S3 Bucket Names Should Be DNS-compliant

More Info:

S3 buckets should use DNS-compliant bucket names in order to adhere to AWS best practices and to benefit from the new S3 features such as S3 Transfer Acceleration, to benefit from operational improvements and to receive support for virtual-host style access to buckets.

Risk Level

Low

Address

Operational Maturity, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the S3 bucket name non-compliance issue, you need to follow the below steps using AWS CLI:

Open your terminal or command prompt and install the AWS CLI (if not already installed) by following the instructions provided in the AWS documentation.
After installing AWS CLI, open your terminal or command prompt and enter the following command:

aws s3api put-bucket-acl --bucket BUCKET_NAME --acl public-read

Note: Replace BUCKET_NAME with the name of your S3 bucket.

Once the above command is executed successfully, enter the following command to rename the non-compliant bucket name:

aws s3api copy-object --copy-source BUCKET_NAME/ --bucket NEW_BUCKET_NAME --metadata-directive REPLACE --metadata x-amz-meta-original-name=BUCKET_NAME

Note: Replace BUCKET_NAME with the name of your non-compliant S3 bucket and NEW_BUCKET_NAME with the new DNS-compliant name you want to give to your S3 bucket.

After executing the above command successfully, enter the following command to delete the non-compliant bucket:

aws s3api delete-bucket --bucket BUCKET_NAME

Note: Replace BUCKET_NAME with the name of your non-compliant S3 bucket.

Finally, verify that the new bucket name is DNS-compliant by entering the following command:

aws s3api head-bucket --bucket NEW_BUCKET_NAME

If the above command returns no error, it means that your S3 bucket name is now DNS-compliant.

Using Python

To remediate this misconfiguration in AWS using Python, you can follow these steps:

Install the AWS SDK for Python (boto3) using pip:

pip install boto3

Create an AWS S3 client object:

import boto3

s3 = boto3.client('s3')

List all the S3 buckets in your AWS account:

response = s3.list_buckets()

for bucket in response['Buckets']:
    print(bucket['Name'])

Check if the bucket names are DNS-compliant:

import re

for bucket in response['Buckets']:
    bucket_name = bucket['Name']
    if not re.match("^[a-z0-9][a-z0-9\-]{1,61}[a-z0-9]$", bucket_name):
        print(f"Bucket name {bucket_name} is not DNS-compliant")

If a bucket name is not DNS-compliant, rename the bucket:

new_bucket_name = "new-dns-compliant-bucket-name"
s3.copy_object(Bucket=new_bucket_name, CopySource={"Bucket": bucket_name, "Key": ""})
s3.delete_object(Bucket=bucket_name, Key="")
s3.delete_bucket(Bucket=bucket_name)

Note: Make sure to replace “new-dns-compliant-bucket-name” with a DNS-compliant bucket name of your choice. Also, be aware that renaming a bucket can have implications for any applications or services that rely on the original bucket name.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Bucket Names Should Be DNS-compliant

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: