
Detect Amazon S3 Configuration Changes


Risk level: High (not acceptable risk)

The Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made to the Amazon S3 service or to S3 resources (buckets) within your AWS account.

This rule resolution is part of the Cloud Conformity Tool

Amazon S3 (Amazon Simple Storage Service) is an object storage service designed to store and retrieve any amount of data (objects) from anywhere on the Internet. S3 is designed for 99.999999999% (eleven nines) object durability and 99.99% availability, scales without capacity planning, and is billed only for what you store and transfer. It exposes a web console and a REST API (also reachable through the AWS CLI and SDKs) that you can use to upload, download and manage any type and amount of data, serve the same object millions of times, host static websites, keep logs and backups, or hold copies of important data for disaster recovery. Bucket names share a single global namespace, but every bucket is created in, and its data stored in, one AWS Region. Amazon S3 lets developers focus on their application instead of on where and how to store their data.

Cloud Conformity RTMA can detect essentially any S3 configuration change made within your AWS account, such as creating and deleting buckets, making S3 buckets publicly accessible using Access Control Lists (ACLs), updating bucket policies that set permissions for all objects within a bucket, and updating S3 lifecycle policies. More precisely, the activity detected by this RTMA rule can be any request by an IAM principal or the root account user, whether initiated through the AWS Management Console or programmatically through the AWS CLI or SDKs, that performs one of the following Amazon S3 actions (listed below by their IAM action names; note that CloudTrail records some of them under a different eventName, for example s3:PutEncryptionConfiguration is logged as PutBucketEncryption, so match on the logged name when writing your own detection):

"CreateBucket" - Creates a new S3 bucket.

"DeleteBucket" - Deletes the named S3 bucket. The bucket must be empty, so a successful DeleteBucket usually follows a burst of object deletions.

"DeleteBucketPolicy" - Deletes the permission policy on a specified bucket.

"DeleteBucketWebsite" - Removes the website configuration for an S3 bucket.

"PutAccountPublicAccessBlock" - Creates or modifies the PublicAccessBlock configuration for an AWS account.    

"PutAccelerateConfiguration" - Sets the Transfer Acceleration state of an existing S3 bucket.  

"PutAnalyticsConfiguration" - Adds an analytics configuration (identified by the analytics ID) to the specified bucket.

"PutBucketAcl" - Sets the permissions on an existing S3 bucket using Access Control Lists (ACLs).

"PutBucketCORS" - Sets the Cross-Origin Resource Sharing (CORS) configuration for a specified bucket.    

"PutBucketLogging" - Sets the logging parameters for an S3 bucket.    

"PutBucketNotification" - Enables you to receive notifications when certain events happen within your bucket.

"PutBucketPolicy" - Adds to or replaces a permission policy on an S3 bucket.

"PutBucketPublicAccessBlock" - Creates or modifies the PublicAccessBlock configuration for a specific S3 bucket.

"PutBucketRequestPayment" - Sets the request payment configuration of an S3 bucket.  

"PutBucketTagging" - Adds a set of tags to an existing bucket.    

"PutBucketVersioning" - Sets the versioning state of an existing bucket.

"PutBucketWebsite" - Sets the configuration of the website that is specified within the website subresource.

"PutEncryptionConfiguration" - Sets the encryption configuration for a bucket.   

"PutInventoryConfiguration" - Adds an inventory configuration (identified by the inventory ID) to a specified S3 bucket.

"PutLifecycleConfiguration" - Creates a new lifecycle configuration for an S3 bucket or replaces an existing lifecycle configuration.  

"PutMetricsConfiguration" - Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an S3 bucket.

"PutReplicationConfiguration" - Creates a new replication configuration (or replaces an existing one) for a versioning-enabled S3 bucket.

"AbortMultipartUpload" - Aborts a multipart data upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID.   
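Whether you rely on RTMA or build your own pipeline, the raw material for detecting these actions is the CloudTrail record. The following Python script is an added example, not Cloud Conformity or AWS code: it filters CloudTrail records for mutating S3 management events and then inspects the requestParameters of the most dangerous ones (a public ACL grant, a bucket policy that allows principal `*`, a Block Public Access setting switched off, a bucket or bucket-policy deletion) to rank them. The record layout and the requestParameters shapes are taken from the CloudTrail S3 event format as documented; the sample records are constructed for the example and the severity tiers are this example's own choice, not the rule's.

```python
"""Triage Amazon S3 configuration-change events from CloudTrail records.

Added example (not Cloud Conformity or AWS code). Assumes the CloudTrail record
layout for S3 management events (eventSource, eventName, readOnly,
requestParameters, userIdentity); the severity tiers are this example's own.
"""
import json

PUBLIC_GRANTEES = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PUBLIC_CANNED_ACLS = ("public-read", "public-read-write", "authenticated-read")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_EVENTS = ("PutPublicAccessBlock", "PutBucketPublicAccessBlock", "PutAccountPublicAccessBlock")
# Object-level data events are not configuration changes; skip them if a trail logs them.
OBJECT_EVENTS = ("PutObject", "DeleteObject", "DeleteObjects", "CopyObject", "UploadPart")


def is_s3_config_change(record):
    """True for a mutating S3 management event (Create*/Put*/Delete*), not reads or object data."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("readOnly", False):
        return False
    name = record.get("eventName", "")
    if name in OBJECT_EVENTS:
        return False
    return name.startswith(("Create", "Put", "Delete", "AbortMultipartUpload"))


def acl_makes_public(params):
    """PutBucketAcl: a canned public ACL header, or an explicit grant to AllUsers/AuthenticatedUsers."""
    if params.get("x-amz-acl") in PUBLIC_CANNED_ACLS:
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is logged as an object rather than a list
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def policy_allows_anyone(params):
    """PutBucketPolicy: an unconditional Allow to principal '*'. Handles the policy logged as JSON text or object."""
    raw = params.get("bucketPolicy")
    if raw is None:
        return False
    doc = json.loads(raw) if isinstance(raw, str) else raw
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        principal = s.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if s.get("Effect") == "Allow" and wildcard and "Condition" not in s:
            return True
    return False


def pab_weakened(params):
    """Put(Bucket|Account)PublicAccessBlock: any of the four block settings switched off."""
    cfg = params.get("PublicAccessBlockConfiguration", {})
    return any(cfg.get(flag) in (False, "false") for flag in PAB_FLAGS)


def triage(record):
    """Return a finding for an S3 configuration change, or None if the record is not one."""
    if not is_s3_config_change(record):
        return None
    name = record["eventName"]
    params = record.get("requestParameters") or {}
    reasons = []
    if name == "PutBucketAcl" and acl_makes_public(params):
        reasons.append("bucket ACL grants access to a public group")
    if name == "PutBucketPolicy" and policy_allows_anyone(params):
        reasons.append("bucket policy allows principal '*' without a condition")
    if name in PAB_EVENTS and pab_weakened(params):
        reasons.append("Block Public Access setting disabled")
    if name in ("DeleteBucket", "DeleteBucketPolicy"):
        reasons.append("deletion of a bucket or its policy")
    ident = record.get("userIdentity", {})
    return {"eventName": name, "bucket": params.get("bucketName"),
            "actor": ident.get("arn") or ident.get("type"),
            "severity": "high" if reasons else "medium", "reasons": reasons}


# Constructed sample records (not real CloudTrail output), trimmed to the fields used above.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"bucketName": "payroll-exports", "AccessControlPolicy": {"AccessControlList": {
         "Grant": [{"Grantee": {"xsi:type": "Group", "URI": PUBLIC_GRANTEES[0]}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build-42"},
     "requestParameters": {"bucketName": "app-assets", "bucketPolicy": json.dumps({"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::app-assets/*"}]})}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"bucketName": "payroll-exports", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": False, "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-bob"},
     "requestParameters": {"bucketName": "app-assets", "VersioningConfiguration": {"Status": "Enabled"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-bob"},
     "requestParameters": {"bucketName": "app-assets"}},
]


def findings(records=SAMPLE_RECORDS):
    """Triage every record and drop the ones that are not S3 configuration changes."""
    return [f for f in map(triage, records) if f is not None]


if __name__ == "__main__":
    for f in findings():
        print(f"{f['severity'].upper():6} {f['eventName']:28} {f['bucket']}  by {f['actor']}  {'; '.join(f['reasons'])}")
```

Feed it the `Records` array of a CloudTrail log file (or the `detail` of an EventBridge event from CloudTrail) instead of `SAMPLE_RECORDS`. Two design points worth keeping in any real detector: match on a prefix of the logged eventName rather than a hand-maintained allowlist, so a newly added S3 configuration API is not silently ignored, and treat a disabled Block Public Access flag or a wildcard principal as high severity even when the actor is root, since those are exactly the changes an attacker with stolen credentials makes first.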

To adhere to AWS security best practices and the principle of least privilege (every user, process and system receives only the access it needs to perform its task), Cloud Conformity strongly recommends that you do not grant non-privileged IAM users permission to change the S3 service or bucket configuration within your Amazon Web Services account, and that you restrict these actions to a small, well-monitored set of administrative principals.
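One way to enforce that restriction is an explicit Deny on the actions listed above, scoped so that only a designated administrative role may perform them. The policy below is an added example, not Cloud Conformity or AWS content: it is written as a Service Control Policy (SCP) for an AWS Organizations member account, so it also binds the account's root user, but the same statement works as an explicit Deny in an IAM identity policy or permissions boundary. The account ID `123456789012` and the role name `S3Admin` are placeholders. `s3:AbortMultipartUpload` is deliberately left out because it is an object-level data operation that ordinary workloads need, not a configuration change.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3ConfigurationChangesExceptS3Admin",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:PutAccountPublicAccessBlock",
        "s3:PutAccelerateConfiguration",
        "s3:PutAnalyticsConfiguration",
        "s3:PutBucketAcl",
        "s3:PutBucketCORS",
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketRequestPayment",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutInventoryConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutMetricsConfiguration",
        "s3:PutReplicationConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/S3Admin"
        }
      }
    }
  ]
}
```

Because an explicit Deny always wins over any Allow, this statement cannot be undone by attaching a broader policy to a user; the only way around it is to assume the exempted role, and every such AssumeRole call is itself a CloudTrail event you can alert on. Keep `s3:PutObjectAcl` out of the list if you rely on object-level ACLs for application workflows, and remember that once the S3 Block Public Access settings are on at the account level, a public ACL or policy is rejected regardless of who calls the API.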

The communication channels used to send RTMA notifications for this rule are configured in your Cloud Conformity account. The supported channels for receiving Amazon S3 configuration change alerts are SMS, email, Slack, PagerDuty, Zendesk and ServiceNow.

Remediation / Resolution

Whether you use Amazon S3 to store simple log data or to back mission-critical applications, monitoring S3 configuration changes in real time is essential for keeping your data secure. As a security best practice, you need to know about every change made at the S3 level as soon as it happens: a public ACL grant, an over-permissive bucket policy, a disabled Block Public Access setting or a deleted lifecycle or replication configuration can expose or destroy data long before a periodic audit would notice. Monitoring does not by itself block such changes, but using Cloud Conformity RTMA to detect them promptly lets you revert accidental or malicious modifications before they lead to data leakage or data loss, which is why detecting Amazon S3 configuration changes is essential for keeping your cloud data secure.

Publication date Dec 16, 2018