
Review S3 Buckets with Website Configuration Enabled


Risk level: Medium (should be achieved)

Ensure that your Amazon S3 buckets with website configuration enabled are regularly reviewed for security purposes. When you enable this rule in the Cloud Conformity dashboard, you must specify one or more S3 buckets that are expected to have website configuration enabled. Once the rule is active, the Cloud Conformity engine scans your AWS account and returns review information for all S3 buckets.

This rule resolution is part of the Cloud Conformity Security Package

To host a website on Amazon S3, you need to configure a bucket as a website by adding the necessary configuration. By regularly reviewing these S3 buckets, you make sure that only the desired buckets are accessible from the website endpoint.

Audit

To identify all Amazon S3 buckets with website configuration enabled for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select the Properties tab from the S3 dashboard top menu and check the Static website hosting feature status. If the feature's current status is Bucket hosting, the selected AWS S3 bucket is configured for website hosting.

05 Now open your Cloud Conformity console, select the conformity rule and compare the name of the S3 bucket verified at the previous step against each name listed within the configuration section of the rule. If the selected bucket name is not listed in the configuration section, the S3 bucket should be reviewed in order to decide whether or not to disable the website hosting feature.

06 Repeat steps no. 3 - 5 to check other S3 buckets, available in your AWS account, for review purposes.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cloud-conformity-docs",
    "cloud-conformity-data-reports",
    "cloud-conformity-media-library"
]

03 Run get-bucket-website command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to retrieve the website configuration associated with the selected bucket:

aws s3api get-bucket-website \
	--bucket cloud-conformity-docs

04 The command output should return the requested website configuration details or the S3 NoSuchWebsiteConfiguration error message if the feature is not currently enabled:

{
    "IndexDocument": {
        "Suffix": "index.html"
    }
}

If the get-bucket-website command output returns the website configuration information such as the name of the index document, as shown in the output example above, the selected Amazon S3 bucket is configured for website hosting.

05 Now access your Cloud Conformity console, select the rule and compare the name of the S3 bucket verified earlier against each name listed within the configuration section of the rule. If the selected bucket name is not listed in the configuration section, the S3 bucket should be reviewed in order to decide whether or not to disable the website hosting feature.

06 Repeat steps no. 3 - 5 to check other S3 buckets, available in your AWS account, for review purposes.
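
The CLI audit steps above, combined into one script as an added example (not part of the original page or of Cloud Conformity's tooling). The allowlist argument and the EXPECTED/REVIEW/ERROR labels are assumptions made for the example; the two aws s3api commands are the ones used in steps 01 and 03.

```shell
#!/bin/sh
# Added example: automates CLI audit steps 01-06 above.
# The allowlist argument is an assumption: a space-separated copy of the bucket
# names entered in the rule's configuration section.

# Print "website", "none" or "error" for one bucket ($1 = bucket name).
website_status() {
    if out=$(aws s3api get-bucket-website --bucket "$1" 2>&1); then
        echo "website"
    else
        case "$out" in
            *NoSuchWebsiteConfiguration*) echo "none" ;;
            # AccessDenied, throttling, etc. must not be read as "hosting disabled".
            *) echo "error" ;;
        esac
    fi
}

# $1 = allowlist. Prints one line per bucket that hosts a website or could not
# be checked; returns 1 if any bucket needs review, 2 if listing failed.
audit_website_buckets() {
    expected=" $1 "
    rc=0
    buckets=$(aws s3api list-buckets --query 'Buckets[*].Name' --output text) || return 2
    for b in $buckets; do
        case "$(website_status "$b")" in
            website)
                case "$expected" in
                    *" $b "*) echo "EXPECTED $b" ;;
                    *) echo "REVIEW $b"; rc=1 ;;
                esac ;;
            error) echo "ERROR $b"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit.sh --audit cloud-conformity-docs [more-expected-buckets...]
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_website_buckets "$*"
fi
```

Buckets reported as ERROR are ones where get-bucket-website failed for a reason other than NoSuchWebsiteConfiguration, so their hosting status is unknown until the call succeeds.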

Remediation / Resolution

When you disable S3 website hosting, Amazon S3 service removes the website configuration from your buckets so that these buckets are no longer accessible from the website endpoint. To disable website hosting for your S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Properties tab from the S3 dashboard top menu and click on the Static website hosting feature configuration box.

05 Inside the Static website hosting configuration box, select the Disable website hosting option, then click Save to apply the changes. Once the feature is disabled, the selected AWS S3 bucket contents are no longer accessible from the website endpoint.

06 Repeat steps no. 3 – 5 to disable website hosting for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run delete-bucket-website command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure (see Audit section part II to identify the right S3 resource) to remove the website configuration from the selected bucket (the command does not produce an output):

aws s3api delete-bucket-website \
	--bucket cloud-conformity-docs

02 Repeat step no. 1 to disable website hosting for other S3 buckets provisioned within your AWS account.


Publication date Nov 1, 2017