Logo of Trend Micro

DNS Compliant S3 Bucket Names

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: S3-018

Ensure that your AWS S3 buckets are using DNS-compliant bucket names in order to adhere to AWS best practices and to benefit from new S3 features such as S3 Transfer Acceleration, to benefit from operational improvements and to receive support for virtual-host style access to buckets. In this conformity rule, a DNS-compliant name is an S3 bucket name that doesn't contain periods (i.e. '.'). The following examples are invalid S3 bucket names: '.myS3bucket', 'myS3bucket.' and 'my..S3bucket'. To enable AWS S3 Transfer Acceleration on a bucket or use a virtual hosted–style bucket with SSL, the bucket name must conform to DNS naming requirements and must not contain periods. Cloud Conformity recommends that you use '-' instead of '.' for your S3 bucket names to comply with DNS naming conventions.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

If you need to use your AWS S3 buckets over SSL, using periods (".") for their names will trigger certificate mismatch errors, therefore always use "-" instead of "." in bucket names for SSL.

Audit

To use virtual hosted–style buckets with SSL or enable S3 Transfer Acceleration feature, the names of these buckets cannot contain periods ("."). To identify any Amazon S3 bucket that has periods within the bucket name, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Choose the S3 bucket that you want to examine and check its name, available in the Bucket name column. If the bucket name contains periods ("."), the selected S3 bucket name does not comply with the existing DNS naming conventions.

04 Repeat step no. 3 to check other S3 buckets, available in your AWS account, for non-DNS compliant bucket names.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets: 

[
    "cloud.conformity.media.files.",
    "cloud-conformity.data-reports",
    "cloud-conformity-origin-s3-bucket"
]

03 Check the name of each S3 bucket returned by the list-buckets command output for periods (i.e. "."). The bucket name cannot start and end with a period, cannot have two or more consecutive periods between labels. If a name returned within the command output contains periods (e.g. " cloud.conformity.media.files."), the verified S3 bucket name does not comply with the existing DNS naming conventions.

Remediation / Resolution

Since you can't change (rename) S3 bucket names once you have created them, you'd have to create new buckets and copy everything to the new ones. To re-create any AWS S3 bucket with non–DNS compliant bucket name, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the Create bucket button from the dashboard top menu to launch a new S3 bucket.

04 Within Create bucket setup window, perform the following actions:

  1. Inside the Bucket name box, provide a DNS-compliant bucket name that that doesn't contain periods.
  2. Select the appropriate AWS region from the Region dropdown list.
  3. Select the source bucket (i.e. the S3 bucket with non–DNS compliant name) from the Copy settings from an existing bucket dropdown list.
  4. Click Create to set up the new DNS-compliant S3 bucket.

05 Now you can copy everything from the source bucket to the newly created S3 bucket.

06 Once all your objects are copied from the source bucket to the DNS-compliant bucket, it is safe to remove the source bucket in order to stop incurring charges for it. To delete the required S3 bucket, perform the following:

  1. Select the bucket that you want to remove from your AWS account.
  2. Click Delete bucket from the S3 dashboard top menu.
  3. Inside Delete bucket confirmation box, enter the name of the bucket within Type the name of the bucket to confirm box, then click Confirm to remove the bucket.

07 Repeat steps no. 3 – 6 to re-create other AWS S3 buckets with non–DNS compliant names, available in your AWS account.

Using AWS CLI

01 First, you need to extract the source bucket access policy. Run get-bucket-policy command (OSX/Linux/UNIX) to describe the access policy assigned to the selected S3 bucket: 

aws s3api get-bucket-policy
	--region us-east-1
	--bucket cloud.conformity.media.files.

02 The command output should return the requested bucket policy. Save the policy document within a JSON file and name the file source-s3-bucket-policy.json: 

{
  "Id": "Policy1509044761173",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509044762275",
      "Action": [
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::cloud.conformity.media.files.",
      "Principal": "*"
    }
  ]
}

03 Now execute create-bucket command (OSX/Linux/UNIX) to create the new DNS-compliant S3 bucket in the selected AWS region: 

aws s3api create-bucket
	--region us-east-1
	--bucket cloud-conformity-media-files

04 The command output should return the new S3 bucket location (URL): 

{
    "Location": "/cloud-conformity-media-files"
}

05 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy saved at step no. 2 (i.e. source-s3-bucket-policy.json) to the newly created S3 bucket (cloud-conformity-media-files): 

aws s3api put-bucket-policy
	--bucket cloud-conformity-media-files
	--policy file://source-s3-bucket-policy.json

06 You can copy now everything from the source bucket to the newly created S3 bucket.

07 Once all your objects are copied from the source bucket to the DNS-compliant bucket, it is safe to remove the source bucket, to stop incurring charges for this AWS resource. To delete the required S3 bucket, run delete-bucket command (OSX/Linux/UNIX) using the name of the bucket that you want to delete as identifier (the command does not produce an output): 

aws s3api delete-bucket
	--region us-east-1
	--bucket cloud.conformity.media.files.

08 Repeat steps no. 1 – 7 to re-create other AWS S3 buckets with non–DNS compliant names, available within your AWS account.

References

Publication date Nov 13, 2017

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

DNS Compliant S3 Bucket Names

Risk level: Low