S3 Bucket Changes Alarm
More Info:
Configuration changes to AWS S3 buckets should be monitored with CloudWatch alarms. An alarm should trigger every time an S3 bucket configuration change is made, such as a change to a bucket policy, ACL, or lifecycle configuration.

Risk Level: Medium
Address: Security
Compliance Standards: CISAWS, CBP, SOC2, NIST, AWSWAF, HITRUST, NISTCSF, PCIDSS, CISAWSF, PCI, APRA, MAS, NIST4
Triage and Remediation
Remediation
When you receive an S3 Bucket Changes Alarm, it indicates that there has been a change in the configuration of one of your S3 buckets. Here are the steps to remediate this issue in the AWS Console; they create the CloudWatch Logs metric filter and alarm that detect such changes:

- Log in to your AWS Management Console and navigate to the CloudWatch dashboard at CloudWatch Console.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click on Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:

```
{
  ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) ||
  ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) ||
  ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) ||
  ($.eventName = DeleteBucketReplication))
}
```

This pattern will be used for scanning the AWS CloudTrail logs for relevant event names.

- Review the metric filter configuration details and then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, provide the following:
  - In the Filter Name box, enter a unique name (e.g., S3BucketConfigChanges).
  - In the Metric Namespace box, type CloudTrailMetrics.
  - In the Metric Name box, type S3BucketEventCount.
  - Click Show advanced metric settings to expand the section.
  - In the Metric Value box, enter 1.
- Review the details and click Create Filter to generate your new CloudWatch Logs metric filter.
- Click Create Alarm on the same page:
  - In the Create Alarm dialog box, enter a unique name and description for the alarm.
  - Under Whenever: Metric Name, select >= (greater than or equal to) and enter 1 as the threshold value.
  - In the Actions section, click the + Notification button, select State is ALARM, and choose the AWS SNS topic created earlier.
  - In the Alarm Preview section, select 5 Minutes from the Period dropdown and Sum from the Statistic list.
- Review the configuration details and click Create Alarm. The new alarm will be listed on the Alarms page.
To remediate the S3 Bucket Changes Alarm using the AWS CLI, follow these steps:

- Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:

```bash
aws logs put-metric-filter \
  --region us-east-1 \
  --log-group-name CloudTrail/CloudWatchLogGroup \
  --filter-name S3BucketConfigChanges \
  --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' \
  --metric-transformations metricName=S3BucketEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
```

- Run the following command to create the AWS CloudWatch alarm that will fire whenever a configuration change involving an S3 Bucket is made:

```bash
aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name S3BucketConfigChangesAlarm \
  --alarm-description "Triggered by AWS S3 Bucket config changes." \
  --metric-name S3BucketEventCount \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 1 \
  --actions-enabled \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
```

Replace the region, the log group name and the SNS topic ARN (the account ID 123456789012 above is a placeholder) with the values from your own account; the metric name and namespace passed to put-metric-alarm must match those given to put-metric-filter, otherwise the alarm watches an empty metric.
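To check what the filter pattern above would actually count before deploying it, here is an added example (not part of the original page) that implements a small evaluator for the subset of CloudWatch Logs filter syntax the pattern uses and runs it over constructed CloudTrail records. The `!=` support, the assumed precedence of `&&` over `||`, and the sample events are my additions; the example also shows a coverage caveat, since an S3 event such as PutBucketPublicAccessBlock is not in the page's eventName list and would not raise this alarm.

```python
import re
_TOKENS = re.compile(r'\{|\}|\(|\)|&&|\|\||!=|=|"[^"]*"|[^\s{}()=!&|]+')

def parse_filter_pattern(pattern):
    """Parse '{ ... }' (subset: parentheses, &&, ||, $.path = v, $.path != v) into a tuple tree.
    Assumed, not verified against AWS: && binds tighter than ||, and a missing field never matches."""
    toks = _TOKENS.findall(pattern)[::-1]            # reversed so pop() yields tokens in order
    def take(want=None):
        tok = toks.pop() if toks else None
        if want not in (None, tok):
            raise ValueError(f'expected {want!r}, got {tok!r}')
        return tok
    def binary(op_tok, kind, sub):                   # left-associative chain of one operator
        node = sub()
        while toks and toks[-1] == op_tok:
            take(); node = (kind, node, sub())
        return node
    def term():
        if toks and toks[-1] == '(':
            take(); node = expr_or(); take(')'); return node
        field, op, value = take(), take(), take()
        if not str(field).startswith('$.') or op not in ('=', '!=') or value is None:
            raise ValueError(f'expected "$.field = value", got {field!r} {op!r} {value!r}')
        return ('cmp', field[2:].split('.'), op, value.strip('"'))
    def expr_or(): return binary('||', 'or', lambda: binary('&&', 'and', term))
    take('{'); tree = expr_or(); take('}'); return tree

def matches(tree, event):                            # evaluate a parsed pattern against one CloudTrail record
    if tree[0] in ('and', 'or'):
        left, right = (matches(sub, event) for sub in tree[1:])
        return (left and right) if tree[0] == 'and' else (left or right)
    _, path, op, value = tree
    cur = event
    for key in path:                                 # walk $.a.b through nested dicts
        if not isinstance(cur, dict) or key not in cur:
            return False
        cur = cur[key]
    return (str(cur) == value) == (op == '=')
# The exact pattern this page installs with put-metric-filter.
S3_CHANGE_PATTERN = ('{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || '
    '($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || '
    '($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || '
    '($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }')
# Constructed, minimal CloudTrail records (real ones carry many more fields); the last two fall outside the pattern.
SAMPLE_EVENTS = [{'eventSource': 's3.amazonaws.com', 'eventName': n} for n in
                 ('PutBucketPolicy', 'DeleteBucketLifecycle', 'GetObject', 'PutBucketPublicAccessBlock')]
def count_alarming_events(events=SAMPLE_EVENTS, pattern=S3_CHANGE_PATTERN):
    """Matching events (metricValue=1 each); Sum over 300 s with threshold >= 1 means any match alarms."""
    tree = parse_filter_pattern(pattern)
    return sum(1 for e in events if matches(tree, e))
```

Because each match contributes 1 to the metric and the alarm sums over a 300-second period with a threshold of 1, a single matching event in any period puts the alarm into ALARM; bucket settings outside the pattern's eventName list (the PutBucketPublicAccessBlock record above, for instance) are never counted, so extend the list if those changes should also be monitored.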
You can also use Python with the Boto3 library. The script below is a response action for a bucket flagged by the alarm: it applies a bucket policy that denies requests not made over TLS and resets the ACL to private if the bucket grants access to everyone (AllUsers).

```python
import boto3
import json

# Define the S3 bucket name (the bucket whose configuration change was flagged)
bucket_name = 'my-bucket'

# Create a client object for S3
s3 = boto3.client('s3')

# Bucket policy that denies every S3 action when the request is not made over TLS.
# Note: put_bucket_policy replaces the whole existing policy; if the bucket already
# has one, merge this statement into it instead of overwriting it.
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{bucket_name}/*",
                f"arn:aws:s3:::{bucket_name}"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(bucket_policy))

# Reset the bucket ACL to private if it grants access to the AllUsers (public) group
bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in bucket_acl['Grants']:
    if grant['Grantee'].get('URI') == 'http://acs.amazonaws.com/groups/global/AllUsers':
        s3.put_bucket_acl(Bucket=bucket_name, ACL='private')
        break
```

Note: Replace my-bucket with the actual name of the S3 bucket.