AWS S3 Audit

Your number of S3 buckets can grow pretty fast, and so can your pain points.

What we check

S3 Buckets Should Have Access Logging Enabled

S3 server access logging should be enabled so that every request made to the bucket is recorded for security audits and incident investigation. It is off by default. Logs are delivered to a separate target bucket in the same region; do not point a bucket at itself as its own log target, since each log delivery would then generate further log entries.

S3 Block Public Access Feature Should Be Enabled

Amazon S3 Block Public Access should be enabled (all four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) at the account level and on each bucket. It overrides any ACL or bucket policy that would otherwise make objects public, including objects you upload in the future.

S3 Buckets Should Have Default Encryption Enabled

S3 buckets should have default encryption enabled, or a bucket policy that rejects unencrypted uploads. Default encryption is a bucket-level rule that S3 applies to every object written without an explicit encryption header, so you no longer depend on each client setting encryption per object. Server-side encryption protects data at rest on AWS storage media; it does not stop a principal who holds s3:GetObject permission from reading objects, so it complements access control rather than replacing it. Since January 2023 S3 applies SSE-S3 to every new object by default, so this check now mostly matters for requiring a specific algorithm such as SSE-KMS.

S3 Buckets Should Have Versioning Enabled

Your S3 buckets should have versioning enabled so that overwritten and deleted objects are preserved and can be recovered, as an extra layer of data protection and retention. On a versioned bucket a plain delete only adds a delete marker; the previous versions remain until they are explicitly removed.

S3 Buckets Should Have A Secure Transport Policy

HTTPS (TLS) protects S3 traffic from eavesdropping and tampering by a person-in-the-middle. S3 accepts both HTTP and HTTPS, so enforce TLS with a bucket policy that denies every s3 action when the aws:SecureTransport condition key is false.

S3 Buckets Should Not Allow Public Writes

S3 buckets should not grant WRITE to the AllUsers group (http://acs.amazonaws.com/groups/global/AllUsers) through their ACL. Public WRITE lets anyone on the Internet create, overwrite and delete objects in the bucket.

S3 Bucket Should Not Allow WRITE Access to Authenticated Users

S3 buckets should not grant WRITE to the AuthenticatedUsers group (http://acs.amazonaws.com/groups/global/AuthenticatedUsers) through their ACL. Despite the name, this group means any principal of any AWS account, not only yours, so a grant to it is effectively public.

S3 Bucket Names Should Be DNS-compliant

S3 buckets should use DNS-compliant names (3 to 63 characters; lowercase letters, digits, dots and hyphens; starting and ending with a letter or digit). This follows AWS best practice, is required for virtual-hosted-style addressing (bucket.s3.region.amazonaws.com), and is a prerequisite for features such as S3 Transfer Acceleration, which additionally requires a name without dots.

S3 Bucket Should Have MFA Delete Enabled

S3 buckets should have MFA Delete enabled so that permanently deleting an object version, or changing the bucket's versioning state, requires a valid MFA code in addition to credentials. MFA Delete requires versioning and can only be enabled by the account's root user through the API or CLI, not the console.

S3 Buckets Should Not Allow Public Access Via Policy

S3 buckets should not be publicly accessible via bucket policies, that is, no Allow statement with Principal "*" (or {"AWS": "*"}) and no restricting condition. Granting public access through a bucket policy lets anyone on the Internet view, get, upload, modify or delete objects, depending on the actions allowed, which can lead to data loss and unexpected charges on your AWS bill.

S3 Buckets Should Be Encrypted with Customer Managed KMS Keys (SSE-KMS)

S3 buckets should use server-side encryption with a customer managed KMS key (SSE-KMS) instead of S3-managed keys (SSE-S3) for fine-grained control over encryption and decryption of data at rest. A customer managed key gives you a key policy that acts as a second authorization gate alongside the bucket policy, rotation you control, and CloudTrail records of every use of the key. (In AWS terminology "customer-provided keys" means SSE-C, where you supply the key with each request; that is a different mechanism.)

S3 Buckets Should Have Lifecycle Configuration Enabled

Your S3 buckets should have a lifecycle configuration for security and cost reasons: expire noncurrent object versions, abort incomplete multipart uploads, and transition or expire aged objects. Without one, a versioned bucket keeps every noncurrent version forever, which costs money and retains data you intended to delete.

S3 Buckets Should Have Website Configuration Enabled

Static website hosting serves a bucket's objects over plain HTTP to anonymous requesters through the website endpoint, so buckets with a website configuration should be reviewed regularly (informational). Regular review confirms that only the buckets you intend to expose are reachable from a website endpoint.

S3 Buckets Should Have Object Lock Enabled

S3 buckets should use Object Lock for data protection and regulatory compliance. Object Lock stores objects write-once-read-many (WORM): a locked object version cannot be overwritten or deleted until its retention period ends or its legal hold is removed. In compliance mode not even the root user can shorten the retention period; in governance mode principals with s3:BypassGovernanceRetention can override it. Object Lock requires versioning.

S3 Buckets Should Use Transfer Acceleration

S3 buckets should use Transfer Acceleration to speed up data transfers in and out of S3 (up to 500%) by routing them through the AWS edge network. This is a performance feature rather than a security control; it is billed separately and requires a DNS-compliant bucket name without dots.

S3 Bucket Should Not Allow Public FULL_CONTROL Access

No bucket ACL should grant FULL_CONTROL to the AllUsers group. That grant lets anyone on the Internet list, write and delete objects and rewrite the ACL itself, which amounts to losing control of the bucket.

S3 Bucket Should Not Allow FULL_CONTROL Access to Authenticated Users

S3 buckets should not grant FULL_CONTROL to the AuthenticatedUsers group (that is, any IAM principal in any AWS account, not only yours). Exposing your buckets to all AWS accounts this way can lead to data leaks, data loss and unexpected S3 charges.

S3 Buckets Should Not Allow Public READ Access

S3 buckets should not grant READ to the AllUsers group through their ACL. Public READ on a bucket lets anyone list its object keys; combined with object-level READ it lets anyone download the objects.

S3 Bucket Should Not Allow READ Access to Authenticated Users

S3 buckets should not grant READ to the AuthenticatedUsers group through their ACL, in order to protect your S3 data against unauthorized access.

S3 Bucket Should Not Allow Public READ_ACP Access

S3 buckets should not grant READ_ACP to the AllUsers group. Public "READ_ACP" lets anyone on the Internet read the bucket's ACL, i.e. which grantees hold which permissions. An attacker uses this to find buckets with misconfigured grants and then probe them for access to your data.

S3 Bucket Should Not Allow READ_ACP Access For Authenticated Users

AWS S3 buckets should not allow READ_ACP access to AWS authenticated users using ACLs in order to protect against unauthorized access.

S3 Bucket Should Not Allow Public WRITE_ACP Access

S3 buckets should not grant WRITE_ACP to the AllUsers group. Public "WRITE_ACP" lets anonymous users rewrite the bucket ACL, including granting themselves FULL_CONTROL, and from there view, upload, modify and delete every object in the bucket without restriction.

S3 Bucket Should Not Allow WRITE_ACP Access to Authenticated Users

S3 buckets should not grant WRITE_ACP to the AuthenticatedUsers group. Granting "WRITE_ACP" to authenticated users lets any other AWS account or IAM user rewrite the ACL in order to view, upload, modify and delete objects in the bucket without restriction.
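The ACL checks above (public and authenticated-users WRITE, FULL_CONTROL, READ, READ_ACP and WRITE_ACP) all reduce to one inspection: walk the bucket's grants and flag any grant to the two global groups. The following is an added example, not Cloudanix code; it works on the dict shape that boto3's s3.get_bucket_acl() returns, and the bucket name and sample ACL are constructed for illustration.

```python
"""Audit one S3 bucket ACL for grants to the AllUsers (public) and
AuthenticatedUsers groups, for every permission the checks above name:
FULL_CONTROL, WRITE, WRITE_ACP, READ and READ_ACP.

`acl` is the dict shape returned by boto3's s3.get_bucket_acl(); the
sample ACL at the bottom is constructed, not captured from an account.
"""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

GROUP_LABEL = {ALL_USERS: "Public", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# What each bucket-level ACL permission lets the grantee do.
PERMISSION_EFFECT = {
    "FULL_CONTROL": "list, write, delete and change the ACL",
    "WRITE": "create, overwrite and delete objects",
    "WRITE_ACP": "rewrite the bucket ACL (and so grant itself FULL_CONTROL)",
    "READ": "list the objects in the bucket",
    "READ_ACP": "read the bucket ACL",
}


def audit_acl(bucket, acl):
    """Return one finding dict per grant to AllUsers or AuthenticatedUsers.

    Grants to CanonicalUser grantees (the owner, specific accounts) and to
    the LogDelivery group (expected on a server-access-log target bucket)
    are not findings for these checks and are skipped.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = None
        if grantee.get("Type") == "Group":
            label = GROUP_LABEL.get(grantee.get("URI"))
        if label is None:
            continue
        permission = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "check": f"S3 Bucket Should Not Allow {label} {permission} Access",
            "grantee": label,
            "permission": permission,
            # READ_ACP only discloses the ACL; every other grant exposes or alters data.
            "severity": "LOW" if permission == "READ_ACP" else "HIGH",
            "impact": PERMISSION_EFFECT.get(permission, "unknown permission"),
        })
    return findings


# Constructed sample: owner has FULL_CONTROL (fine), the public can list the
# bucket, any AWS account can rewrite the ACL, and the log-delivery group can
# write (expected for a log target bucket, so not reported).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for f in audit_acl("example-audit-bucket", SAMPLE_ACL):
        print(f"[{f['severity']}] {f['check']}: grantee can {f['impact']}")
```

In a real run, feed the function the result of get_bucket_acl() for each bucket returned by list_buckets(); object-level ACLs need a separate pass with get_object_acl() if the bucket does not use the BucketOwnerEnforced object ownership setting, which disables ACLs entirely.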

S3 Buckets Should Enforce Server Side Encryption

S3 buckets should protect sensitive data at rest by enforcing server-side encryption (SSE): a bucket policy that denies s3:PutObject unless the request's x-amz-server-side-encryption header names the required algorithm (aws:kms for SSE-KMS). This stops a client from overriding the bucket's default encryption with an explicit weaker choice.
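Three of the checks on this page (secure transport policy, no public access via policy, enforced server-side encryption) are questions about the bucket policy document. The following added example, which is not Cloudanix code, evaluates them statically on the dict form of the JSON string that boto3's s3.get_bucket_policy() returns in its "Policy" field. The bucket name, the two sample policies and the vpce-EXAMPLE endpoint id are constructed for illustration.

```python
"""Static checks on an S3 bucket policy document:
  1. Allow statements granted to everyone (Principal "*" or {"AWS": "*"}),
  2. a Deny that rejects non-TLS requests (aws:SecureTransport false),
  3. a Deny that rejects s3:PutObject without the required SSE algorithm.
"""
import json

BUCKET = "example-audit-bucket"  # constructed name


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(actions, wanted):
    """True if the Action element covers `wanted` (exact, prefix wildcard or *)."""
    wanted = wanted.lower()
    for action in _as_list(actions):
        action = str(action).lower()
        if action in ("*", wanted):
            return True
        if action.endswith("*") and wanted.startswith(action[:-1]):
            return True
    return False


def public_allow_statements(policy):
    """Return (sid, has_condition) for each Allow to a wildcard principal.

    Statements that carry a Condition are still reported: a condition such as
    aws:SourceVpce can make the grant non-public, but that needs a human look.
    """
    found = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
            found.append((st.get("Sid", f"statement-{i}"), "Condition" in st))
    return found


def enforces_tls(policy, bucket):
    """True if a Deny covers all s3 actions on the bucket and its objects
    whenever aws:SecureTransport is false (the AWS-documented shape)."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _statements(policy):
        if st.get("Effect") != "Deny" or not _is_wildcard_principal(st.get("Principal")):
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if str(flag).lower() != "false":
            continue
        if not any(str(a).lower() in ("*", "s3:*") for a in _as_list(st.get("Action"))):
            continue  # a deny on a narrower action list leaves other actions over HTTP
        if needed <= set(_as_list(st.get("Resource"))):
            return True
    return False


def enforces_sse(policy, bucket, algorithm="aws:kms"):
    """True if a Deny rejects s3:PutObject on the bucket's objects when the
    x-amz-server-side-encryption header is not `algorithm`."""
    for st in _statements(policy):
        if st.get("Effect") != "Deny" or not _is_wildcard_principal(st.get("Principal")):
            continue
        if not _action_matches(st.get("Action"), "s3:PutObject"):
            continue
        if f"arn:aws:s3:::{bucket}/*" not in _as_list(st.get("Resource")):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if algorithm in _as_list(cond.get("s3:x-amz-server-side-encryption")):
            return True
    return False


def audit_policy(policy_json, bucket):
    """Run all three checks on the raw JSON string from get_bucket_policy()."""
    policy = json.loads(policy_json)
    return {
        "public_allow": public_allow_statements(policy),
        "tls_enforced": enforces_tls(policy, bucket),
        "sse_enforced": enforces_sse(policy, bucket),
    }


# Constructed samples: one hardened policy and one that fails every check.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]}
WEAK_POLICY_JSON = json.dumps(WEAK_POLICY)

if __name__ == "__main__":
    print(audit_policy(json.dumps(HARDENED_POLICY), BUCKET))
    print(audit_policy(WEAK_POLICY_JSON, BUCKET))
```

A bucket with no policy at all raises NoSuchBucketPolicy from get_bucket_policy(); treat that as "TLS not enforced, SSE not enforced, nothing public via policy". The VpcOnly statement is reported with has_condition set so a reviewer decides whether the condition really keeps it private; the AWS definition of a public policy treats some condition keys as restricting and others as not.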


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.