Use the Conformity Knowledge Base AI to help improve your Cloud Posture

S3 Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: S3-022

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes performed at the Amazon S3 service and resources level, within your AWS account.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

Amazon S3 or Amazon Simple Storage Service is a global Infrastructure as a Service (IaaS) solution designed to store and retrieve any amount of data (objects) from anywhere on the Internet. S3 is a simple storage service that offers an extremely durable (99.999999999% durability), highly available (99.99% availability) and infinitely scalable data storage infrastructure at very low costs. AWS S3 provides a simple and intuitive web service interface and a powerful API that you can use to upload and download any type and amount of data that you want, read the same piece of data a million times, build simple FTP applications, use it to host static websites or relocate important data during emergency disaster recovery. Amazon S3 helps developers to focus on innovation instead of figuring out where and how to store their data.


Cloud Conformity RTMA can detect essentially any S3 configuration changes made within your AWS account such as creating and deleting buckets, making S3 buckets publicly accessible using Access Control Lists (ACLs), updating bucket policies to configure permissions for all objects within a bucket and updating S3 lifecycle policies. More precisely, the activity detected by this RTMA rule could be any IAM or root account user request initiated through AWS Management Console or any AWS API request initiated programmatically using AWS CLI or SDKs, that runs the following Amazon S3 actions:

"CreateBucket" - Creates a new S3 bucket.

"DeleteBucket" - Deletes the S3 bucket named within the URI.

"DeleteBucketCORS" - Deletes the cors configuration information set for the bucket.

"DeleteBucketLifecycle" - Deletes the lifecycle configuration from the specified bucket.

"DeleteBucketPolicy" - Deletes the permission policy on a specified bucket.

"DeleteBucketWebsite" - Removes the website configuration for an S3 bucket.

"DeleteBucketReplication" - Deletes the replication configuration from the bucket.

"DeleteBucketTagging" - Deletes the tags from the bucket.

"PutAccountPublicAccessBlock" - Creates or modifies the PublicAccessBlock configuration for an AWS account.    

"PutAccelerateConfiguration" - Sets the Transfer Acceleration state of an existing S3 bucket.  

"PutAnalyticsConfiguration" - Adds an analytics configuration (identified by the analytics ID) to the specified bucket.

"PutBucketAcl" - Sets the permissions on an existing S3 bucket using Access Control Lists (ACLs).

"PutBucketAccelerateConfiguration" - Sets the accelerate configuration of an existing bucket.

"PutBucketEncryption" - This implementation of the PUT operation uses the encryption subresource to set the default encryption state of an existing bucket.

"PutBucketLifecycle" - Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.

"PutBucketLifecycleConfiguration" - Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.

"PutBucketNotificationConfiguration" - Enables notifications of specified events for a bucket.

"PutBucketReplication" - Creates a replication configuration or replaces an existing one.

"PutBucketCORS" - Sets the Cross-Origin Resource Sharing (CORS) configuration for a specified bucket.    

"PutBucketLogging" - Sets the logging parameters for an S3 bucket.    

"PutBucketNotification" - Enables you to receive notifications when certain events happen within your bucket.

"PutBucketPolicy" - Adds to or replaces a permission policy on an S3 bucket.

"PutBucketPublicAccessBlock" - Creates or modifies the PublicAccessBlock configuration for a specific S3 bucket.

"PutBucketRequestPayment" - Sets the request payment configuration of an S3 bucket.  

"PutBucketTagging" - Adds a set of tags to an existing bucket.    

"PutBucketVersioning" - Sets the versioning state of an existing bucket.

"PutBucketWebsite" - Sets the configuration of the website that is specified within the website subresource.

"PutEncryptionConfiguration" - Sets the encryption configuration for a bucket.   

"PutInventoryConfiguration" - Adds an inventory configuration (identified by the inventory ID) to a specified S3 bucket.

"PutLifecycleConfiguration" - Creates a new lifecycle configuration for an S3 bucket or replaces an existing lifecycle configuration.  

"PutMetricsConfiguration" - Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an S3 bucket.

"PutReplicationConfiguration" - Creates a new replication configuration (or replaces an existing one) for a versioning-enabled S3 bucket.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you prevent as much as possible to allow your non-privileged IAM users the permission to change the S3 service and resources configuration within your Amazon Web Services account.

The communication channels required for sending RTMA notifications for this rule, can be configured in your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for Amazon S3 are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.

Remediation / Resolution

Regardless of whether you use Amazon S3 service for storing simple log data or for mission-critical applications, monitoring S3 configuration changes in real-time is extremely important for keeping your data secure. As a security best practice, you need to be aware of any configuration change made at the S3 level at any point in time. Using Cloud Conformity RTMA to monitor S3 configuration changes can help you prevent any accidental or intentional modifications that may lead to data leakage and/or and data loss, therefore detecting Amazon S3 configuration changes is essential for keeping your cloud data secure.

References

Publication date Dec 16, 2018