We need a check that looks for public S3 read/write permissions and automatically revokes these when found. This check would look for the following public permissions:

- Bucket list objects
- Bucket write objects (This is high severity)
- Bucket read permissions
- Bucket write permissions (This is high severity)

For the high severity permissions we should explicitly detail that the customer should manually audit the bucket and its objects to ensure that it has not been compromised.

This automation workflow can follow a similar pattern to the one for Exposed Access Keys linked below:

https://github.com/aws/Trusted-Advisor-Tools/tree/master/ExposedAccessKeys

Let me know what you think about this proposed check.
If public access is blocked at the account level, the Trusted Advisor S3 check would never fail, so one wouldn't need any reactive approach. To ensure no one changes the public access block setting, we set a policy via SCP.
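The two controls discussed in this thread, the reactive revocation of public ACL grants proposed in the issue and the preventive SCP suggested in the comment, as one added example (this is not code from the Trusted-Advisor-Tools project). It maps the four permissions in the issue onto the S3 ACL permission names (READ lists objects, WRITE writes objects, READ_ACP/WRITE_ACP read and write the bucket's own permissions), treats the AllUsers and AuthenticatedUsers groups as public, strips those grants into an `AccessControlPolicy` shaped for `put_bucket_acl`, and flags a manual audit when a high-severity grant was found. The sample ACL and the stand-in S3 client are constructed for the demo; the break-glass role ARN in the SCP is a placeholder you would replace. `remediate_bucket` takes any object with `get_bucket_acl`/`put_bucket_acl` methods, so a real boto3 client drops in unchanged.

```python
"""Classify and revoke public S3 bucket ACL grants, plus the SCP that pins Block Public Access."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permission -> (wording used in the issue, severity). WRITE and WRITE_ACP are the
# two the issue marks high; FULL_CONTROL implies both, so it is high as well.
PERMISSION_SEVERITY = {
    "READ": ("bucket list objects", "medium"),
    "WRITE": ("bucket write objects", "high"),
    "READ_ACP": ("bucket read permissions", "medium"),
    "WRITE_ACP": ("bucket write permissions", "high"),
    "FULL_CONTROL": ("full control", "high"),
}


def is_public_grant(grant):
    """A grant is public when the grantee is one of the two predefined global groups."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS


def classify_public_grants(acl):
    """Return one finding per public grant in a get_bucket_acl response."""
    findings = []
    for grant in acl.get("Grants", []):
        if not is_public_grant(grant):
            continue
        perm = grant["Permission"]
        desc, severity = PERMISSION_SEVERITY.get(perm, (perm.lower(), "high"))
        findings.append({
            "grantee": grant["Grantee"]["URI"].rsplit("/", 1)[-1],
            "permission": perm,
            "description": desc,
            "severity": severity,
        })
    return findings


def strip_public_grants(acl):
    """Build the AccessControlPolicy for put_bucket_acl with every public grant removed.
    The owner and all non-public grants (owner FULL_CONTROL, log delivery, ...) are kept."""
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_public_grant(g)],
    }


def remediate_bucket(bucket, s3_client):
    """Reactive path: read the ACL, revoke public grants, and report what was found.
    s3_client is a boto3 S3 client (or anything with the same two methods)."""
    acl = s3_client.get_bucket_acl(Bucket=bucket)
    findings = classify_public_grants(acl)
    if findings:
        s3_client.put_bucket_acl(Bucket=bucket, AccessControlPolicy=strip_public_grants(acl))
    return {
        "bucket": bucket,
        "findings": findings,
        # High-severity grants mean objects or permissions could have been altered:
        # the issue asks for a manual audit of the bucket and its objects in that case.
        "manual_audit_required": any(f["severity"] == "high" for f in findings),
    }


def block_public_access_scp(break_glass_role_arn="arn:aws:iam::*:role/PLACEHOLDER-BreakGlass"):
    """Preventive path: SCP denying changes to Block Public Access at account and bucket
    level for every principal except a (placeholder) break-glass role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPublicAccessBlockChanges",
            "Effect": "Deny",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
        }],
    }


# Constructed sample: owner has FULL_CONTROL, AllUsers can list, AuthenticatedUsers can write.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef" * 4},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}


class FakeS3Client:
    """Constructed stand-in for a boto3 S3 client so the example runs offline."""

    def __init__(self, acl):
        self.acl, self.put_calls = acl, []

    def get_bucket_acl(self, Bucket):
        return self.acl

    def put_bucket_acl(self, Bucket, AccessControlPolicy):
        self.put_calls.append((Bucket, AccessControlPolicy))


if __name__ == "__main__":
    client = FakeS3Client(SAMPLE_ACL)
    print(json.dumps(remediate_bucket("example-bucket", client), indent=2))
    print(json.dumps(block_public_access_scp(), indent=2))
```

With the preventive SCP in place the reactive path becomes a backstop rather than the primary control: the ACL grants it revokes cannot take effect while Block Public Access is on, and the SCP keeps anyone but the break-glass role from turning it off.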