Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable S3 Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors. S3 Protection enables GuardDuty to monitor object-level API operations in order to identify potential security risks for data stored within your S3 buckets.

This rule can help you work with the AWS Well-Architected Framework.

Security

The S3 Protection feature refers to whether S3 data events are enabled as a data source for GuardDuty. S3 data event monitoring is a configurable data source in Amazon GuardDuty. When S3 data event monitoring is enabled, GuardDuty immediately begins to analyze S3 data events from all your S3 buckets and monitor them for malicious and suspicious activity. When GuardDuty detects a threat based on S3 data event monitoring, it generates a security finding. If the S3 Protection feature is disabled, Amazon GuardDuty is unable to fully monitor your S3 resources and generate security findings for suspicious access to your S3 data.


Audit

To determine if S3 Protection is enabled for your Amazon GuardDuty detectors, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose S3 Protection to access the S3 Protection feature settings available for Amazon GuardDuty in the current AWS region.

04 In the S3 Protection section, check the Status attribute value. If Status is set to S3 Protection is not enabled, the S3 Protection security feature is not enabled for Amazon GuardDuty within the current AWS cloud region.

05 Change the AWS region from the console navigation bar and repeat steps no. 3 and 4 to verify the Amazon GuardDuty S3 Protection status for other AWS cloud regions.

Using AWS CLI

01 Run list-detectors command (OSX/Linux/UNIX) with custom output filters to list the ID of each Amazon GuardDuty detector available in the selected AWS region (in this case, US East – N. Virginia region):

aws guardduty list-detectors
  --region us-east-1
  --query 'DetectorIds'

02 The command output should return an array with the requested GuardDuty detector ID(s):

[
	"abcd1234abcd1234abcd1234abcd1234",
	"1234abcd1234abcd1234abcd1234abcd"
]

03 Run get-detector command (OSX/Linux/UNIX) with the ID of the Amazon GuardDuty detector that you want to examine as the identifier parameter and custom output filters to describe the configuration status of the S3 Protection feature in the selected AWS region:

aws guardduty get-detector
  --region us-east-1
  --detector-id "abcd1234abcd1234abcd1234abcd1234"
  --query 'DataSources.S3Logs.Status'

04 The command output should return the requested configuration status:

"DISABLED"

If the get-detector command output returns "DISABLED", as shown in the example above, the S3 Protection security feature is not enabled for Amazon GuardDuty in the selected AWS cloud region.

05 Repeat steps no. 3 and 4 for other Amazon GuardDuty detectors deployed in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to check the Amazon GuardDuty S3 Protection status for other AWS cloud regions.

Remediation / Resolution

To enable the S3 Protection security feature for Amazon GuardDuty, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to GuardDuty console available at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Protection plans, choose S3 Protection to access the S3 Protection feature settings available for Amazon GuardDuty in the current AWS region.

04 In the S3 Protection section, choose Enable under Status. In the confirmation box, choose Confirm to enable the S3 Protection feature for the Amazon GuardDuty detectors deployed within the current AWS region.

05 Change the AWS cloud region from the console navigation bar and repeat steps no. 3 and 4 to activate the Amazon GuardDuty S3 Protection feature for other AWS regions.

Using AWS CLI

01 Run update-detector command (OSX/Linux/UNIX) with the ID of the regional Amazon GuardDuty detector that you want to configure as the identifier parameter, to enable the S3 Protection security feature for Amazon GuardDuty in the selected AWS region, by configuring S3 data event logs as a data source (the command does not produce an output):

aws guardduty update-detector
  --region us-east-1
  --detector-id "abcd1234abcd1234abcd1234abcd1234"
  --data-sources '{"S3Logs":{"Enable":true}}'

02 Repeat step no. 1 for other Amazon GuardDuty detectors deployed in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to activate the Amazon GuardDuty S3 Protection feature for other AWS regions.

References

Publication date Oct 4, 2024