
DNS Compliant S3 Bucket Names


Risk Level: Low (generally tolerable level of risk)
Rule ID: S3-018

Ensure that your Amazon S3 buckets are using DNS-compliant bucket names in order to adhere to AWS cloud best practices and to benefit from operational improvements, support for virtual host-style access to buckets, and new Amazon S3 features such as S3 Transfer Acceleration. For this conformity rule, a DNS-compliant name is a bucket name that doesn't contain periods (i.e. "."). The following examples are invalid S3 bucket names: ".myS3bucket", "myS3bucket." and "my..S3bucket". To enable S3 Transfer Acceleration on a bucket or use a virtual hosted–style bucket with SSL, the bucket name must conform to DNS naming requirements and must not contain periods. Trend Cloud One™ – Conformity recommends that you use "-" instead of "." for your S3 bucket names to comply with DNS naming conventions.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

If you need to access your Amazon S3 buckets over SSL using virtual hosted–style URLs, periods (".") in their names will trigger certificate mismatch errors: the S3 endpoint certificate covers a single wildcard label, and every period in the bucket name adds another label to the hostname. It is therefore strongly recommended that you always use "-" instead of "." for S3 bucket names.
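The mismatch above follows from how certificate wildcards are matched. The added example below (not from the Conformity page) implements the RFC 6125 rule that a wildcard stands in for exactly one DNS label and applies it to virtual hosted–style S3 hostnames. It assumes the S3 endpoint presents a certificate for the single-wildcard name *.s3.amazonaws.com; the helper names are this example's own.

```python
"""Why a period in an S3 bucket name breaks TLS for virtual hosted-style access.

Added example, not Conformity's own code. Assumption: the S3 endpoint certificate
carries the wildcard name *.s3.amazonaws.com, and hostname matching follows the
RFC 6125 rule that '*' covers exactly one leftmost DNS label.
"""

# Assumed wildcard subject alternative name on the S3 endpoint certificate.
S3_WILDCARD = "*.s3.amazonaws.com"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a leading '*' matches one non-empty label only."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        return h_labels[0] != "" and rest == h_labels[1:]
    return p_labels == h_labels


def virtual_host(bucket: str) -> str:
    """Virtual hosted-style hostname: the bucket name becomes the leftmost label(s)."""
    return f"{bucket}.s3.amazonaws.com"


def tls_hostname_ok(bucket: str) -> bool:
    """True when the bucket's virtual hosted-style name is covered by the wildcard cert."""
    return wildcard_matches(S3_WILDCARD, virtual_host(bucket))


if __name__ == "__main__":
    # Constructed bucket names, taken from the naming patterns discussed on the page.
    for name in ("trend-micro-media-files", "trend-micro.data-reports"):
        state = "matches" if tls_hostname_ok(name) else "MISMATCH"
        print(f"{virtual_host(name)}: {state} {S3_WILDCARD}")
```

A hyphenated name such as trend-micro-media-files yields a four-label hostname that the four-label wildcard pattern covers; trend-micro.data-reports yields five labels, so the browser or SDK reports a hostname mismatch even though the certificate itself is valid.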


Audit

To use virtual hosted–style buckets with SSL or to enable the S3 Transfer Acceleration feature, the names of these buckets cannot contain periods ("."). To identify any Amazon S3 bucket that has periods within the bucket name, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose the S3 bucket that you want to examine and check the bucket name, available in the Name column. If the bucket name contains periods ("."), the name of the selected Amazon S3 bucket does not comply with the existing DNS naming conventions.

04 Repeat step no. 3 to check other Amazon S3 buckets available in your AWS account for non-DNS compliant bucket names.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all the Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return the requested S3 bucket names:

[
    "trend.micro.media.files.",
    "trend-micro.data-reports",
    "trend-micro-origin-s3-bucket"
]

03 Check the name of each Amazon S3 bucket returned by the list-buckets command output for periods (i.e. "."). For compliance, the S3 bucket name cannot start or end with a period, and can't have two or more consecutive periods between labels. If a bucket name returned by the list-buckets command output contains periods (e.g. "trend.micro.media.files."), the name of the verified Amazon S3 bucket does not comply with the existing DNS naming conventions.
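The manual check in step 03 can be scripted. The following added example (not Conformity's own checker) takes the JSON that list-buckets prints with the query filter above, flags every name containing a period as failing this rule, and additionally reports names that break AWS's general bucket naming rules so a malformed name is not mistaken for a pass. The sample input is constructed from the output shown in step 02; the live fetch via boto3 is this example's own addition and is only invoked when you call it.

```python
"""Audit S3 bucket names for the Conformity S3-018 rule.

Added example, not part of the Conformity page. The sample JSON below is a
constructed copy of the `aws s3api list-buckets --query 'Buckets[*].Name'`
output shown on the page.
"""
import json
import re
from typing import Dict, List

# Constructed: mimics the list-buckets query output from the page.
SAMPLE_LIST_BUCKETS_OUTPUT = json.dumps([
    "trend.micro.media.files.",
    "trend-micro.data-reports",
    "trend-micro-origin-s3-bucket",
])

# AWS general bucket naming rules: 3-63 characters, lowercase letters, digits,
# periods and hyphens, starting and ending with a letter or digit. AWS permits
# periods, but this rule (S3-018) does not, so both checks are reported.
_GENERAL_RULE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_LIKE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_bucket_name(name: str) -> List[str]:
    """Return findings for one bucket name; an empty list means it passes S3-018."""
    findings = []
    if "." in name:
        findings.append("contains a period: not DNS compliant for virtual "
                        "hosted-style SSL or S3 Transfer Acceleration")
    if not _GENERAL_RULE.match(name):
        findings.append("violates AWS general bucket naming rules")
    if _IPV4_LIKE.match(name):
        findings.append("formatted like an IP address")
    return findings


def audit(list_buckets_json: str) -> Dict[str, List[str]]:
    """Map each non-compliant bucket name to its findings; compliant names are omitted."""
    report = {}
    for name in json.loads(list_buckets_json):
        findings = check_bucket_name(name)
        if findings:
            report[name] = findings
    return report


def fetch_bucket_names(session=None) -> List[str]:
    """Live equivalent of the page's list-buckets call (assumes boto3 and AWS credentials).

    The import is local so the offline parts of this module do not need boto3.
    """
    import boto3
    client = (session or boto3.Session()).client("s3")
    return [bucket["Name"] for bucket in client.list_buckets()["Buckets"]]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # json.dumps(fetch_bucket_names()) to audit a real account.
    for bucket, problems in audit(SAMPLE_LIST_BUCKETS_OUTPUT).items():
        print(f"{bucket}: " + "; ".join(problems))
```

Run against the sample, the audit reports the first two names and stays silent about trend-micro-origin-s3-bucket, matching the conclusion of step 03.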

Remediation / Resolution

Since you can't change (rename) S3 bucket names once you have created them, you must create new S3 buckets and copy everything to the new ones. To re-create the Amazon S3 buckets with non–DNS compliant bucket names, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create DNS Compliant Bucket",
  "Resources": {
    "CompliantS3Bucket": {
      "Properties": {
        "BucketName": "trend-micro-media-files",
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "IgnorePublicAcls": true,
          "BlockPublicPolicy": true,
          "RestrictPublicBuckets": true
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create DNS Compliant Bucket
Resources:
  CompliantS3Bucket:
    Properties:
      BucketName: trend-micro-media-files
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
    Type: AWS::S3::Bucket

Using Terraform

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "dns-compliant-bucket" {
  bucket = "trend-micro-media-files"
  acl = "private"
}

resource "aws_s3_bucket_public_access_block" "dns-compliant-bucket" {
  # Reference the bucket resource instead of repeating the literal name, so
  # Terraform creates the bucket first and the two blocks cannot drift apart.
  bucket = aws_s3_bucket.dns-compliant-bucket.id
  block_public_acls = true
  ignore_public_acls = true
  block_public_policy = true
  restrict_public_buckets = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following actions:

  1. For General configuration:
    • Provide a unique, DNS-compliant bucket name that doesn't contain periods in the Bucket name box.
    • From the AWS Region dropdown list, select the AWS cloud region where the new S3 bucket will be created (must match the source bucket region).
    • Choose bucket under Copy settings from existing bucket, select the source (non-compliant) S3 bucket, and Choose bucket.
  2. For Block Public Access settings for bucket, select Block all public access to ensure that all public access to this bucket and its objects is blocked. For more details about this feature, see this conformity rule.
  3. For Bucket Versioning, choose whether to enable bucket versioning for the bucket.
  4. (Optional) For Tags, use the Add tag button to create and apply user-defined tags to the S3 bucket. You can track storage cost and other criteria by tagging your bucket.
  5. For Default encryption, select Enable under Server-side encryption, and choose one of the following encryption key types, based on your requirements:
    • Select Amazon S3 key (SSE-S3) to encrypt your S3 objects automatically at upload using an encryption key that Amazon S3 creates, manages, and uses for you (i.e. S3-Managed Key – SSE-S3).
    • Select AWS Key Management Service key (SSE-KMS) to encrypt your S3 objects using an encryption key protected by AWS Key Management Service (SSE-KMS). If you choose this option, you must select a KMS-managed key from the AWS KMS key section. This AWS KMS encryption key can be an AWS-managed key (aws/s3) or a customer-managed Customer Master Key (CMK). Select Enable under Bucket Key to configure the new S3 bucket to use an Amazon S3 bucket key for Server-Side Encryption with Amazon KMS-Managed Keys (SSE-KMS).
  6. For Advanced settings, choose whether or not to enable the Object Lock feature. Enabling Object Lock automatically enables Bucket Versioning.
  7. Choose Create bucket to create your new DNS-compliant Amazon S3 bucket.

05 Now you can copy everything from the source (non-compliant) bucket to the newly created S3 bucket.

06 (Optional) Once all your objects are copied from the source bucket to the DNS-compliant S3 bucket, you can remove the source bucket in order to stop incurring charges for it. To delete the required S3 bucket, perform the following operations:

  1. Select the non-compliant bucket that you want to remove.
  2. Choose Delete from the Amazon S3 console top menu.
  3. Inside Delete bucket <bucket-name> confirmation box, enter the name of the selected bucket, and choose Delete bucket to remove the S3 bucket from your AWS account.

07 Repeat steps no. 3 – 6 to re-create other non–DNS compliant Amazon S3 buckets, available in your AWS cloud account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the DNS-compliant Amazon S3 bucket:

aws s3api create-bucket \
  --region us-east-1 \
  --bucket trend-micro-media-files \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/trend-micro-media-files"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket trend-micro-media-files \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 You can now copy your data from the source (non-compliant) bucket to the newly created S3 bucket.

05 (Optional) Once all your objects are copied from the source bucket to the DNS-compliant S3 bucket, you can remove the source bucket in order to stop incurring AWS cloud charges. To delete the source bucket, run delete-bucket command (OSX/Linux/UNIX) using the name of the bucket that you want to delete as the identifier parameter (the command should not produce an output):

aws s3api delete-bucket \
  --region us-east-1 \
  --bucket trend.micro.media.files.

06 Repeat steps no. 1 – 5 to re-create other non–DNS compliant Amazon S3 buckets, available within your AWS cloud account.

Publication date Nov 13, 2017