About this program
Quick check of public-access, encryption, logging and lifecycle on your S3 estate. Built around the CIS AWS benchmark for S3.
Risks addressed
- Critical: Publicly readable bucket exposes sensitive data
- High: Unencrypted data at rest
- High: Accidental object deletion with no versioning
- High: Excessive cross-account access
Controls (7)
- Block Public Access enabled account-wide (Critical)
  How to test + evidence
  Testing procedure: Run aws s3control get-public-access-block — all 4 settings true.
  Evidence to collect: CLI output.
- Default encryption set on all buckets (High)
  How to test + evidence
  Testing procedure: Run s3api get-bucket-encryption per bucket; SSE-S3 or SSE-KMS expected.
  Evidence to collect: CLI output / Config rule.
- Versioning enabled for buckets holding important data (Medium)
  How to test + evidence
  Testing procedure: For Tier-1 buckets, verify Versioning=Enabled.
  Evidence to collect: CLI output.
- Server access logging enabled (Medium)
  How to test + evidence
  Testing procedure: Confirm access logs are written to a centralised logging bucket.
  Evidence to collect: CLI output + log destination.
- MFA Delete enabled for critical buckets (High)
  How to test + evidence
  Testing procedure: Verify MFA Delete on production data buckets.
  Evidence to collect: CLI output.
- Lifecycle policies in place (Low)
  How to test + evidence
  Testing procedure: Buckets have lifecycle rules to expire / transition old objects.
  Evidence to collect: CLI output of get-bucket-lifecycle.
- Cross-account access reviewed (High)
  How to test + evidence
  Testing procedure: Review bucket policies for wildcards / cross-account principals. Confirm justification.
  Evidence to collect: Bucket policies export.
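The seven testing procedures above all reduce to reading CLI JSON and applying a pass/fail rule to it. The script below is an added example (it is not part of this program and not AWS's code) that evaluates captured output for each control: it assumes the JSON shapes returned by `aws s3control get-public-access-block`, `aws s3api get-bucket-encryption`, `get-bucket-versioning`, `get-bucket-logging`, `get-bucket-lifecycle-configuration` (the current name of the `get-bucket-lifecycle` command cited above) and `get-bucket-policy`, and an absent configuration (which the CLI reports as an error) is represented as an empty object. The account id, bucket names, key ARN and policy documents are constructed sample values, and the "tier1" flag is an assumed tag used to scope the versioning and MFA Delete controls to important buckets.

```python
"""Evaluate captured AWS CLI JSON against the seven S3 controls (added example)."""
import json

# Constructed sample evidence; shaped like the AWS CLI's JSON output, not real account data.
OWN_ACCOUNT = "111122223333"          # assumed account id of the estate being reviewed
CENTRAL_LOG_BUCKET = "central-logs"   # assumed centralised logging bucket

ACCOUNT_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,       # one setting off: the control must fail
    "RestrictPublicBuckets": True}}

BUCKETS = {
    "prod-data": {  # Tier-1 bucket, well configured except for an unjustified cross-account grant
        "tier1": True,
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
        "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "logging": {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "prod-data/"}},
        "lifecycle": {"Rules": [{"ID": "expire-old", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 365}}]},
        "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PartnerRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-data/*"},
            {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
    },
    "scratch": {  # non-Tier-1 bucket with nothing configured and a public-read policy
        "tier1": False, "encryption": {}, "versioning": {}, "logging": {}, "lifecycle": {},
        "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": {
            "Sid": "Public", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::scratch/*"}})},
    },
}


def check_public_access_block(pab):
    """Control 1: all four account-level Block Public Access settings must be true."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def check_default_encryption(enc):
    """Control 2: a default-encryption rule exists and uses SSE-S3 (AES256) or SSE-KMS (aws:kms)."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    return bool(algos) and algos <= {"AES256", "aws:kms"}


def check_versioning(ver):
    """Control 3: Versioning=Enabled (a never-configured bucket returns an empty object)."""
    return ver.get("Status") == "Enabled"


def check_access_logging(log, central_bucket):
    """Control 4: server access logs go to the centralised logging bucket, not just anywhere."""
    return log.get("LoggingEnabled", {}).get("TargetBucket") == central_bucket


def check_mfa_delete(ver):
    """Control 5: MFA Delete can only be on when versioning is on, so check both."""
    return ver.get("Status") == "Enabled" and ver.get("MFADelete") == "Enabled"


def check_lifecycle(lc):
    """Control 6: at least one enabled rule that expires or transitions objects."""
    return any(r.get("Status") == "Enabled" and ("Expiration" in r or "Transitions" in r)
               for r in lc.get("Rules", []))


def _principal_arns(principal):
    """Flatten the Principal element to a list of AWS principal strings ('*' for a wildcard)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []  # Service / Federated principals are out of scope for this control


def _account_of(principal):
    """Account id of an ARN (field 5) or of a bare 12-digit account principal; None if unknown."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else None


def review_bucket_policy(policy_out, own_account):
    """Control 7: list Allow statements with a wildcard or foreign-account principal.

    Returns (Sid, reason) pairs; each one needs a documented justification.
    """
    if not policy_out:
        return []
    statements = json.loads(policy_out["Policy"]).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        for p in _principal_arns(st.get("Principal", {})):
            if p == "*":
                findings.append((sid, "wildcard principal"))
            elif _account_of(p) not in (None, own_account):
                findings.append((sid, f"cross-account principal {p}"))
    return findings


def assess_estate(account_pab, buckets, own_account, central_log_bucket):
    """Map each control to its result; per-bucket controls give {bucket: passed}."""
    report = {"block_public_access": check_public_access_block(account_pab)}
    per_bucket = {
        "default_encryption": lambda b: check_default_encryption(b["encryption"]),
        "versioning": lambda b: (not b["tier1"]) or check_versioning(b["versioning"]),
        "access_logging": lambda b: check_access_logging(b["logging"], central_log_bucket),
        "mfa_delete": lambda b: (not b["tier1"]) or check_mfa_delete(b["versioning"]),
        "lifecycle": lambda b: check_lifecycle(b["lifecycle"]),
        "cross_account_reviewed": lambda b: not review_bucket_policy(b["policy"], own_account),
    }
    for control, fn in per_bucket.items():
        report[control] = {name: fn(b) for name, b in buckets.items()}
    return report


if __name__ == "__main__":
    print(json.dumps(assess_estate(ACCOUNT_PAB, BUCKETS, OWN_ACCOUNT, CENTRAL_LOG_BUCKET), indent=2))
```

On the constructed data the account-wide Block Public Access check fails because one of the four flags is off, the scratch bucket fails encryption, logging and lifecycle, and both policies surface a finding (a foreign-account root principal on prod-data, a wildcard on scratch); the Deny statement with `Principal: "*"` is correctly ignored because only Allow grants need justification. To use it on real evidence, replace the constructed dictionaries with the parsed output of the commands named in the testing procedures.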