AWS S3 Best Practices

Best practice rules for Amazon S3

AWS Simple Storage Service (S3) is a storage device for the Internet. It has a web service that makes storage and retrieval simple at any time, from anywhere on the web, regardless of the amount of data. S3 is designed to make web-scale computing simple for developers by providing highly scalable, fast, reliable and inexpensive data storage infrastructure.

Cloud Conformity monitors Amazon S3 following the following rules:

DNS Compliant S3 Bucket Names
Ensure that your AWS S3 buckets are using DNS-compliant bucket names.
S3 Bucket Authenticated Users 'FULL_CONTROL' Access
Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.
S3 Bucket Authenticated Users 'READ' Access
Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs.
S3 Bucket Authenticated Users 'READ_ACP' Access
Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.
S3 Bucket Authenticated Users 'WRITE' Access
Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.
S3 Bucket Authenticated Users 'WRITE_ACP' Access
Ensure S3 buckets do not allow WRITE_ACP access to AWS authenticated users using S3 ACLs.
S3 Bucket Default Encryption
Ensure Amazon S3 buckets have Default Encryption feature enabled.
S3 Bucket Logging Enabled
Ensure AWS S3 buckets have server access logging enabled to track access requests.
S3 Bucket MFA Delete Enabled
Ensure AWS S3 buckets have the MFA Delete feature enabled.
S3 Bucket Public 'FULL_CONTROL' Access
Ensure that your AWS S3 buckets are not publicly exposed to the Internet.
S3 Bucket Public 'READ' Access
Ensure AWS S3 buckets do not allow public READ access.
S3 Bucket Public 'READ_ACP' Access
Ensure AWS S3 buckets do not allow public READ_ACP access.
S3 Bucket Public 'WRITE' Access
Ensure AWS S3 buckets do not allow public WRITE access.
S3 Bucket Public 'WRITE_ACP' Access
Ensure AWS S3 buckets do not allow public WRITE_ACP access.
S3 Bucket Public Access Via Policy
Ensure AWS S3 buckets do not allow public access via bucket policies.
S3 Bucket Versioning Enabled
Ensure AWS S3 object versioning is enabled for an additional level of data protection.
S3 Buckets Encrypted with Customer-Provided CMKs
Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs.
S3 Buckets Lifecycle Configuration
Ensure Amazon S3 buckets have lifecycle configuration enabled for security and cost optimization purposes.
S3 Buckets with Website Configuration Enabled (Not Scored)
Ensure S3 buckets with website configuration enabled are regularly reviewed (informational).
S3 Configuration Changes
AWS S3 configuration changes have been detected within your Amazon Web Services account.
S3 Cross Account Access
Ensure Amazon S3 buckets do not allow unknown cross account access via bucket policies.
S3 Object Lock
Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance.
S3 Transfer Acceleration
Ensure that Amazon S3 buckets use Transfer Acceleration feature for faster data transfers.
Secure Transport
Ensure AWS S3 buckets enforce SSL to secure data in transit
Server Side Encryption
Ensure AWS S3 buckets enforce Server-Side Encryption (SSE)