S3 Buckets Should Have Access Logging Enabled
AWS S3 Server Access Logging feature should be enabled in order to record access requests useful for security audits. By default, server access logging is not enabled for S3 buckets.
AWS S3 Server Access Logging feature should be enabled in order to record access requests useful for security audits. By default, server access logging is not enabled for S3 buckets.
Amazon S3 Block Public Access feature should be enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future.
S3 buckets should have default encryption (SSE) enabled or use a bucket policy to enforce it. S3 default encryption will enable Amazon to encrypt your S3 data at the bucket level instead of object level in order to protect it from attackers or unauthorized personnel.
Your AWS S3 buckets should have the versioning flag enabled in order to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention.
AWS S3 buckets should enforce encryption of data over the network (as it travels to and from Amazon S3) using Secure Sockets Layer (SSL).
AWS S3 buckets should not be publicly accessible for WRITE actions via S3 access control lists (ACLs), in order to protect your S3 data from unauthorized users.
S3 buckets should not allow WRITE access to AWS authenticated users through S3 ACLs.
S3 buckets should use DNS-compliant bucket names in order to adhere to AWS best practices and to benefit from the new S3 features such as S3 Transfer Acceleration, to benefit from operational improvements and to receive support for virtual-host style access to buckets.
AWS S3 buckets should use Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned S3 objects (files).
AWS S3 buckets should not be publicly accessible via bucket policies in order to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.
AWS S3 buckets should be configured to use Server-Side Encryption with customer managed CMKs instead of S3-Managed Keys (SSE-S3) in order to obtain a fine-grained control over Amazon S3 data-at-rest encryption and decryption process.
Your Amazon S3 buckets should have lifecycle configuration enabled for security and cost optimization purposes.
S3 buckets with website configuration enabled should be regularly reviewed (informational). By regularly reviewing these S3 buckets you make sure that only the desired buckets are accessible from the website endpoint.
AWS S3 buckets should use Object Lock for data protection and/or regulatory compliance and in order to prevent the objects they store from being deleted.
S3 buckets should be using Transfer Acceleration feature to increase the speed (up to 500%) of data transfers in and out of Amazon S3 using AWS edge network.
There should not be any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access.
AWS S3 buckets should not be granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or AWS IAM users) in order to prevent unauthorized access. Exposing your S3 buckets to AWS signed accounts or users can lead to data leaks, data loss and unexpected charges for the S3 service.
AWS S3 buckets should not allow public READ access in order to protect against unauthorized access.
S3 buckets should not allow READ access to AWS authenticated users through ACLs n order to protect your S3 data against unauthorized access.
AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.
AWS S3 buckets should not allow READ_ACP access to AWS authenticated users using ACLs in order to protect against unauthorized access.
AWS S3 buckets should not allow public WRITE_ACP access. Granting public "WRITE_ACP" access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions.
AWS S3 buckets should not allow WRITE_ACP access to AWS authenticated users using ACLs. Granting authenticated "WRITE_ACP" access to your AWS S3 buckets can allow other AWS accounts or IAM users to edit ACL permissions in order to view, upload, modify and delete S3 objects within the buckets without restrictions.
AWS S3 buckets should protect their sensitive data at rest by enforcing Server-Side Encryption (SSE).
If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.