S3 Transfer Acceleration

Risk level: Medium (should be achieved)
Rule ID: S3-024

Ensure that your Amazon S3 buckets use the Transfer Acceleration feature to increase the speed (up to 500%) of data transfers in and out of Amazon S3 over the AWS edge network. S3 Transfer Acceleration enables fast, easy and secure file transfers over long distances between your S3 bucket and its clients by taking advantage of CloudFront's globally distributed edge locations. Once Transfer Acceleration is enabled, as soon as your S3 objects reach an edge location, the data is routed to Amazon S3 over an optimized network path.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

If your cloud applications need to transfer gigabytes to terabytes of data across or between continents, use large S3 objects, or just have a lot of users that upload data to a centralized bucket from all over the world, Amazon S3 Transfer Acceleration comes to the rescue. This feature also comes in handy when you are unable to use all of your available bandwidth over the Internet when uploading your data to S3.

Note: To enable Transfer Acceleration for your S3 buckets, the name of these buckets must be DNS-compliant and must not contain periods (i.e. ".").


Audit

To determine if your Amazon S3 buckets are configured to use Transfer Acceleration, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Transfer acceleration section, check the Transfer acceleration attribute value. If the attribute value is set to Disabled, the S3 Transfer Acceleration feature is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to determine the Transfer Acceleration feature status for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
  "cc-web-repository",
  "cc-project5-media",
  "cc-project5-logs"
]

03 Run get-bucket-accelerate-configuration command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the Transfer Acceleration feature configuration status available for the selected S3 bucket:

aws s3api get-bucket-accelerate-configuration \
	--bucket cc-web-repository \
	--query 'Status'

04 The command output should return the requested configuration status:

"Suspended"

If get-bucket-accelerate-configuration command output returns null (never enabled) or "Suspended", as shown in the output example above, the S3 Transfer Acceleration feature is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 to determine the Transfer Acceleration feature status for other Amazon S3 buckets available in your AWS cloud account.
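
The CLI audit steps above can be run in one pass over the whole account. The script below is an added example, not part of the original rule page or of Conformity; it assumes the AWS CLI is installed with credentials that can list buckets and read their accelerate configuration, and the verdict labels (ENABLED, NOT_ENABLED, INELIGIBLE_NAME, ERROR) and the file name in the last comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit every bucket in the account.

# Transfer Acceleration needs a DNS-compliant bucket name with no periods.
accel_eligible() {
  case "$1" in
    *.*) return 1 ;;            # periods rule the bucket out
    *[!a-z0-9-]*) return 1 ;;   # only lowercase letters, digits, hyphens
    -*|*-) return 1 ;;          # must start and end with a letter or digit
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ]
}

# With --output text the CLI prints "None" for a null Status (never enabled).
accel_verdict() {
  case "$1" in
    Enabled) echo ENABLED ;;
    Suspended|None|"") echo NOT_ENABLED ;;
    *) echo UNKNOWN ;;
  esac
}

# Print "<bucket> <verdict> [accelerated endpoint]" for one bucket.
audit_bucket() {
  if ! accel_eligible "$1"; then echo "$1 INELIGIBLE_NAME"; return 0; fi
  if ! status=$(aws s3api get-bucket-accelerate-configuration \
        --bucket "$1" --query 'Status' --output text 2>/dev/null); then
    echo "$1 ERROR"; return 0   # e.g. access denied; not counted as disabled
  fi
  verdict=$(accel_verdict "$status")
  if [ "$verdict" = ENABLED ]; then
    echo "$1 ENABLED $1.s3-accelerate.amazonaws.com"
  else
    echo "$1 $verdict"
  fi
}

# Audit steps 01-05 in one pass over the whole account.
audit_all() {
  aws s3api list-buckets --query 'Buckets[*].Name' --output text |
    tr '\t' '\n' |
    while IFS= read -r name; do
      if [ -n "$name" ]; then audit_bucket "$name"; fi
    done
}

# Run only when invoked as: sh audit-accel.sh run
if [ "${1:-}" = "run" ]; then audit_all; fi
```

Buckets reported as INELIGIBLE_NAME cannot be fixed by the remediation steps, because their names contain periods or are not DNS-compliant.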

Remediation / Resolution

To enable S3 Transfer Acceleration for your existing Amazon S3 buckets, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Transfer Acceleration",
  "Resources": {
    "CompliantS3Bucket": {
      "Properties": {
        "BucketName": "cc-web-repository",
        "AccelerateConfiguration" : {
          "AccelerationStatus" : "Enabled"
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Transfer Acceleration
Resources:
  CompliantS3Bucket:
    Properties:
      BucketName: cc-web-repository
      AccelerateConfiguration:
        AccelerationStatus: Enabled
    Type: AWS::S3::Bucket

Using Terraform

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "repository-bucket" {
  bucket = "cc-web-repository"
  acceleration_status = "Enabled"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Transfer acceleration section, choose Edit to modify the feature configuration.

06 On the Edit transfer acceleration page, perform the following operations:

  1. Choose Enable under Transfer acceleration to enable the Transfer Acceleration feature for the selected Amazon S3 bucket.
  2. Copy the new accelerated endpoint (i.e. <s3-bucket-name>.s3-accelerate.amazonaws.com) required for faster data transfers, available under Accelerated endpoint.
  3. Choose Save changes to apply the configuration changes.

07 Replace the existing S3 bucket endpoint with the endpoint domain name copied in the previous step within your S3 client configuration and/or application code to make use of the Amazon S3 Transfer Acceleration feature. Once the endpoint is configured, your S3 client/application connections will be routed to the optimal AWS edge location based on latency, for accelerated data transfer. Note that additional data transfer charges may apply.

08 Repeat steps no. 3 – 7 to enable the Transfer Acceleration feature for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run put-bucket-accelerate-configuration command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to enable the Transfer Acceleration feature for the specified S3 bucket. If the command request is successful, the acceleration-enabled bucket will receive an endpoint with the following format: <s3-bucket-name>.s3-accelerate.amazonaws.com (the command does not produce an output):

aws s3api put-bucket-accelerate-configuration \
	--bucket cc-web-repository \
	--accelerate-configuration Status=Enabled

02 Replace the existing S3 bucket endpoint/URL with the new endpoint (i.e. <s3-bucket-name>.s3-accelerate.amazonaws.com) in your S3 client configuration and/or application code to make use of the Amazon S3 Transfer Acceleration feature. Once the endpoint is configured, your S3 client/application TCP connections will be routed to the optimal AWS edge location based on latency, for accelerated data transfer. Additional data transfer charges may apply.

03 Repeat steps no. 1 and 2 to enable the Transfer Acceleration feature for other Amazon S3 buckets available in your AWS cloud account.

Publication date Feb 20, 2019
