DNS Compliant S3 Bucket Names
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your AWS S3 buckets are using DNS-compliant bucket names in order to adhere to AWS best practices and to benefit from new S3 features such as S3 Transfer Acceleration, to benefit from operational improvements and to receive support for virtual-host style access to buckets. In this conformity rule, a DNS-compliant name is an S3 bucket name that doesn't contain periods (i.e. '.'). The following examples are invalid S3 bucket names: '.myS3bucket', 'myS3bucket.' and 'my..S3bucket'. To enable AWS S3 Transfer Acceleration on a bucket or use a virtual hosted–style bucket with SSL, the bucket name must conform to DNS naming requirements and must not contain periods. Cloud Conformity recommends that you use '-' instead of '.' for your S3 bucket names to comply with DNS naming conventions.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
If you need to use your AWS S3 buckets over SSL, using periods (".") for their names will trigger certificate mismatch errors, therefore always use "-" instead of "." in bucket names for SSL.
To use virtual hosted–style buckets with SSL or enable S3 Transfer Acceleration feature, the names of these buckets cannot contain periods ("."). To identify any Amazon S3 bucket that has periods within the bucket name, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Choose the S3 bucket that you want to examine and check its name, available in the Bucket name column. If the bucket name contains periods ("."), the selected S3 bucket name does not comply with the existing DNS naming conventions.
04 Repeat step no. 3 to check other S3 buckets, available in your AWS account, for non-DNS compliant bucket names.
01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:
aws s3api list-buckets --query 'Buckets[*].Name'
02 The command output should return the names of your S3 buckets:
[
"cloud.conformity.media.files.",
"cloud-conformity.data-reports",
"cloud-conformity-origin-s3-bucket"
]
03 Check the name of each S3 bucket returned by the list-buckets command output for periods (i.e. "."). The bucket name cannot start and end with a period, cannot have two or more consecutive periods between labels. If a name returned within the command output contains periods (e.g. " cloud.conformity.media.files."), the verified S3 bucket name does not comply with the existing DNS naming conventions.
Since you can't change (rename) S3 bucket names once you have created them, you'd have to create new buckets and copy everything to the new ones. To re-create any AWS S3 bucket with non–DNS compliant bucket name, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Click on the Create bucket button from the dashboard top menu to launch a new S3 bucket.
04 Within Create bucket setup window, perform the following actions:
05 Now you can copy everything from the source bucket to the newly created S3 bucket.
06 Once all your objects are copied from the source bucket to the DNS-compliant bucket, it is safe to remove the source bucket in order to stop incurring charges for it. To delete the required S3 bucket, perform the following:
07 Repeat steps no. 3 – 6 to re-create other AWS S3 buckets with non–DNS compliant names, available in your AWS account.
01 First, you need to extract the source bucket access policy. Run get-bucket-policy command (OSX/Linux/UNIX) to describe the access policy assigned to the selected S3 bucket:
aws s3api get-bucket-policy --region us-east-1 --bucket cloud.conformity.media.files.
02 The command output should return the requested bucket policy. Save the policy document within a JSON file and name the file source-s3-bucket-policy.json:
{
"Id": "Policy1509044761173",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1509044762275",
"Action": [
"s3:ListObjects"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::cloud.conformity.media.files.",
"Principal": "*"
}
]
}
03 Now execute create-bucket command (OSX/Linux/UNIX) to create the new DNS-compliant S3 bucket in the selected AWS region:
aws s3api create-bucket --region us-east-1 --bucket cloud-conformity-media-files
04 The command output should return the new S3 bucket location (URL):
{
"Location": "/cloud-conformity-media-files"
}
05 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy saved at step no. 2 (i.e. source-s3-bucket-policy.json) to the newly created S3 bucket (cloud-conformity-media-files):
aws s3api put-bucket-policy --bucket cloud-conformity-media-files --policy file://source-s3-bucket-policy.json
06 You can copy now everything from the source bucket to the newly created S3 bucket.
07 Once all your objects are copied from the source bucket to the DNS-compliant bucket, it is safe to remove the source bucket, to stop incurring charges for this AWS resource. To delete the required S3 bucket, run delete-bucket command (OSX/Linux/UNIX) using the name of the bucket that you want to delete as identifier (the command does not produce an output):
aws s3api delete-bucket --region us-east-1 --bucket cloud.conformity.media.files.
08 Repeat steps no. 1 – 7 to re-create other AWS S3 buckets with non–DNS compliant names, available within your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat