Logo of Trend Micro

S3 Buckets with Website Configuration Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: S3-019

Ensure that your Amazon S3 buckets with website configuration enabled are regularly reviewed for security purposes. Upon enabling this rule on Cloud Conformity dashboard, you must specify one or more S3 buckets that are expected to have website configuration enabled. Once the rule is active, Cloud Conformity engine will scan your AWS account and will return review information for all S3 buckets.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

To host website on AWS S3 you need to configure a bucket as website by adding the necessary configuration. By regularly reviewing these S3 buckets you make sure that only the desired buckets are accessible from the website endpoint.

Audit

To identify all Amazon S3 buckets with website configuration enabled for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select Properties tab from the S3 dashboard top menu and check the Static website hosting feature status. If the feature current status is Bucket hosting, the selected AWS S3 bucket is configured for website hosting.

05 Now open your Cloud Conformity console, select the conformity rule and compare the name of the S3 bucket verified at the previous step against each name listed within the configuration section of the rule. If the selected bucket name is not listed in the configuration section, the S3 bucket should be reviewed in order to decide whether to disable or not the website hosting feature.

06 Repeat steps no. 3 - 5 to check other S3 buckets, available in your AWS account, for review purposes.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets: 

[
    "cloud-conformity-docs",
    "cloud-conformity-data-reports",
    "cloud-conformity-media-library"
]

03 Run get-bucket-website command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to retrieve the website configuration associated with the selected bucket: 

aws s3api get-bucket-website
	--bucket cloud-conformity-docs

04 The command output should return the requested website configuration details or the S3 NoSuchWebsiteConfiguration error message if the feature is not currently enabled: 

{
    "IndexDocument": {
        "Suffix": "index.html"
    }
}

If the get-bucket-website command output returns the website configuration information such as the name of the index document, as shown in the output example above, the selected Amazon S3 bucket is configured for website hosting.

05 Now access your Cloud Conformity console, select the rule and compare the name of the S3 bucket verified earlier against each name listed within the configuration section of the rule. If the selected bucket name is not listed in the configuration section, the S3 bucket should be reviewed in order to decide whether to disable or not the website hosting feature.

06 Repeat steps no. 3 - 5 to check other S3 buckets, available in your AWS account, for review purposes.

Remediation / Resolution

When you disable S3 website hosting, Amazon S3 service removes the website configuration from your buckets so that these buckets are no longer accessible from the website endpoint. To disable website hosting for your S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Properties tab from the S3 dashboard top menu and click on the Static website hosting feature configuration box.

05 Inside Static website hosting configuration box, select Disable website hosting option then click Save to apply the changes. Once the feature is disabled, the selected AWS S3 bucket contents are no longer accessible from the website endpoint.

06 Repeat steps no. 3 – 5 to disable website hosting for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run delete-bucket-website command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure (see Audit section part II to identify the right S3 resource) to remove the website configuration from the selected bucket (the command does not produce an output): 

aws s3api delete-bucket-website
	--bucket cloud-conformity-docs

02 Repeat step no. 1 to disable website hosting for other S3 buckets provisioned within your AWS account.

References

Publication date Nov 1, 2017

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

S3 Buckets with Website Configuration Enabled

Risk level: Medium