S3 Bucket Changes Alarm
More Info:
Configuration changes to AWS S3 buckets should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWS, CBP, SOC2, NIST, AWSWAF, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
When you receive an S3 Bucket Changes Alarm, it means that there has been a change in the configuration of one of your S3 buckets. Here are the steps to remediate this issue in AWS Console:
- Log in to your AWS Management Console and navigate to the S3 service.
- Locate the bucket that triggered the alarm and click on it.
- Click on the “Permissions” tab and then click on “Bucket Policy”.
- Review the bucket policy to identify the misconfiguration that triggered the alarm.
- Once you have identified the misconfiguration, edit the bucket policy to correct the issue.
- After making the necessary changes, click on “Save”.
- Verify that the alarm has been cleared by checking the CloudWatch console.
- If the alarm persists, review the bucket policy again to ensure that all misconfigurations have been corrected.
- Once you have confirmed that the alarm has been cleared, you can close the ticket for this issue.
The S3 Bucket Changes Alarm is triggered when there are changes made to the S3 bucket, such as creation, deletion, modification of objects, or changes to bucket policies. To remediate this issue, you can follow the below steps using AWS CLI:
- Log in to your AWS account and open the AWS CLI on your local machine.
- Run the following command to get the details of the S3 bucket changes alarm:
  aws cloudwatch describe-alarms --alarm-names S3BucketChangesAlarm
- Check the alarm status and make sure it is in the “ALARM” state.
- To remediate the issue, you need to identify the root cause of the changes made to the S3 bucket. Review the CloudTrail logs to get more information about the changes, for example:
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutObject
  Note: lookup-events returns management events from the last 90 days only. Object-level calls such as PutObject are data events and are not returned by it, so for bucket configuration changes look up event names such as PutBucketPolicy or PutBucketAcl instead, and query the trail's S3 or CloudWatch Logs destination for object-level activity.
- Once you have identified the root cause of the changes, you can update the S3 bucket policy or access control list (ACL) to restrict access to the bucket.
- To update the S3 bucket policy, run the following command:
  aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json
  Note: Replace <bucket-name> with the name of your S3 bucket and policy.json with the name of the JSON file containing the updated policy. This call replaces the whole existing bucket policy, so policy.json must contain every statement you want to keep.
- To update the S3 bucket ACL, run the following command:
  aws s3api put-bucket-acl --bucket <bucket-name> --acl private
  Note: Replace <bucket-name> with the name of your S3 bucket. private is the canned ACL that removes every group grant; substitute another canned ACL only if the bucket genuinely requires it (a public ACL such as public-read would re-create the exposure this step is meant to remove).
- After updating the S3 bucket policy or ACL, monitor the S3 bucket changes alarm to ensure that the issue has been remediated:
  aws cloudwatch describe-alarms --alarm-names S3BucketChangesAlarm
- If the alarm status is still in the “ALARM” state, repeat the above steps to identify and remediate any remaining issues.
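The following Python is an added example and not part of the original page. It implements the triage from the CLI steps above offline against constructed lookup-events records (the bucket name, account id, principals and IP addresses are made up), using the same S3 event-name set that the CIS AWS Foundations Benchmark metric filter for bucket policy changes matches on, and in create_alarm shows the boto3 calls that would create that metric filter and the S3BucketChangesAlarm alarm (the log group, metric names and SNS topic ARN are assumptions; boto3 is imported only inside that function, so the triage runs without AWS credentials).

```python
"""Triage helper for an S3 Bucket Changes Alarm.
Added example, not from the original page; the event records below are constructed
in the shape returned by `aws cloudtrail lookup-events` (the "Events" list)."""
import json

# Bucket-configuration events; this is the set the CIS AWS Foundations Benchmark
# metric filter for "S3 bucket policy changes" matches on.
BUCKET_CHANGE_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
}

# CloudWatch Logs filter pattern that feeds the alarm's metric
METRIC_FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && ("
    + " || ".join(f"($.eventName = {name})" for name in sorted(BUCKET_CHANGE_EVENTS))
    + ") }"
)


def is_bucket_change(record):
    """True for a parsed CloudTrail record that changes bucket configuration.
    PutObject and other object-level calls are data events, which lookup-events does not
    return, so they never reach this check."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in BUCKET_CHANGE_EVENTS)


def triage(lookup_events):
    """Reduce lookup-events output to who changed which bucket, from where, and when."""
    rows = []
    for event in lookup_events:
        record = json.loads(event["CloudTrailEvent"])
        if not is_bucket_change(record):
            continue
        rows.append({
            "time": event["EventTime"],
            "event": record["eventName"],
            "bucket": record.get("requestParameters", {}).get("bucketName", "<unknown>"),
            "actor": record.get("userIdentity", {}).get("arn", event.get("Username", "<unknown>")),
            "source_ip": record.get("sourceIPAddress", "<unknown>"),
        })
    return rows


def create_alarm(log_group, sns_topic_arn, logs=None, cloudwatch=None):
    """Create the metric filter and alarm that monitor bucket changes (names are assumptions).
    boto3 is imported here so the offline functions above do not need it."""
    if logs is None or cloudwatch is None:
        import boto3
        logs = logs or boto3.client("logs")
        cloudwatch = cloudwatch or boto3.client("cloudwatch")
    logs.put_metric_filter(
        logGroupName=log_group,
        filterName="S3BucketChanges",
        filterPattern=METRIC_FILTER_PATTERN,
        metricTransformations=[{"metricName": "S3BucketChangesCount",
                                "metricNamespace": "CloudTrailMetrics",
                                "metricValue": "1"}],
    )
    cloudwatch.put_metric_alarm(
        AlarmName="S3BucketChangesAlarm",
        MetricName="S3BucketChangesCount",
        Namespace="CloudTrailMetrics",
        Statistic="Sum",
        Period=300,
        EvaluationPeriods=1,
        Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching",
        AlarmActions=[sns_topic_arn],
    )


def _record(source, name, **extra):
    """Build the CloudTrailEvent JSON string of a constructed sample record."""
    return json.dumps({"eventSource": source, "eventName": name, **extra})


# Constructed sample: two bucket changes, one read-only S3 call, one non-S3 event
SAMPLE_LOOKUP_EVENTS = [
    {"EventName": "PutBucketPolicy", "EventTime": "2024-01-15T10:02:11Z", "Username": "alice",
     "CloudTrailEvent": _record("s3.amazonaws.com", "PutBucketPolicy", sourceIPAddress="203.0.113.10",
                                userIdentity={"arn": "arn:aws:iam::123456789012:user/alice"},
                                requestParameters={"bucketName": "example-bucket"})},
    {"EventName": "GetBucketPolicy", "EventTime": "2024-01-15T10:03:40Z", "Username": "alice",
     "CloudTrailEvent": _record("s3.amazonaws.com", "GetBucketPolicy",
                                requestParameters={"bucketName": "example-bucket"})},
    {"EventName": "PutBucketAcl", "EventTime": "2024-01-15T10:05:02Z", "Username": "deploy-role",
     "CloudTrailEvent": _record("s3.amazonaws.com", "PutBucketAcl", sourceIPAddress="198.51.100.7",
                                userIdentity={"arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"},
                                requestParameters={"bucketName": "example-bucket"})},
    {"EventName": "ConsoleLogin", "EventTime": "2024-01-15T09:58:00Z", "Username": "alice",
     "CloudTrailEvent": _record("signin.amazonaws.com", "ConsoleLogin")},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOOKUP_EVENTS):
        print(row)
```

Feed triage() the "Events" list from `aws cloudtrail lookup-events --output json` to get the same per-change rows for a real account; the read-only GetBucketPolicy and the ConsoleLogin records in the sample are dropped because neither is in the event set the alarm fires on.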
The condition behind an S3 Bucket Changes Alarm can be remediated by following these steps:
Step 1: Identify the S3 Bucket Changes Alarm
- Login to the AWS Console
- Navigate to the CloudWatch service
- Click on Alarms
- Look for the S3 Bucket Changes Alarm that has been triggered
Step 2: Update the S3 Bucket Policy
- Navigate to the S3 service
- Click on the bucket that the S3 Bucket Changes Alarm is monitoring
- Click on the Permissions tab
- Click on Bucket Policy
- Check if there is any policy that is allowing public access to the bucket or its contents
- If there is any such policy, update it to restrict public access
Step 3: Update the S3 Bucket ACL
- Click on the Access Control List (ACL) tab
- Check if there is any grant that is allowing public access to the bucket or its contents
- If there is any such grant, update it to restrict public access
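Steps 2 and 3 above, like the console steps earlier on this page, ask you to review the bucket policy and the ACL for grants of public access. The following Python is an added example, not code from the page: it applies those two checks offline to a constructed policy and ACL (the bucket name example-bucket, the VPC endpoint id and the function names are assumptions) and, in remediate_bucket, shows the boto3 calls that enforce the restriction with S3 Block Public Access plus a private ACL; boto3 is imported only inside that function, so the checks themselves need no AWS credentials.

```python
"""Offline check for the public-access conditions the remediation steps tell you to look for.
Added example, not from the original page; the policy and ACL below are constructed."""
import json

# Group grantees that make an ACL grant public (AuthenticatedUsers means any AWS account)
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_wildcard(principal):
    """A policy principal is public when it is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_policy_statements(policy):
    """Split Allow statements with a wildcard principal into 'public' (no Condition) and
    'conditional' (a Condition is present, so reachability depends on its keys and needs review)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    public, conditional = [], []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt)
    return {"public": public, "conditional": conditional}


def find_public_acl_grants(acl):
    """Return ACL grants to the AllUsers or AuthenticatedUsers group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def audit_bucket(policy, acl):
    """Produce the findings a reviewer would act on, as human-readable strings."""
    findings = []
    classes = classify_policy_statements(policy)
    for stmt in classes["public"]:
        findings.append(f"policy statement '{stmt.get('Sid', '<no Sid>')}' allows principal * with no Condition")
    for stmt in classes["conditional"]:
        findings.append(f"policy statement '{stmt.get('Sid', '<no Sid>')}' allows principal * under a Condition; review its keys")
    for grant in find_public_acl_grants(acl):
        group = grant["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def remediate_bucket(bucket_name, s3=None):
    """Enforce the restriction: enable all four Block Public Access settings and reset the ACL.
    boto3 is imported here, not at module level, so the offline checks above run without AWS access."""
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    )
    s3.put_bucket_acl(Bucket=bucket_name, ACL="private")


# Constructed sample documents for a hypothetical bucket "example-bucket"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print(line)
```

Against a real bucket, pass the output of get_bucket_policy (the "Policy" string) and get_bucket_acl to audit_bucket; the Deny statement in the sample is ignored on purpose, since only Allow statements grant access, while the conditional Allow is reported separately because whether it is public depends on the condition rather than on the principal.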
Step 4: Remediate using Python
- Use the AWS SDK for Python (Boto3) to write a script that updates the S3 Bucket Policy and ACL to restrict public access
- The following Python code can be used as a template:
import json

import boto3

# Define the S3 bucket name
bucket_name = 'my-bucket'

# Create a client object for S3
s3 = boto3.client('s3')

# Update the bucket policy: this statement denies every S3 action on the bucket and
# its objects, for any principal, when the request is not made over TLS.
# Note that put_bucket_policy replaces any existing bucket policy in full.
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{bucket_name}/*",
                f"arn:aws:s3:::{bucket_name}"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(bucket_policy))

# Update the bucket ACL: if any grant goes to the AllUsers group, reset the ACL to private
bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in bucket_acl['Grants']:
    if grant['Grantee'].get('URI') == 'http://acs.amazonaws.com/groups/global/AllUsers':
        s3.put_bucket_acl(Bucket=bucket_name, ACL='private')
        break

Note: Replace my-bucket with the actual name of the S3 bucket.