AWS S3 Audit

The number of S3 buckets you manage can grow quickly, and so can your pain points.

What do we do?

Access Logging Enabled

Check that S3 bucket access logging is enabled on the CloudTrail S3 bucket.

Addresses: Security

S3 Buckets Public Access Block

Check that the S3 bucket logs are not publicly accessible.

Addresses: Security

S3 Bucket Default Encryption

Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it.

Addresses: Security

S3 Bucket Versioning Enabled

Check if S3 buckets have object versioning enabled.

Addresses: Reliability

S3 HTTPS Only

Check if S3 buckets have a secure transport policy.

Addresses: Security

S3 Does Not Allow Public Writes

Check if S3 buckets have policies which allow public WRITE access.

Addresses: Security

S3 Bucket Authenticated Users WRITE Access

Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.

Addresses: Security

DNS Compliant S3 Bucket Names

Ensure that your AWS S3 buckets are using DNS-compliant bucket names.

Addresses: Operational Maturity

S3 Bucket MFA Delete Enabled

Ensure AWS S3 buckets have the MFA Delete feature enabled.

Addresses: Security

S3 Bucket Public Access Via Policy

Ensure AWS S3 buckets do not allow public access via bucket policies.

Addresses: Security

S3 Buckets Encrypted with Customer-Provided CMKs

Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs.

Addresses: Security

S3 Buckets Lifecycle Configuration

Ensure Amazon S3 buckets have lifecycle configuration enabled for security and cost optimization purposes.

Addresses: Security, Operational Maturity

S3 Buckets with Website Configuration Enabled

Ensure S3 buckets with website configuration enabled are regularly reviewed (informational).

Addresses: Security

S3 Object Lock Enabled

Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance.

Addresses: Security

S3 Transfer Acceleration

Ensure that Amazon S3 buckets use the Transfer Acceleration feature for faster data transfers.

Addresses: Operational Maturity

S3 Bucket Public FULL_CONTROL Access

Ensure that your AWS S3 buckets are not publicly exposed to the Internet.

Addresses: Security

S3 Bucket Authenticated Users FULL_CONTROL Access

Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.

Addresses: Security

S3 Bucket Public READ Access

Ensure AWS S3 buckets do not allow public READ access.

Addresses: Security

S3 Bucket Authenticated Users READ Access

Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs.

Addresses: Security

S3 Bucket Public READ_ACP Access

Ensure AWS S3 buckets do not allow public READ_ACP access.

Addresses: Security

S3 Bucket Authenticated Users READ_ACP Access

Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.

Addresses: Security

S3 Bucket Public WRITE_ACP Access

Ensure AWS S3 buckets do not allow public WRITE_ACP access.

Addresses: Security

S3 Bucket Authenticated Users WRITE_ACP Access

Ensure AWS S3 buckets do not allow WRITE_ACP access to AWS authenticated users using ACLs.

Addresses: Security

Server Side Encryption

Ensure AWS S3 buckets enforce Server-Side Encryption (SSE).

Addresses: Security

