Best practice rules for Amazon S3
AWS Simple Storage Service (S3) is a storage device for the Internet. It has a web service that makes storage and retrieval simple at any time, from anywhere on the web, regardless of the amount of data. S3 is designed to make web-scale computing simple for developers by providing highly scalable, fast, reliable and inexpensive data storage infrastructure.
Trend Micro Cloud One™ – Conformity monitors Amazon S3 with the following rules:
- Amazon Macie Finding Statistics for S3
Capture summary statistics about Amazon Macie security findings on a per-S3 bucket basis.
- DNS Compliant S3 Bucket Names
Ensure that your AWS S3 buckets are using DNS-compliant bucket names.
- Enable Amazon S3 Bucket Keys
Ensure that Amazon S3 buckets are using S3 bucket keys to optimize service costs.
- Enable S3 Block Public Access for AWS Accounts
Ensure that Amazon S3 public access is blocked at the AWS account level for data protection.
- Enable S3 Block Public Access for S3 Buckets
Ensure that Amazon S3 public access is blocked at the S3 bucket level for data protection.
- S3 Bucket Authenticated Users 'FULL_CONTROL' Access
Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.
- S3 Bucket Authenticated Users 'READ' Access
Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs.
- S3 Bucket Authenticated Users 'READ_ACP' Access
Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.
- S3 Bucket Authenticated Users 'WRITE' Access
Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.
- S3 Bucket Authenticated Users 'WRITE_ACP' Access
Ensure S3 buckets do not allow WRITE_ACP access to AWS authenticated users using S3 ACLs.
- S3 Bucket Default Encryption
Ensure Amazon S3 buckets have Default Encryption feature enabled.
- S3 Bucket Logging Enabled
Ensure AWS S3 buckets have server access logging enabled to track access requests.
- S3 Bucket MFA Delete Enabled
Ensure AWS S3 buckets have the MFA Delete feature enabled.
- S3 Bucket Public 'FULL_CONTROL' Access
Ensure that your Amazon S3 buckets are not publicly exposed to the Internet.
- S3 Bucket Public 'READ' Access
Ensure that S3 buckets do not allow public READ access via Access Control Lists (ACLs).
- S3 Bucket Public 'READ_ACP' Access
Ensure that S3 buckets do not allow public READ_ACP access via Access Control Lists (ACLs).
- S3 Bucket Public 'WRITE' Access
Ensure that S3 buckets do not allow public WRITE access via Access Control Lists (ACLs).
- S3 Bucket Public 'WRITE_ACP' Access
Ensure that S3 buckets do not allow public WRITE_ACP access via Access Control Lists (ACLs).
- S3 Bucket Public Access Via Policy
Ensure AWS S3 buckets do not allow public access via bucket policies.
- S3 Bucket Versioning Enabled
Ensure AWS S3 object versioning is enabled for an additional level of data protection.
- S3 Buckets Encrypted with Customer-Provided CMKs
Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs.
- S3 Buckets Lifecycle Configuration
Ensure Amazon S3 buckets have lifecycle configuration enabled for security and cost optimization purposes.
- S3 Buckets with Website Configuration Enabled
Ensure S3 buckets with website configuration enabled are regularly reviewed (informational).
- S3 Configuration Changes
AWS S3 configuration changes have been detected within your Amazon Web Services account.
- S3 Cross Account Access
Ensure Amazon S3 buckets do not allow unknown cross account access via bucket policies.
- S3 Object Lock
Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance.
- S3 Transfer Acceleration
Ensure that Amazon S3 buckets use Transfer Acceleration feature for faster data transfers.
- Secure Transport
Ensure AWS S3 buckets enforce SSL to secure data in transit
- Server Side Encryption
Ensure AWS S3 buckets enforce Server-Side Encryption (SSE)