S3 Buckets with Website Hosting Configuration Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: S3-019

Ensure that the Amazon S3 buckets configured for website hosting are regularly reviewed for security purposes. Upon enabling this rule in your Trend Cloud One™ – Conformity account, you must specify one or more Amazon S3 buckets that are expected to have website configuration enabled. Once the rule is active, the Conformity engine will scan your AWS cloud account and return review information for all S3 buckets.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To host websites with Amazon S3, you have to configure an S3 bucket for hosting. The website endpoint serves bucket objects to anonymous clients over plain HTTP, so any publicly readable object in a hosting-enabled bucket is reachable without authentication or TLS. By regularly reviewing your hosting-enabled S3 buckets, you make sure that only the buckets intended to serve web content are accessible from the website endpoint.


Audit

To review Amazon S3 buckets with website configuration enabled, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Static website hosting section, check the Static website hosting configuration attribute value. If the attribute value is set to Enabled, the selected Amazon S3 bucket is configured for website hosting. If the Static website hosting attribute value is set to Disabled, the Audit process ends here.

06 Sign in to your Trend Cloud One™ – Conformity account, access the S3 Buckets with Website Configuration Enabled rule settings and compare the name of the S3 bucket verified at the previous step against each bucket name listed within the rule configuration. If the selected bucket is not listed in the rule configuration section, the Amazon S3 bucket should be reviewed in order to decide whether or not to disable the website hosting feature.

07 Repeat steps no. 3 – 6 for each Amazon S3 bucket created within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
  "trendmicro",
  "trendmicro-media",
  "trendmicro-logs"
]

03 Run get-bucket-website command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the website configuration associated with the selected S3 bucket:

aws s3api get-bucket-website \
  --bucket trendmicro

04 The command output should return the requested configuration information:

  1. If get-bucket-website command output returns the NoSuchWebsiteConfiguration error message, as shown in the output example below, the selected Amazon S3 bucket is not configured for website hosting, therefore the Audit process ends here:
    An error occurred (NoSuchWebsiteConfiguration) when calling the GetBucketWebsite operation: The specified bucket does not have a website configuration
    
  2. If get-bucket-website command output returns the name of the Index document, as shown in the output example below, the selected Amazon S3 bucket is currently configured for website hosting:
    {
      "IndexDocument": {
        "Suffix": "index.html"
      }
    }
    

05 Sign in to your Trend Cloud One™ – Conformity account, access the S3 Buckets with Website Configuration Enabled rule settings and compare the name of the S3 bucket verified at the previous step against each bucket name listed within the rule configuration. If the selected bucket is not listed in the rule configuration section, the Amazon S3 bucket should be reviewed in order to decide whether or not to disable the website hosting feature.

06 Repeat steps no. 3 – 5 for each Amazon S3 bucket available in your AWS cloud account.
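The CLI audit above is a loop over every bucket: call get-bucket-website, interpret the NoSuchWebsiteConfiguration error as "not hosting" and a returned configuration as "hosting", then compare the hosting buckets against the list you registered in the rule settings. The script below automates that loop. It is an added example and is not part of this Conformity page or of any Trend Micro tooling. The bucket names, the expected-bucket set and the sample command outputs are constructed from the examples on this page; with --live it shells out to the real aws CLI, otherwise it runs against the embedded samples.

```python
"""Automate the S3-019 CLI audit: find website-hosting buckets not on the expected list."""
from __future__ import annotations

import json
import subprocess
import sys
from dataclasses import dataclass

# Error code the CLI prints when a bucket has no website configuration.
NO_WEBSITE_ERROR = "NoSuchWebsiteConfiguration"


@dataclass(frozen=True)
class CliResult:
    """Captured result of one `aws s3api get-bucket-website --bucket <name>` call."""
    returncode: int
    stdout: str
    stderr: str


def has_website_config(result: CliResult) -> bool:
    """Return True if the CLI result shows the bucket is configured for website hosting.

    A NoSuchWebsiteConfiguration error means hosting is disabled. Any other
    non-zero exit (AccessDenied, NoSuchBucket, ...) is raised rather than
    silently treated as "not hosting", so an audit gap is never hidden.
    """
    if result.returncode != 0:
        if NO_WEBSITE_ERROR in result.stderr:
            return False
        raise RuntimeError(f"get-bucket-website failed: {result.stderr.strip()}")
    config = json.loads(result.stdout)
    # A hosting bucket either serves an index document or redirects every request.
    return "IndexDocument" in config or "RedirectAllRequestsTo" in config


def audit_website_buckets(results: dict[str, CliResult], expected: set[str]) -> dict[str, list[str]]:
    """Compare hosting-enabled buckets with the expected set (step 05 of the CLI audit)."""
    hosting = sorted(name for name, res in results.items() if has_website_config(res))
    return {
        "hosting": hosting,
        # Buckets that must be reviewed and probably have hosting disabled.
        "unexpected": [name for name in hosting if name not in expected],
        # Registered in the rule but not actually hosting; likely stale rule config.
        "expected_but_not_hosting": sorted(expected - set(hosting)),
    }


def list_bucket_names() -> list[str]:
    """Live step 01: list all bucket names via the aws CLI."""
    proc = subprocess.run(
        ["aws", "s3api", "list-buckets", "--query", "Buckets[*].Name", "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def run_get_bucket_website(bucket: str) -> CliResult:
    """Live step 03: describe the website configuration of one bucket."""
    proc = subprocess.run(
        ["aws", "s3api", "get-bucket-website", "--bucket", bucket],
        capture_output=True, text=True,
    )
    return CliResult(proc.returncode, proc.stdout, proc.stderr)


# Constructed sample results reproducing the two CLI outcomes shown on this page.
# The non-zero exit code is illustrative; the real value differs between CLI v1 and v2.
SAMPLE_RESULTS: dict[str, CliResult] = {
    "trendmicro": CliResult(0, '{"IndexDocument": {"Suffix": "index.html"}}\n', ""),
    "trendmicro-media": CliResult(
        254, "",
        "An error occurred (NoSuchWebsiteConfiguration) when calling the GetBucketWebsite "
        "operation: The specified bucket does not have a website configuration\n",
    ),
    "trendmicro-logs": CliResult(0, '{"RedirectAllRequestsTo": {"HostName": "www.example.com"}}\n', ""),
}

# Constructed: the buckets registered in the rule settings as allowed to host a website.
EXPECTED_WEBSITE_BUCKETS: set[str] = {"trendmicro"}


if __name__ == "__main__":
    if "--live" in sys.argv:
        results = {name: run_get_bucket_website(name) for name in list_bucket_names()}
    else:
        results = SAMPLE_RESULTS
    print(json.dumps(audit_website_buckets(results, EXPECTED_WEBSITE_BUCKETS), indent=2))
```

Run it without arguments to see the report for the embedded samples (trendmicro-logs comes out as unexpected because it redirects all requests yet is not registered in the rule); run it with --live, using the same AWS profile as the manual steps, to audit a real account. Any error other than NoSuchWebsiteConfiguration aborts the run on purpose: a bucket you could not inspect is not a bucket you have audited.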

Remediation / Resolution

When you disable website hosting, Amazon S3 removes the website configuration from your S3 buckets so that these buckets are no longer accessible from the website endpoint. To disable website hosting for your Amazon S3 buckets, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "(Re)Create S3 Bucket Without Website Configuration",
  "Resources": {
    "S3Bucket": {
      "Properties": {
        "BucketName": "trendmicro",
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: "(Re)Create S3 Bucket Without Website Configuration"
Resources:
  S3Bucket:
    Properties:
      BucketName: trendmicro
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
    Type: AWS::S3::Bucket

Using Terraform

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "s3-data-bucket" {
  bucket = "trendmicro"
  acl = "private"
  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "private-s3-bucket" {
  bucket = "trendmicro"
  block_public_acls = true
  ignore_public_acls = true
  block_public_policy = true
  restrict_public_buckets = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right S3 resource).

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Static website hosting section, choose Edit to modify the feature configuration.

06 On the Edit static website hosting configuration page, select Disable under Static website hosting to disable the feature for the selected Amazon S3 bucket. Choose Save changes to apply the changes. Once the website hosting is disabled, the content of the selected Amazon S3 bucket is no longer accessible from the website endpoint.

07 Repeat steps no. 3 – 6 to disable website hosting for other Amazon S3 buckets created within your AWS cloud account.

Using AWS CLI

01 Run delete-bucket-website command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right S3 resource), to remove the website configuration from the selected S3 bucket (if successful, the command should not return an output):

aws s3api delete-bucket-website \
  --bucket trendmicro

02 Repeat step no. 1 to disable website hosting for other Amazon S3 buckets available in your AWS cloud account.

Publication date Nov 1, 2017