AWS S3
About
Monitor S3 buckets for private and public accessibility.
Security
Access Logging Enabled
Check that S3 bucket access logging is enabled on the CloudTrail S3 bucket.
S3 Buckets Public Access Block
Check that the S3 bucket logs are not publicly accessible.
S3 Bucket Default Encryption
Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it.
S3 HTTPS Only
Check if S3 buckets have a secure transport (HTTPS-only) bucket policy.
S3 Does Not Allow Public Writes
Check whether S3 buckets have policies that allow public WRITE access.
S3 Bucket Authenticated Users WRITE Access
Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.
S3 Bucket MFA Delete Enabled
Ensure AWS S3 buckets have the MFA Delete feature enabled.
S3 Bucket Public Access Via Policy
Ensure AWS S3 buckets do not allow public access via bucket policies.
S3 Buckets Encrypted with Customer-Provided CMKs
Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs.
S3 Buckets Lifecycle Configuration
Ensure Amazon S3 buckets have lifecycle configuration enabled for security and cost optimization purposes.
S3 Buckets with Website Configuration Enabled
Ensure S3 buckets with website configuration enabled are regularly reviewed (informational).
S3 Object Lock Enabled
Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance.
S3 Bucket Public FULL_CONTROL Access
Ensure that your AWS S3 buckets are not publicly exposed to the Internet.
S3 Bucket Authenticated Users FULL_CONTROL Access
Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.
S3 Bucket Public READ Access
Ensure AWS S3 buckets do not allow public READ access.
S3 Bucket Authenticated Users READ Access
Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs.
S3 Bucket Public READ_ACP Access
Ensure AWS S3 buckets do not allow public READ_ACP access.
S3 Bucket Authenticated Users READ_ACP Access
Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.
S3 Bucket Public WRITE_ACP Access
Ensure AWS S3 buckets do not allow public WRITE_ACP access.
S3 Bucket Authenticated Users WRITE_ACP Access
Ensure AWS S3 buckets do not allow WRITE_ACP access to AWS authenticated users using ACLs.
Server Side Encryption
Ensure AWS S3 buckets enforce Server-Side Encryption (SSE).
Reliability
S3 Bucket Versioning Enabled
Check if S3 buckets have object versioning enabled.
Performance Efficiency
DNS Compliant S3 Bucket Names
Ensure that your AWS S3 buckets are using DNS-compliant bucket names.
S3 Transfer Acceleration
Ensure that Amazon S3 buckets use the Transfer Acceleration feature for faster data transfers.
Sources
https://www.cloudanix.com/recipelist/aws/s3publiccheck