AWS KMS
keys (DSSE-KMS) in the Amazon S3 User Guide.
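The following added example (not AWS code, and not how Security Hub or AWS Config is implemented) evaluates the three configuration checks described above for S3.14, S3.15 and S3.17 offline. It assumes the input dictionaries have the shapes returned by the boto3 calls get_bucket_versioning, get_object_lock_configuration and get_bucket_encryption, with None standing in for the "configuration not found" errors those calls raise; the bucket data is constructed.

```python
from typing import Optional

KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}  # SSE-KMS and DSSE-KMS


def check_s3_14(versioning: dict) -> str:
    """S3.14: the Config rule requires Status == 'Enabled'. An empty response
    (never enabled) and 'Suspended' (turned off later) both fail."""
    return "PASSED" if versioning.get("Status") == "Enabled" else "FAILED"


def check_s3_15(object_lock: Optional[dict]) -> str:
    """S3.15: Object Lock must be enabled on the bucket. None models the
    ObjectLockConfigurationNotFoundError raised when it was never configured."""
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    return "PASSED" if cfg.get("ObjectLockEnabled") == "Enabled" else "FAILED"


def check_s3_17(encryption: Optional[dict]) -> str:
    """S3.17: every default-encryption rule must use SSE-KMS or DSSE-KMS.
    AES256 (SSE-S3) fails; a missing configuration is treated as SSE-S3 (assumption)."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "FAILED"
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in KMS_ALGORITHMS:
            return "FAILED"
    return "PASSED"


# Constructed sample data in the boto3 response shapes; not real account data.
SAMPLE_BUCKETS = {
    "audit-archive": {
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    },
    "legacy-uploads": {
        "versioning": {"Status": "Suspended"},
        "object_lock": None,
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    },
}


def evaluate(buckets: dict) -> dict:
    """Return {bucket: {control: 'PASSED' | 'FAILED'}} for the three controls."""
    return {name: {"S3.14": check_s3_14(cfg["versioning"]),
                   "S3.15": check_s3_15(cfg["object_lock"]),
                   "S3.17": check_s3_17(cfg["encryption"])}
            for name, cfg in buckets.items()}
```

In a real account the same functions can be fed the responses of the three boto3 calls per bucket, catching the not-found errors and passing None.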

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.