threatmodel-aws-s3-1696204322.json

{"metadata": {"provider": "aws", "service": "S3", "service_name": "Amazon Simple Storage Service (Amazon S3)", "version": "20220420", "scf_version": "2022.2.1", "license": "ThreatModel for Amazon Simple Storage Service (Amazon S3), by TrustOnCloud, under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Find latest source at https://github.com/trustoncloud/threatmodel-for-aws-s3", "source": "https://github.com/trustoncloud/threatmodel-for-aws-s3"}, "scorecard": {"identity_management": {"score": "AWS IAM, bucket ACL, object ACL"}, "resource_based": {"score": "Bucket"}, "network_filtering": {"score": "No"}, "encryption_at_rest": {"score": "Yes<br>(SSE-KMS, SSE-S3, SSE-C)"}, "encryption_in_transit": {"score": "Yes, but HTTP supported"}, "aws_cloudformation": {"score": "<a href=\"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_S3.html\">6</a>"}, "aws_tag_based_abac": {"score": "Yes"}, "aws_cloudwatch_events": {"score": "via CloudTrail"}, "aws_vpc_endpoint": {"score": "Yes<br>(Interface + Gateway)"}, "aws_vpc_endpoint_policy": {"score": "Yes"}, "gcp_vpc_service_controls": {"score": "-"}, "number_of_actions": {"score": 188}, "number_of_iam_permissions": {"score": 159}, "number_of_events": {"score": 156}, "event_coverage": {"score": "100.0"}, "api_without_event": {"score": 0}}, "feature_classes": {"S3.FC1": {"order": 1, "name": "Object operations", "class_relationship": [], "description": "You can upload, download, and delete virtually any number of objects to an external S3 bucket for which you are authorized.", "long_description": "You can upload, download, and delete virtually any number of objects to an external S3 bucket for which you are authorized. Amazon S3 Access Control Lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to ensure the requester has the necessary access permissions (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions\">ref</a>)."}, "S3.FC10": {"order": 13, "name": "Bucket policy", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "For your bucket, you can add a bucket policy to grant other AWS accounts or IAM users permissions for the bucket and the objects in it. Any object permissions apply only to the objects that the bucket owner creates.", "long_description": ""}, "S3.FC11": {"order": 15, "name": "Analytics", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can analyze storage access patterns to decide the storage class (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html\">ref</a>).", "long_description": ""}, "S3.FC12": {"order": 16, "name": "Inventory", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can create a report on your storage, including object metadata or versions (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html#storage-inventory-how-to-set-up\">ref</a>).", "long_description": ""}, "S3.FC13": {"order": 17, "name": "Lifecycle", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can lifecycle your data to reduce the storage cost (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html\">ref</a>).", "long_description": ""}, "S3.FC14": {"order": 18, "name": "Metrics", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can configure metrics to get additional insights into your usage (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/user-guide/configure-metrics.html\">ref</a>).", "long_description": ""}, "S3.FC15": {"order": 10, "name": "Replication", "class_relationship": [{"type": "parent", "class": "S3.FC6"}], "description": "Replication enables automatic and asynchronous copying of objects of a bucket into another bucket (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html\">ref</a>).", "long_description": "Replication enables automatic and asynchronous copying of objects of a bucket into another bucket. It can be cross-region or in the same region. Buckets configured for replication can be in the same AWS account or different accounts. It is usually to backup S3 data, data centralization, or multi-region applications."}, "S3.FC16": {"order": 20, "name": "Website", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can host a static website on Amazon S3. On a static website, individual web pages include static content. They might also contain client-side scripts (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html\">ref</a>).", "long_description": ""}, "S3.FC17": {"order": 21, "name": "S3 Object Lock", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can use S3 Object Lock to store objects using a write-once-read-many (WORM) model (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-retention-modes\">ref</a>). Creating a bucket with S3 Object Lock will enable versioning even without permissions.", "long_description": ""}, "S3.FC18": {"order": 23, "name": "Transfer Acceleration", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can use Transfer Acceleration to improve the performance of long-distance transfers (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html\">ref</a>).", "long_description": ""}, "S3.FC19": {"order": 14, "name": "S3 access logging", "class_relationship": [{"type": "parent", "class": "S3.FC8"}, {"type": "parent", "class": "S3.FC10"}], "description": "Server access logging provides detailed records for the requests made to a bucket.", "long_description": "Server access logging provides detailed records for the requests made to a bucket. CloudTrail S3 data events are preferred, due to the more reliable delivery timing, consistency, supporting KMS encryption and S3 Object Lock (<a href=\"https://www.netskope.com/blog/aws-s3-logjam-server-access-logging-vs-object-level-logging\">full comparison</a>), however website endpoint is not recorded on S3 data events, some SIEM modules might be more featured with S3 access logs, and access logging is free beside storage."}, "S3.FC2": {"order": 3, "name": "Object tagging", "class_relationship": [{"type": "parent", "class": "S3.FC1"}, {"type": "usage", "class": "S3.FC5"}], "description": "You can tag objects (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html\">ref</a>).", "long_description": ""}, "S3.FC20": {"order": 24, "name": "Notification", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can receive notifications when certain events happen in your bucket.", "long_description": "You can receive notifications when certain events happen in your bucket. Notifications can be sent cross-account (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html\">ref</a>)."}, "S3.FC21": {"order": 4, "name": "Torrent", "class_relationship": [{"type": "parent", "class": "S3.FC1"}, {"type": "usage", "class": "S3.FC5"}], "description": "You can use the BitTorrent protocol to retrieve objects (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/S3Torrent.html\">ref</a>).", "long_description": "<b>[NOT RECOMMENDED]</b> You can use the BitTorrent protocol to retrieve objects (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/S3Torrent.html\">ref</a>). Only available in the AWS Regions launched before May 30, 2016. The seed rate is 100KB. After April 29, 2022, BitTorrent clients will no longer connect to Amazon S3."}, "S3.FC22": {"order": 28, "name": "CORS", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can create a CORS configuration with rules that identify the origins you will allow to access your bucket, the operations (HTTP methods) supported for each origin, and other operation-specific information.", "long_description": "<b>[NOT RECOMMENDED]</b> To configure your bucket to allow cross-origin requests, you create a CORS configuration, which is an XML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) that will support for each origin, and other operation-specific information. This feature class is NOT RECOMMENDED to be activated since it is all HTTP. Prefer the usage of CDN (e.g. CloudFront), API Gateway, and/or WAF fronting S3 buckets."}, "S3.FC23": {"order": 29, "name": "Bucket default encryption", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can set default encryption on a bucket so that all new objects are encrypted when stored in the bucket.", "long_description": ""}, "S3.FC24": {"order": 31, "name": "Public Access Block (bucket)", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "S3 Block Public Access (bucket) provides controls at the individual S3 bucket level to ensure objects never have public access.", "long_description": ""}, "S3.FC25": {"order": 32, "name": "Public Access Block (account)", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "S3 Block Public Access (account) provides controls across an entire AWS account to ensure objects never have public access.", "long_description": ""}, "S3.FC26": {"order": 25, "name": "Access point", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations.", "long_description": "Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations. Only certain operations and AWS services are compatible (<a href=\"https://docs.amazonaws.cn/en_us/AmazonS3/latest/dev/using-access-points.html#access-points-service-api-support\"). S3 access points aren't currently compatible with Amazon CloudWatch metrics."}, "S3.FC27": {"order": 5, "name": "Batch", "class_relationship": [{"type": "parent", "class": "S3.FC1"}, {"type": "usage", "class": "S3.FC5"}], "description": "S3 Batch Operations performs large-scale Batch Operations on Amazon S3 objects.", "long_description": ""}, "S3.FC28": {"order": 32, "name": "Other uses", "class_relationship": [], "description": "Others can use their S3 service to impact you in some ways.", "long_description": ""}, "S3.FC29": {"order": 22, "name": "Legal hold", "class_relationship": [{"type": "parent", "class": "S3.FC17"}], "description": "A legal hold provides the same protection as a retention period but has no expiration date. S3 Object Lock must be activated on the bucket.", "long_description": "A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent of retention periods."}, "S3.FC3": {"order": 6, "name": "Object versioning", "class_relationship": [{"type": "parent", "class": "S3.FC1"}, {"type": "usage", "class": "S3.FC5"}], "description": "You can version your objects (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html\">ref</a>).", "long_description": ""}, "S3.FC30": {"order": 30, "name": "S3 Object Ownership", "class_relationship": [{"type": "usage", "class": "S3.FC1"}, {"type": "parent", "class": "S3.FC5"}], "description": "S3 Object Ownership enables bucket owners to automatically assume ownership of objects uploaded to their buckets by other AWS accounts.", "long_description": "Enables bucket owners to automatically assume ownership of objects uploaded to their buckets by other AWS accounts. When the object is Put with an ACL of bucket-owner-full-control, the object will be fully owned by the target bucket owner. If the ACL is added later, the ownership is kept by the object owner (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html\">ref</a>)."}, "S3.FC31": {"order": 19, "name": "S3 Storage Lens", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "S3 Storage Lens provides a single view of object storage usage and activity across your entire S3 storage.", "long_description": ""}, "S3.FC32": {"order": 26, "name": "S3 Object Lambda", "class_relationship": [{"type": "parent", "class": "S3.FC26"}], "description": "S3 Object Lambda enables users to apply their custom code to process the output of a standard S3 request by automatically invoking a Lambda function.", "long_description": ""}, "S3.FC33": {"order": 27, "name": "Multi-Region Access Points", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "S3 Multi-Region Access Points provide a single global endpoint to access a data set that spans multiple S3 buckets in different AWS Regions or in different AWS accounts.", "long_description": ""}, "S3.FC4": {"order": 7, "name": "Tag on versioned objects", "class_relationship": [{"type": "parent", "class": "S3.FC2"}, {"type": "parent", "class": "S3.FC3"}, {"type": "usage", "class": "S3.FC5"}], "description": "You can tag a specific version of an object (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html\">ref</a>).", "long_description": ""}, "S3.FC5": {"order": 2, "name": "Bucket", "class_relationship": [{"type": "parent", "class": "S3.FC1"}], "description": "To upload your data into your AWS account, you must create an S3 bucket in one of the AWS Regions.", "long_description": ""}, "S3.FC6": {"order": 9, "name": "Bucket versioning", "class_relationship": [{"type": "parent", "class": "S3.FC3"}, {"type": "parent", "class": "S3.FC5"}], "description": "Versioning is a means of keeping multiple variants of an object in the same bucket (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html\">ref</a>).", "long_description": "Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from unintended user actions and application failures (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html\">ref</a>)."}, "S3.FC7": {"order": 11, "name": "Bucket tag", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "You can tag buckets (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/CostAllocTagging.html\">ref</a>).", "long_description": ""}, "S3.FC8": {"order": 12, "name": "Bucket ACL", "class_relationship": [{"type": "parent", "class": "S3.FC5"}], "description": "Amazon S3 Access Control Lists (ACLs) enable you to manage access to buckets (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions\">ref</a>).", "long_description": "<b>[NOT RECOMMENDED]</b> Amazon S3 Access Control Lists (ACLs) enable you to manage access to buckets. Each bucket has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to ensure the requester has the necessary access permissions (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions\">ref</a>)."}, "S3.FC9": {"order": 8, "name": "ACL on versioned objects", "class_relationship": [{"type": "parent", "class": "S3.FC3"}, {"type": "parent", "class": "S3.FC9"}], "description": "Amazon S3 Access Control Lists (ACLs) enable you to manage access to object versions (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions\">ref</a>).", "long_description": ""}}, "threats": {"S3.T1": {"feature_class": "S3.FC5", "name": "Bucket takeover to gather data", "description": "Bucket names are globally unique and can be recreated after 1 hour from deletion in another AWS account. An attacker can recreate the same bucket name of a deleted bucket you used to own to collect any new data uploaded by a non-updated party, do a DNS takeover (using a non-deleted CNAME / CloudFront origin to the bucket), or use remaining permissions to exfiltrate data.", "access": {"OPTIONAL": "s3:DeleteBucket"}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1586", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.2}, "S3.T2": {"feature_class": "S3.FC15", "name": "Unauthorized access to data or loss of control of SSE-C encrypted data via bucket replication", "description": "Replication allows you to replicate objects and their metadata and change ownership. The configuration only focuses on new objects (old objects replication requires S3 Batch Replication). An attacker can configure replication on a bucket to replicate objects (or its metadata or tagging) in a bucket they control to exfiltrate data. As objects encrypted via SSE-C are also replicated without additional configuration or access requirements, an attacker can then decrypt it in their own bucket if they have the SSE-C key.", "access": {"AND": ["s3:PutReplicationConfiguration", "iam:PassRole"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1048", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.5}, "S3.T3": {"feature_class": "S3.FC1", "name": "Exfiltrate your data hosted on an external bucket by using compromised IAM credentials accessed over the Internet", "description": "IAM credentials can be compromised. An attacker can use a compromised but authorized credential to download your object from an external bucket via the public endpoint or their VPC endpoint.", "access": {"UNIQUE": "s3:GetObject"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1567", "cvss": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.7}, "S3.T4": {"feature_class": "S3.FC8", "name": "Grant unauthorized access to a private bucket by changing bucket ACL", "description": "Bucket ACL can be used to give access to the bucket information, list the objects, and overwrite/delete objects. An attacker can change the bucket ACL to destroy or modify data, or exfiltrate data via the object name (1KB).", "access": {"UNIQUE": "s3:PutBucketAcl"}, "hlgoal": "DataManipulation", "mitre_attack": "TA0040,T1486", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.2}, "S3.T5": {"feature_class": "S3.FC1", "name": "Unauthorized upload of a private object in an accessible bucket (e.g. public) you do not own", "description": "S3 buckets can be public for a legitimate reason. An attacker (or someone by negligence) can upload sensitive data in an accessible bucket (e.g. public) you do not own to make it accessible to exfiltrate data.", "access": {"UNIQUE": "s3:PutObject"}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1074", "cvss": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.7}, "S3.T6": {"feature_class": "S3.FC1", "name": "Unauthorized modification of an object to become public or accessible in a private bucket you do not own by changing object ACL", "description": "Bucket authority only prevails on object ACL when the object access is explicitly denied (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html\">ref</a>). An attacker (or someone by negligence) can change the object ACL to make it public or accessible for themselves.", "access": {"OR": ["s3:PutObjectAcl", "PutObjectVersionAcl"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.2}, "S3.T7": {"feature_class": "S3.FC1", "name": "Exfiltrate data to an attacker bucket via a public endpoint", "description": "S3 allows IAM entities to upload data in a bucket in other AWS accounts, if they have the IAM permissions. An attacker can use one of your IAM entities to upload data to one of their buckets. If the attacker does not control object ACL, they can use the name of objects (1KB).", "access": {"AND": ["s3:PutObject", {"OPTIONAL": "s3:PutObjectAcl"}]}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537", "cvss": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.7}, "S3.T8": {"feature_class": "S3.FC1", "name": "Exfiltrate data by using an S3 VPC endpoint to upload data to an attacker bucket using an internal IAM entity", "description": "VPC endpoints for S3 allow IAM entities to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate pre-collected data to an external S3 bucket via a VPC endpoint, using an internal IAM entity they control. If the attacker does not control object ACL, they can use the name of objects (1KB).", "access": {"AND": ["s3:PutObject", {"OPTIONAL": "s3:PutObjectAcl"}]}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.5}, "S3.T9": {"feature_class": "S3.FC1", "name": "Exfiltrate data by uploading it to an attacker bucket using a non-authenticated user or an unauthorized external IAM entity via one of your S3 VPC endpoints", "description": "VPC endpoints for S3 allow any entity to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate data to an external S3 bucket via one of your VPC endpoints, using a non-authenticated user or their own external IAM entity. Note that some external IAM entities might be authorized if provided by one of your business partners.", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537", "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.2}, "S3.T10": {"feature_class": "S3.FC28", "name": "Exfiltrate data by using the public endpoint to upload data in an attacker bucket, using external credentials", "description": "AWS authenticates per AWS account. An attacker can use their own credentials to exfiltrate data to external S3 buckets through the S3 public endpoint. It can be a non-authenticated user as well.", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537", "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.2}, "S3.T11": {"feature_class": "S3.FC5", "name": "Move prod data in non-prod environment", "description": "Multiple types of environments are usually operated in AWS. An attacker can move the data from a secure location (e.g. production) to a less secure location (e.g. dev).", "access": {"UNIQUE": "s3:GetObject"}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1074", "cvss": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.4}, "S3.T12": {"feature_class": "S3.FC1", "name": "Intercept data in transit to an external bucket", "description": "S3 allows communication over HTTP. An attacker can intercept the traffic you send to an external bucket, in order to read or modify the data.", "access": {"UNIQUE": "s3:any"}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1557", "cvss": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.6}, "S3.T13": {"feature_class": "S3.FC16", "name": "Read data in transit on the website endpoint", "description": "S3 website endpoint is serving HTTP only. An attacker can intercept the traffic you send to an external bucket to read the data.", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1557", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 3.1}, "S3.T14": {"feature_class": "S3.FC5", "name": "Use a bucket to upload malware or modify an object to include malware", "description": "S3 buckets are commonly used to distribute software. An attacker can upload malware in a bucket to better position it for later use or directly change an object to include malware (<a href=\"https://www.securityweek.com/exposed-twilio-sdk-abused-malvertising-attack\">example</a>).", "access": {"UNIQUE": "s3:PutObject"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0001,T1195", "cvss": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "retired": "false", "cvss_severity": "High", "cvss_score": 7.3}, "S3.T15": {"feature_class": "S3.FC16", "name": "Embed client-side script malware in bucket website", "description": "S3 website enables users to be served client-side scripts (e.g. JavaScript). An attacker can upload a client-side script with malware (e.g. cryptomining) to the visitor.", "access": {"UNIQUE": "s3:PutObject"}, "hlgoal": "FinancialGain", "mitre_attack": "TA0002,T1203", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.5}, "S3.T16": {"feature_class": "S3.FC5", "name": "Files encrypted for ransomware", "description": "S3 provides several types of encryption where the key is not operated by AWS (e.g. SSE-KMS with Bring Your Own Key). An attacker can encrypt all the data stored in S3 to ransom the data owner to get the decryption key (<a href=\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector\">blog</a>). Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded.", "access": {"AND": ["s3:GetObject", "s3:PutObject"]}, "hlgoal": "FinancialGain", "mitre_attack": "TA0040,T1486", "cvss": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.3}, "S3.T17": {"feature_class": "S3.FC1", "name": "Destroy or modify primary data", "description": "S3 provides high durability by design (11 9s). However, data can still be deleted by the customer. An attacker (or someone by negligence) can use its access to destroy (or modify) primary data located on S3, affecting the ability of the business to operate (for example, <a href=\"https://www.networkcomputing.com/cloud-infrastructure/code-spaces-lesson-cloud-backup\">Code Spaces</a>).", "access": {"AND": [{"OR": ["s3:DeleteObject", "s3:PutObject"]}, {"OPTIONAL": "s3:DeleteObjectVersion"}, {"OPTIONAL": "s3:BypassGovernanceMode"}]}, "hlgoal": "DoS", "mitre_attack": "TA0040,T1485", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.1}, "S3.T18": {"feature_class": "S3.FC7", "name": "Exfiltrate data by using tags", "description": "Objects and buckets can have tags. An attacker can use those features to exfiltrate data.", "access": {"AND": [{"OR": ["GetObjectTagging", "s3:GetObjectVersionTagging"]}, {"OR": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"]}]}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1020", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 3.3}, "S3.T19": {"feature_class": "S3.FC28", "name": "Recon of AWS root account emails using the email ACL grantee feature", "description": "S3 allows you to add root account emails in ACL (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee\">ref</a>), and as well resolve the given canonical ID into an AWS account ID (via a bucket policy, which automatically resolves a canonical ID into an ARN). An attacker can do trial-and-error to discover existing AWS root account emails and related AWS account ID (even if you do not use the region where the feature is available); and use this information to launch another attack (e.g. phishing).", "access": {}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0043,T1589", "cvss": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.0}, "S3.T20": {"feature_class": "S3.FC10", "name": "Use CloudFront to access private bucket", "description": "CloudFront distributions can use S3 buckets or access points as their origin. An attacker can connect a CloudFront distribution to a private S3 bucket to get access to it. Note: S3 resource policies can allow a cloudfront.amazonaws.com principal which could allow any distributions if not restricted.", "access": {"OPTIONAL": {"OR": ["s3:PutBucketPolicy", "s3:PutAccessPointPolicy", "s3:PutAccessPointPolicyForObjectLambda"]}}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.5}, "S3.T21": {"feature_class": "S3.FC1", "name": "Exfiltrate data stored on S3 via AWS services", "description": "Number of AWS services are using S3 for storage, including storing in cross-account S3 buckets. Services with IAM roles (e.g. SageMaker) will give ownership to the target AWS account, removing ownership protection. An attacker can use those services to exfiltrate data.", "access": {"OPTIONAL": "s3:PutObjectAcl"}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.8}, "S3.T22": {"feature_class": "S3.FC5", "name": "Hotlinking content from S3 bucket", "description": "S3 charges for hosting and data transfer out. An attacker can hotlink your content hosted on S3 on another page to avoid paying the S3 bills (<a href=\"https://aws.amazon.com/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/\">ref</a>).", "access": {}, "hlgoal": "FinancialDrain", "mitre_attack": "TA0040,T1496", "cvss": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 3.5}, "S3.T23": {"feature_class": "S3.FC28", "name": "Phishing using trademarks", "description": "S3 provides URLs to buckets using the bucket name (i.e. \"<i>mybucket.s3.amazonaws.com</i>\"). An attacker can create a bucket with the name of your trademark to phish users.", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1056", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 3.1}, "S3.T24": {"feature_class": "S3.FC28", "name": "Recon on valid AWS account or IAM principals", "description": "AWS provides error messages in the S3 bucket policy that can be used for basic recon. An attacker can discover whether an AWS account with a specific AWS account ID or AWS IAM principal exists by modifying the S3 policy to grant some rights to the said AWS account/IAM principal.", "access": {}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0043,T1589", "cvss": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.0}, "S3.T25": {"feature_class": "S3.FC13", "name": "Delete objects by using lifecycle", "description": "Lifecycle allows you to delete objects after its configured expiry. An attacker can use a lifecycle configuration to destroy data.", "access": {"UNIQUE": "s3:PutLifecycleConfiguration"}, "hlgoal": "DataManipulation", "mitre_attack": "TA0040,T1485", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.5}, "S3.T26": {"feature_class": "S3.FC1", "name": "Unauthorized object restored into an unauthorized bucket", "description": "Objects can be stored in S3 Glacier. An attacker can restore an object to an unauthorized S3 bucket to collect or exfiltrate data.", "access": {"UNIQUE": "s3:RestoreObject"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1020", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.5}, "S3.T27": {"feature_class": "S3.FC5", "name": "Abuse MD5 etag", "description": "Etags include the MD5 of the file but not consistently and can be used by developers to verify the integrity of a file. An attacker can affect an upload function to change the etag of a file to disrupt a workflow downstream.", "access": {}, "hlgoal": "DataManipulation", "mitre_attack": "TA0040,T1565", "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 1.8}, "S3.T28": {"feature_class": "S3.FC26", "name": "Unauthorized collection of data by swapping access point", "description": "Access points can be deleted and recreated with the same name, and therefore the same ARN. An attacker can delete an access point and recreate the same, on a bucket they control to collect/modify data; or make it accessible over the Internet.", "access": {"AND": ["s3:CreateAccessPoint", "s3:DeleteAccessPoint"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1056", "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.6}, "S3.T29": {"feature_class": "S3.FC16", "name": "Clickjacking on S3 website", "description": "S3 does not enforce certain security headers by default. An attacker can use an iFrame on your website to trick users to interact with their own scripts.", "access": {}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0040,T1496", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.2}, "S3.T30": {"feature_class": "S3.FC5", "name": "Use AWS services to access data on S3", "description": "Number of AWS services can access S3 to execute their functions. An attacker can use them to collect data, using their service role or service-linked roles.", "access": {"UNIQUE": "iam:PassRole"}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1530,T1119", "cvss": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.4}, "S3.T31": {"feature_class": "S3.FC1", "name": "Upload in an authorized external bucket but an incorrect AWS account", "description": "Bucket names are globally unique. An attacker can take over a legitimate external bucket and deceive you into sending data to their bucket.", "access": {"UNIQUE": "s3:PutObject"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537,T1567", "cvss": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.0}, "S3.T32": {"feature_class": "S3.FC28", "name": "Recon on the AWS Region of a bucket", "description": "Error messages can give some information about specific buckets. An attacker who knows the bucket name can find its AWS Region. To find the AWS Region, use \"aws s3 presign bucket-name/whatever\", go to the presign link, and the error message will give you the region, if not in the right region.", "access": {}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0043,T1590", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.3}, "S3.T33": {"feature_class": "S3.FC2", "name": "Gain access by modifying or deleting important object tags", "description": "Tags can be used for various reasons, including security classification or access management (via ABAC). An attacker can change the tagging of an object to another value enabling them to execute another attack.", "access": {"OR": ["s3:PutObjectTagging", "s3:DeleteObjectTagging"]}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0004,T1548", "cvss": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.4}, "S3.T34": {"feature_class": "S3.FC5", "name": "Intercept data in transit to an internal bucket", "description": "S3 allows communication over HTTP. An attacker can intercept the traffic you send on an internal bucket, in order to read or modify the data.", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1557", "cvss": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.6}, "S3.T35": {"feature_class": "S3.FC1", "name": "Use of less secure or old S3 features", "description": "S3 was launched in 2006, and its features have evolved. An attacker can use older features that have been proven less secure by AWS (e.g. certain API configuration, <a href=\"https://aws.amazon.com/blogs/aws/amazon-s3-update-sigv2-deprecation-period-extended-modified/\">SigV2</a>, path-style model), but are still maintained for retro-compatibility.", "access": {"UNIQUE": "s3:deprecated"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0011,T1102", "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 1.9}, "S3.T36": {"feature_class": "S3.FC5", "name": "Object made public or accessible in a private bucket you own by changing object ACL", "description": "Bucket authority only prevails on object ACL when the object access is explicitly denied by the bucket authority (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html\">ref</a>). An attacker (or someone by negligence) can change the object ACL to make the object public or accessible for themselves to exfiltrate or modify the data.", "access": {"UNIQUE": "s3:PutObjectAcl"}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.9}, "S3.T37": {"feature_class": "S3.FC10", "name": "Grant unauthorized access to a private bucket by changing bucket policy", "description": "Bucket policy can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change the bucket policy and make the content accessible (via public endpoints, cross-account VPC endpoints, or cross-account access point).", "access": {"UNIQUE": "s3:PutBucketPolicy"}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.9}, "S3.T38": {"feature_class": "S3.FC10", "name": "Reduce bucket security by deleting the bucket policy", "description": "Bucket policy can deny access to objects, as it supersedes the object authority. An attacker (or someone by negligence) can delete the bucket policy and make the content less secure.", "access": {"UNIQUE": "s3:DeleteBucketPolicy"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0004,T1548", "cvss": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.4}, "S3.T39": {"feature_class": "S3.FC5", "name": "Exfiltrate data by using compromised IAM credentials from the Internet", "description": "IAM credentials can be compromised (directly or using <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html\">pre-signed URL</a>). An attacker can use a compromised but authorized IAM credential to download your object from an internal bucket via the public endpoint (using or not their own VPC endpoint).", "access": {}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1567", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "retired": "false", "cvss_severity": "High", "cvss_score": 7.5}, "S3.T40": {"feature_class": "S3.FC5", "name": "Increase bill by creating incomplete multipart uploads", "description": "By default, when a multipart upload is initiated but not completed, S3 will keep it (<a href=\"https://www.reddit.com/r/aws/comments/immer3/protip_watch_out_for_stranded_multipart_uploads_i/\">ref</a>). An attacker can upload a large amount of data without completing it while being hard to detect.", "access": {"UNIQUE": "s3:PutObject"}, "hlgoal": "FinancialDrain", "mitre_attack": "TA0042,T1586", "cvss": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.3}, "S3.T41": {"feature_class": "S3.FC20", "name": "Exfiltrate data via event notification", "description": "Event notification sends the key to any configured SQS, SNS or Lambda (cross-account), or EventBridge (same account). An attacker can use the name of objects (1KB) to exfiltrate data.", "access": {"UNIQUE": "s3:PutBucketNotification"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537,T1020", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.4}, "S3.T42": {"feature_class": "S3.FC12", "name": "Exfiltrate data via inventory", "description": "Inventory sends the object names (i.e. keys) to any configured S3 bucket. An attacker can use the name of objects (1KB) to exfiltrate data.", "access": {"UNIQUE": "s3:PutBucketInventory"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1020", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.4}, "S3.T43": {"feature_class": "S3.FC1", "name": "Loss of ownership of an object", "description": "S3 Object Ownership enables a bucket receiver to convert a bucket-owner-full-control ACL into an ownership transfer (for a new object); additionally, a bucket can convert all the objects to be owned by the bucket owner. An attacker can modify the receiver bucket to remove your object ACL control on an object and remove your access to this object.", "access": {"OPTIONAL": "s3:PutBucketOwnershipControls"}, "hlgoal": "DataManipulation", "mitre_attack": "TA0040,T1531", "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "retired": "false", "cvss_severity": "High", "cvss_score": 7.1}, "S3.T44": {"feature_class": "S3.FC27", "name": "Exfiltrate, modify or delete objects using Batch", "description": "S3 Batch Operations require an IAM role (with proper trust policy), then can run operations including replicating existing objects, copying, or replacing/deleting object tags. An attacker can use Batch copy or modify objects to exfiltrate or change the access management of an object (if relying on a tag).", "access": {"AND": ["s3:CreateJob", "iam:PassRole"]}, "hlgoal": "DataManipulation", "mitre_attack": "TA0040,T1565", "cvss": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.2}, "S3.T45": {"feature_class": "S3.FC1", "name": "Exfiltrate data via an ungoverned S3 endpoint", "description": "S3 VPC endpoints can be either Interface or Gateway. An attacker can create a second endpoint to create an ungoverned exfiltration vector.", "access": {"UNIQUE": "ec2:CreateVpcEndpoint"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0042,T1584", "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 1.9}, "S3.T46": {"feature_class": "S3.FC32", "name": "Hijack connection with an Object Lambda", "description": "Object Lambda is invoked between the access point and the object. An attacker can configure a Lambda to modify, snoop, or exfiltrate data.", "access": {"OR": ["s3:CreateAccessPointForObjectLambda", "s3:PutAccessPointConfigurationForObjectLambda"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1020", "cvss": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.7}, "S3.T47": {"feature_class": "S3.FC5", "name": "Increase bill by restoring a large amount of data", "description": "Restore cost can be amplified by the size and the type (i.e. expedited). An attacker can restore lots of data to generate costs.", "access": {"UNIQUE": "s3:RestoreObject"}, "hlgoal": "FinancialDrain", "mitre_attack": "TA0042,T1586", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T48": {"feature_class": "S3.FC6", "name": "Affect data protection by removing versioning", "description": "Versioning can be used as the first level of integrity protection. An attacker can suspend versioning to affect the data protection of a bucket.", "access": {"UNIQUE": "s3:PutBucketVersioning"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0040,T1490", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T49": {"feature_class": "S3.FC15", "name": "Affect data protection by removing replication", "description": "Replication can be used as a level of integrity protection and backup. An attacker can remove replication to affect the data protection.", "access": {"UNIQUE": "s3:PutReplicationConfiguration"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0040,T1490", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T50": {"feature_class": "S3.FC8", "name": "DoS by blocking traffic using bucket ACL", "description": "Bucket ACL can allow access (e.g. for CloudFront access logs). An attacker can remove an existing permission to deny legitimate access to the bucket.", "access": {"UNIQUE": "s3:PutBucketAcl"}, "hlgoal": "DoS", "mitre_attack": "TA0040,T1531", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.4}, "S3.T51": {"feature_class": "S3.FC19", "name": "Evade detection by disabling S3 access logs via bucket ACL change", "description": "S3 access logs can be used by SIEM to detect abnormal behaviors. An attacker can disable S3 access logs via bucket ACL changes on the logging destination bucket to evade detection.", "access": {"UNIQUE": "s3:PutBucketAcl"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1564", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T52": {"feature_class": "S3.FC24", "name": "Reduce bucket security by modify the bucket's Public Access Block", "description": "Bucket Public Access Block protects individual buckets from leakage (e.g. object ACL set to public). An attacker can remove this protection by modifying the bucket Public Access Block.", "access": {"UNIQUE": "s3:PutBucketPublicAccessBlock"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.9}, "S3.T53": {"feature_class": "S3.FC25", "name": "Reduce bucket security by modify the account's Public Access Block", "description": "Account Public Access Block protects all buckets of an AWS account from leakage (e.g. object ACL set to public). An attacker can remove this protection by modifying the account's Public Access Block.", "access": {"UNIQUE": "s3:PutAccountPublicAccessBlock"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.9}, "S3.T54": {"feature_class": "S3.FC26", "name": "Grant unauthorized access to a bucket by changing/deleting access point policy", "description": "Access point policy can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change the access point policy and make the content accessible.", "access": {"OR": ["s3:PutAccessPointPolicy", "s3:DeleteAccessPointPolicy", "s3:PutAccessPointPublicAccessBlock"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.8}, "S3.T55": {"feature_class": "S3.FC33", "name": "Grant unauthorized access to buckets by changing the Multi-Region Access Point policy", "description": "Multi-Region Access Point policy can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change the Multi-Region Access Point policy and make the content accessible.", "access": {"UNIQUE": "s3:PutMultiRegionAccessPointPolicy"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1562", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 6.8}, "S3.T56": {"feature_class": "S3.FC33", "name": "Gain unauthorized access to buckets trusting all Multi-Region Access Points", "description": "Buckets used by Multi-Region Access Points can be configured to delegate their access to any MRAP using the condition \"s3:DataAccessPointAccount\". An attacker can create an MRAP, add any misconfigured bucket, and gain access to it.", "access": {"AND": ["s3:CreateMultiRegionAccessPoint", "s3:PutMultiRegionAccessPointPolicy"]}, "hlgoal": "DataTheft", "mitre_attack": "TA0009,T1530", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 5.7}, "S3.T57": {"feature_class": "S3.FC28", "name": "Uncontrolled change in IAM managed policies", "description": "AWS managed policies can be attached to your IAM entities, but their permissions are managed by AWS. An attacker (including AWS insider via a <a href=\"https://aws.amazon.com/security/security-bulletins/AWS-2021-007/\">service-linked role</a>) can use an over-privileged managed permission to execute an attack.", "access": {}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0003,T1098", "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 3.0}, "S3.T58": {"feature_class": "S3.FC19", "name": "Evade detection by disabling S3 access logs via bucket policy change/removal", "description": "S3 access logs can be used by SIEM to detect abnormal behaviors. An attacker can disable S3 access logs via bucket policy changes on the logging destination bucket to evade detection.", "access": {"OR": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"]}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1564", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T59": {"feature_class": "S3.FC19", "name": "Evade detection by modifying S3 access logs", "description": "S3 access logs can be used by SIEM to detect abnormal behaviors. An attacker can modify or disable S3 access logs to evade detection.", "access": {"UNIQUE": "s3:PutBucketLogging"}, "hlgoal": "LaunchAttack", "mitre_attack": "TA0005,T1564", "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "retired": "false", "cvss_severity": "Low", "cvss_score": 2.7}, "S3.T60": {"feature_class": "S3.FC26", "name": "Create an exfiltration vector via cross-account access point", "description": "Access points from a given AWS account can be connected to a cross-account bucket. An attacker can create an access point connected to a bucket they control to exfiltrate data.", "access": {"UNIQUE": "s3:CreateAccessPoint"}, "hlgoal": "DataTheft", "mitre_attack": "TA0010,T1537", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "retired": "false", "cvss_severity": "Medium", "cvss_score": 4.5}}, "control_objectives": {"S3.CO1": {"description": "Enforce encryption-in-transit", "scf": "CRY-03,NET-14"}, "S3.CO2": {"description": "Block S3 endpoints in your corporate perimeter security", "scf": "END-01"}, "S3.CO3": {"description": "Enable CloudTrail S3 data events", "scf": "MON-01,MON-03,MON-08"}, "S3.CO4": {"description": "Monitor S3 with Amazon GuardDuty and Macie", "scf": "MON-01,MON-03,MON-08"}, "S3.CO5": {"description": "Identify and ensure the protection of all external buckets hosting your objects", "scf": "DCH-14,IAC-10,TPM-03,DCH-22"}, "S3.CO6": {"description": "Model the threats on all AWS services accessing S3", "scf": "CPL-02,RSK-06"}, "S3.CO7": {"description": "Limit and monitor access via S3 VPC endpoints", "scf": "IAC-01"}, "S3.CO8": {"description": "Limit the access to the IAM actions required to execute the threats", "scf": "IAC-01,IAC-03,IAC-16,IAC-20,IAC-21,MON-03,MON-16"}, "S3.CO9": {"description": "Block requests with KMS keys from unauthorized AWS account(s)", "scf": "CRY-09"}, "S3.CO10": {"description": "Block changes to make an object public via object ACL", "scf": "IAC-20"}, "S3.CO11": {"description": "Prevent deletion of buckets", "scf": "IAC-01,MON-08"}, "S3.CO12": {"description": "Enforce good coding practice", "scf": "IAO-04,PRM-07,TDA-20"}, "S3.CO13": {"description": "Block direct public access", "scf": "IAC-20,NET-04"}, "S3.CO14": {"description": "Block bucket ACL", "scf": "IAC-01"}, "S3.CO15": {"description": "Identify and ensure the protection of all internal buckets hosting your objects", "scf": "DCH-14,IAC-10,DCH-22"}, "S3.CO16": {"description": "Enforce encryption-at-rest", "scf": "CRY-01,CRY-09,DCH-23"}, "S3.CO17": {"description": "Protect primary data against loss", "scf": "MON-03,MON-08,BCD-11"}, "S3.CO18": {"description": "Encrypt or tokenize critical data", "scf": "CRY-01,CRY-09"}, "S3.CO19": {"description": "Have a process to apply legal hold", "scf": "IRO-08"}, "S3.CO20": {"description": "Use S3 Object Lock to protect data integrity", "scf": "IRO-08"}, "S3.CO21": {"description": "Remove incomplete multipart uploads", "scf": "SEA-07"}, "S3.CO22": {"description": "Block deprecated actions", "scf": "IAC-01"}, "S3.CO23": {"description": "Block all requests not using SigV4", "scf": "IAC-01"}, "S3.CO24": {"description": "Block all requests not using HTTP authorization header, if not explicitly authorized", "scf": "IAC-01"}, "S3.CO25": {"description": "Restrict bucket replication", "scf": "MON-01,MON-03,MON-08,IAC-01"}, "S3.CO26": {"description": "Scan input/output objects for malware", "scf": "END-04"}, "S3.CO27": {"description": "Control event receivers", "scf": "CHG-02,CHG-04"}, "S3.CO28": {"description": "Control where the inventory is stored", "scf": "CHG-02,CHG-04"}, "S3.CO29": {"description": "Limit access from only authorized VPCs", "scf": "IAC-01,IAC-21"}, "S3.CO30": {"description": "Control CloudFront access", "scf": "WEB-02"}, "S3.CO31": {"description": "Protect and/or claim your domains and trademarks/copyrights", "scf": "END-08"}, "S3.CO32": {"description": "Restrict access point access to VPC when in use", "scf": "IAC-01"}, "S3.CO33": {"description": "Control IAM roles used for Batch", "scf": "IAC-01,IAC-20,IAC-21,MON-08"}, "S3.CO34": {"description": "Enforce only authorized Object Lambda Access Point and associated access", "scf": "IAC-01,IAC-20,IAC-21"}, "S3.CO35": {"description": "Deploy only authorized S3 website and are placed behind a CDN", "scf": "IAC-01,IAC-20,IAC-21"}, "S3.CO36": {"description": "Use an unguessable naming convention", "scf": "TDA-20"}, "S3.CO37": {"description": "Disabling ACLs for all buckets", "scf": "IAC-01,IAC-20"}, "S3.CO38": {"description": "Ensure all requests are blocked from unauthorized service roles", "scf": "IAC-01,IAC-20,IAC-21,MON-08"}, "S3.CO39": {"description": "Enforce S3 access logging", "scf": "MON-01,MON-08"}, "S3.CO40": {"description": "Restrict access points to authorized AWS accounts", "scf": "IAC-01"}}, "controls": {"S3.C1": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO1", "retired": "false", "assured_by": "S3.C2", "depends_on": "S3.C119", "description": "Block all unencrypted requests and unauthorized TLS version(s) from IAM entities you control (e.g. by denying all unencrypted requests with the condition \"aws:SecureTransport\" = False, or by using \"s3:TlsVersion\" !=<i>authorized TLS version(s)</i>, using an SCP on your AWS Organization root node).", "testing": "Make an unencrypted S3 API call; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T12", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T34", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 1, "queryable_id": 1}, "S3.C2": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO1", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify the control blocking unencrypted requests and unauthorized TLS version(s) from IAM entities you control (e.g. an SCP on your AWS Organizations root node) is properly implemented.", "testing": "Remove the control blocking unencrypted requests and unauthorized TLS version(s) (e.g. the SCP on your root node); it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 1, "queryable_id": 2}, "S3.C3": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO1", "retired": "false", "assured_by": "S3.C5", "depends_on": "S3.C119", "description": "Block all unencrypted requests and unauthorized TLS version(s) from VPC endpoints you control (e.g. by denying all requests with the condition \"aws:SecureTransport\" = False, or by using \"s3:TlsVersion\" != <i>authorized TLS version(s)</i>, on the VPC endpoint policy).", "testing": "Make an unencrypted AWS API call from one of your VPCs with VPC endpoint; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T12", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T34", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 1, "queryable_id": 3}, "S3.C4": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO1", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor and investigate that all requests made with HTTP (e.g., via CloudTrail S3 data events with the lack of additionalEventData.CipherSuite).", "testing": "Make an unencrypted AWS API call from one of your VPCs with VPC endpoint; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T12", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T34", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 1, "queryable_id": 4}, "S3.C5": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO1", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify a statement exists on all your VPC endpoint policy denying all requests with the condition \"aws:SecureTransport\" = False.", "testing": "Create/remove the statement on a VPC endpoint policy denying 1) all unencrypted requests or 2) unauthorized TLS version(s); it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 1, "queryable_id": 5}, "S3.C6": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO1", "retired": "false", "assured_by": "S3.C7", "depends_on": "S3.C119", "description": "Block all unencrypted requests to S3 bucket you control (e.g. by denying all requests with the condition \"aws:SecureTransport\" = False, or by using \"s3:TlsVersion\" != <i>authorized TLS version(s)</i>, on the S3 bucket policy).", "testing": "Make an unencrypted AWS API call to a bucket you control; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T34", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 1, "queryable_id": 6}, "S3.C7": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO1", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all S3 bucket policies block unencrypted traffic (e.g. using the AWS Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html\">S3_BUCKET_SSL_REQUESTS_ONLY</a>) and unauthorized version(s) of TLS.", "testing": "Remove the statement on a S3 bucket policy 1) denying all unencrypted requests and 2) denying unauthorized TLS versions; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 1, "queryable_id": 7}, "S3.C8": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO2", "retired": "false", "assured_by": "", "depends_on": "", "description": "Block S3 endpoints (<a href=\"https://docs.aws.amazon.com/general/latest/gr/s3.html\">DNS</a> and <a href=\"https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/\">IP ranges</a>) in your corporate perimeter security to the Internet (e.g. firewalls, or cloud interception proxy like <a href=\"https://kivera.io\">Kivera</a>) including via Internet Gateway, to force usage of VPC endpoints. It will block data-plane transfer. Note: AWS console stays functional as it proxies non-data-plane requests (via \"console.aws.amazon.com\").", "testing": "Request the evidence of the implementation of blocking S3 endpoints in your corporate perimeter security (e.g. firewalls) and tests of its effectiveness.", "effort": "Low", "mitigate": [{"threat": "S3.T7", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T10", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T12", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T18", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T34", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC28", "S3.FC5", "S3.FC7"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 2, "queryable_id": 8}, "S3.C9": {"coso": "Directive", "nist_csf": "Detect", "objective": "S3.CO3", "retired": "false", "assured_by": "", "depends_on": "", "description": "Enable <a href=\"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events\">CloudTrail S3 data events</a> in relevant AWS accounts, Regions, and buckets (e.g. production, with sensitive data, etc.). Make it available for security analysis, and protect it using CloudTrail ThreatModel.", "testing": "Request the CloudTrail ThreatModel and the evidence of its application for enabling and protecting S3 data events.", "effort": "Very Low", "mitigate": [{"threat": "S3.T1", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T12", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T34", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T35", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T36", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T39", "impact": "Low", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}], "feature_class": ["S3.FC1", "S3.FC5", "S3.FC8"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 3, "queryable_id": 9}, "S3.C10": {"coso": "Directive", "nist_csf": "Detect", "objective": "S3.CO4", "retired": "false", "assured_by": "", "depends_on": "", "description": "Enable and monitor <a href=\"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html\">S3 protection in Amazon GuardDuty</a> in all AWS accounts in all Regions, and protect it using GuardDuty ThreatModel. Ensure findings are investigated (e.g. using Amazon Detective).", "testing": "Request the GuardDuty ThreatModel and the evidence of its application for enabling, monitoring, investigation and protecting S3 protection.", "effort": "Low", "mitigate": [{"threat": "S3.T3", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T52", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T53", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC24", "S3.FC25", "S3.FC5", "S3.FC8"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 4, "queryable_id": 10}, "S3.C11": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "", "description": "Track all buckets you don't control hosting your objects, define their authorized data classification, identify their respective owners (and AWS account ID), their ObjectACL requirements (including S3 Object Ownership), and get assured of the protection (e.g. through contractual agreement, verified by assurance programs, or using this ThreatModel).", "testing": "Request the list of all authorized external buckets authorized to host your objects, their respective owners (and AWS account ID), their ObjectACL requirements (including S3 Object Ownership), their data classification and the mechanism used to ensure the security of those buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T1", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T3", "impact": "High", "priority": 3.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "Low", "priority": 1.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "High"}, {"threat": "S3.T15", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "High", "priority": 3.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T43", "impact": "Very High", "priority": 4.0, "max_dependency": 3.0, "priority_overall": 4.0, "cvss": "High"}], "feature_class": ["S3.FC1", "S3.FC16", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 5, "queryable_id": 11}, "S3.C12": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "Allow only authorized ACL on objects for buckets you don't control (e.g. using IAM and VPC endpoint policy with the <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#acl-specific-condition-keys\">ACL conditions</a>).", "testing": "Put an object with an unauthorized ACL; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T5", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 5, "queryable_id": 12}, "S3.C13": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "Monitor that only authorized external buckets are used (e.g. via CloudTrail S3 data events in resources[].accountId and resources[].ARN). Both account ID and bucket name must be verified.", "testing": "Make a call to an unauthorized bucket; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T1", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 5, "queryable_id": 13}, "S3.C14": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "Scan all data before uploading to an external bucket to ensure the classification of the data is aligned with the bucket classification (e.g. using Macie).", "testing": "Request 1) the mechanism ensuring all data are scanned for proper data classification before upload to an external bucket are configured, 2) its records of execution for all object upload flows, and 3) the plan to move any older object upload flows.", "effort": "High", "mitigate": [{"threat": "S3.T5", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}, {"threat": "S3.T15", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC16", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 5, "queryable_id": 14}, "S3.C15": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "", "description": "Request access via an S3 access point on a bucket you don't own, if compatible with your interaction with the bucket (e.g. not through not-compatible AWS service).", "testing": "Request the documented reason(s) access point was not implemented in the use case.", "effort": "Low", "mitigate": [{"threat": "S3.T8", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 5, "queryable_id": 15}, "S3.C16": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO6", "retired": "false", "assured_by": "", "depends_on": "", "description": "Analyze and protect all AWS services accessing S3 (e.g. via ThreatModel). Enforce usage in VPC only, whenever possible.", "testing": "Request the threat and mitigating controls for all AWS services using S3.", "effort": "High", "mitigate": [{"threat": "S3.T21", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 6, "queryable_id": 16}, "S3.C17": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "For each VPC, maintain a list of AWS Organizations, OU, and/or AWS account(s) where IAM entities are authorized to access S3.", "testing": "For each VPC, request the list of AWS Organizations, OU, and/or AWS account(s), where IAM entities are authorized to access S3, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 7, "queryable_id": 17}, "S3.C18": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "S3.C17", "description": "For each VPC with an IAM entity allowed to use S3, secure them with the VPC ThreatModel (e.g. <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html\">modification of VPC endpoints, VPC endpoint policy, routing table, Security Groups</a>).", "testing": "Request how VPC ThreatModel for S3 is being applied.", "effort": "High", "mitigate": [{"threat": "S3.T9", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 7, "queryable_id": 18}, "S3.C19": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO7", "retired": "false", "assured_by": "S3.C20", "depends_on": "S3.C17", "description": "Block any IAM entity not belonging to an authorized AWS Organizations, OU, and/or AWS account(s) to call S3 from your VPCs by adding a deny statement on the S3 VPC endpoint policy of each VPC, with the condition using \"aws:PrincipalOrgPaths\" (<a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgpaths\">ref</a>) including the full Org ID, as those are globally unique.", "testing": "For each VPC, do an API call with an IAM entity which is not part of its authorized AWS Organizations path(s); it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T9", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 7, "queryable_id": 19}, "S3.C20": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all S3 VPC endpoint are blocking any IAM entity not belonging to an authorized AWS Organizations, OU and/or AWS account(s).", "testing": "Remove the policy statement blocking any IAM entity not belonging to an authorized AWS Organizations, OU and/or AWS account(s) from the VPC endpoint; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 7, "queryable_id": 20}, "S3.C21": {"coso": "Directive", "nist_csf": "Detect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "Enable <a href=\"https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html\">VPC DNS query logging</a> in all VPC.", "testing": "Request the mechanism to enable VPC DNS query logging in all VPC.", "effort": "Medium", "mitigate": [{"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": 1.0, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 1.0, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 1.0, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 7, "queryable_id": 21}, "S3.C22": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized S3 and S3 access point (and their respective AWS accounts) to be accessed for each VPC.", "testing": "Request the list of authorized S3 and S3 access point to be access for each VPC, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 7, "queryable_id": 22}, "S3.C23": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO7", "retired": "false", "assured_by": "S3.C24", "depends_on": "S3.C22", "description": "Limit the access to only authorized S3 bucket(s) or their AWS account(s) from each VPC (e.g. using the condition key \"s3:ResourceAccount\" on the VPC endpoint policy, alternatively use a specific resource-level statement for each bucket, or if the VPC endpoint policy size is beyond the limit and more granular control on VPC is required, use access points).", "testing": "Make a request to an unauthorized bucket from one of your VPC; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T8", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 7, "queryable_id": 23}, "S3.C24": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all VPCs are limited to access to only authorized S3 bucket(s).", "testing": "Remove the control limiting access to only authorized S3 bucket(s); it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 7, "queryable_id": 24}, "S3.C25": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "S3.C21,S3.C22", "description": "Monitor VPC DNS query logs that only authorized S3 bucket and S3 access points are being queried in each VPC (e.g. using VPC DNS query logging), and protect it using Route53 ThreatModel.", "testing": "Make a DNS query to an unauthorized 1) S3 bucket and 2) S3 access points; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T8", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 7, "queryable_id": 25}, "S3.C26": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO8", "retired": "false", "assured_by": "", "depends_on": "", "description": "Limit the access to the IAM actions required to execute the threats using AWS IAM and/or SCP, following the IAM Operating Model and using the IAM ThreatModel. Use the <a href=\"https://aws.amazon.com/blogs/security/tighten-s3-permissions-iam-users-and-roles-using-access-history-s3-actions/\">IAM Access Advisor</a> to review the usage of non-object-related S3 actions.", "testing": "Request the list of authorized IAM principals with the permissions required to execute the threat actions, its review process, and its review records.", "effort": "High", "mitigate": [{"threat": "S3.T1", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T2", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "High"}, {"threat": "S3.T16", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T18", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T21", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T25", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T26", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T28", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T33", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T35", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}, {"threat": "S3.T36", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T39", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}, {"threat": "S3.T41", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T42", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T44", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T46", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T47", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T48", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T49", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T50", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T51", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T52", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T53", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T54", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T56", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T58", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T59", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T60", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC12", "S3.FC13", "S3.FC15", "S3.FC19", "S3.FC2", "S3.FC20", "S3.FC24", "S3.FC25", "S3.FC26", "S3.FC27", "S3.FC32", "S3.FC33", "S3.FC5", "S3.FC6", "S3.FC7", "S3.FC8"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 8, "queryable_id": 26}, "S3.C27": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO8", "retired": "false", "assured_by": "S3.C28", "depends_on": "", "description": "In the S3 bucket/access point/Object Lambda Access Point policy, do not allow IAM principals of the same AWS account. Only AWS IAM should be used to provide permissions to a principal of the same AWS account.", "testing": "Request all S3 bucket/access point/Object Lambda Access Point policy statements with \"allow\", no principal from the same account should be authorized.", "effort": "Low", "mitigate": [{"threat": "S3.T1", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T2", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}, {"threat": "S3.T16", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T18", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}, {"threat": "S3.T21", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T25", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T26", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T33", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T35", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T36", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T39", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "High"}, {"threat": "S3.T41", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}, {"threat": "S3.T42", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}, {"threat": "S3.T44", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T46", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T54", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T58", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T59", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC12", "S3.FC13", "S3.FC15", "S3.FC19", "S3.FC2", "S3.FC20", "S3.FC26", "S3.FC27", "S3.FC32", "S3.FC33", "S3.FC5", "S3.FC7"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 8, "queryable_id": 27}, "S3.C28": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO8", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all S3 bucket/access point/Object Lambda Access Point policies do not allow an IAM principal of the same AWS account (e.g. using the Config rule S3_BUCKET_POLICY_GRANTEE_CHECK for bucket policy).", "testing": "Add an allow statement for an IAM principal of the same account in 1) a bucket policy, 2) in an access point policy, and 3) in an Object Lambda Access Point; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC12", "S3.FC13", "S3.FC15", "S3.FC19", "S3.FC2", "S3.FC20", "S3.FC26", "S3.FC27", "S3.FC32", "S3.FC33", "S3.FC5", "S3.FC7"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 8, "queryable_id": 28}, "S3.C29": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO36", "retired": "false", "assured_by": "", "depends_on": "", "description": "Use an unguessable naming convention for the email addresses of your AWS accounts (e.g. add a + sign and a random string to redirect the email in the same mailbox).", "testing": "Review naming convention for root account email and their implementation.", "effort": "Medium", "mitigate": [{"threat": "S3.T19", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}], "feature_class": ["S3.FC28"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 36, "queryable_id": 29}, "S3.C30": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO36", "retired": "false", "assured_by": "", "depends_on": "", "description": "Use an unguessable naming convention for your IAM users and IAM roles (e.g. add a random string).", "testing": "Review naming convention for IAM users/role and their implementation.", "effort": "Medium", "mitigate": [{"threat": "S3.T24", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}], "feature_class": ["S3.FC28"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 36, "queryable_id": 30}, "S3.C31": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO9", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized AWS accounts to provide KMS keys for S3 for each AWS account.", "testing": "Request the list of authorized AWS accounts to provide KMS keys for S3 for each AWS account, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T1", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T2", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T27", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Low"}, {"threat": "S3.T28", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T60", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC15", "S3.FC26", "S3.FC5", "S3.FC8"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 9, "queryable_id": 31}, "S3.C32": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO9", "retired": "false", "assured_by": "", "depends_on": "S3.C31", "description": "Block requests with unauthorized AWS account providing the KMS key (e.g. using an SCP, bucket policy, and VPC endpoint deny statement on PutObject if the condition \"s3:x-amz-server-side-encryption-aws-kms-key-id\" is not a KMS key from an authorized AWS account).", "testing": "Make a request encrypted with a KMS key from unauthorized AWS account; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T1", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T2", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T27", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}, {"threat": "S3.T28", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T60", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC15", "S3.FC26", "S3.FC5", "S3.FC8"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 9, "queryable_id": 32}, "S3.C33": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO9", "retired": "false", "assured_by": "", "depends_on": "S3.C31", "description": "Monitor that only authorized AWS accounts to provide KMS keys are used for each AWS account (using CloudTrail S3 data events in \"response.x-amz-server-side-encryption-aws-kms-key-id\").", "testing": "Make a call to an unauthorized bucket; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T1", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T2", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T21", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T27", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Low"}, {"threat": "S3.T28", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC15", "S3.FC26", "S3.FC5", "S3.FC8"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 9, "queryable_id": 33}, "S3.C34": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO10", "retired": "false", "assured_by": "S3.C36", "depends_on": "", "description": "Deny requests to change object ACL to public (e.g. using an SCP, S3 bucket policy, and VPC endpoint policy blocking PutObjectAcl for \"s3:x-amz-grant-read\", \"s3:x-amz-grant-read-acp\", \"s3:x-amz-grant-write-acp\", \"s3:x-amz-grant-full-control\" on the following predefined groups \"http://acs.amazonaws.com/groups/global/AllUsers\" and \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\").", "testing": "Make a call to create a public ObjectACL; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T6", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 10, "queryable_id": 34}, "S3.C35": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO10", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor ObjectACL changed (or tentatively changed) to public using CloudTrail S3 data events.", "testing": "Make a call to create a public ObjectACL; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T6", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 10, "queryable_id": 35}, "S3.C36": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO10", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify the control blocking change ObjectACL to public (e.g. an SCP and VPC endpoint policy) is properly implemented.", "testing": "Remove the control blocking changes of ObjectACL to public; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 10, "queryable_id": 36}, "S3.C37": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO10", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor and investigate anonymous requests to objects (e.g. using CloudTrail S3 data events with userIdentity.accountId=ANONYMOUS_PRINCIPAL).", "testing": "Make an anonymous call; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T36", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 10, "queryable_id": 37}, "S3.C38": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO11", "retired": "false", "assured_by": "S3.C39", "depends_on": "", "description": "Block the action \"s3:DeleteBucket\" (e.g. via SCP, exemption can be managed by authorizing a SuperAdmin to delete buckets with a certain tag, and with bucket owners able to tag bucket).", "testing": "Do a DeleteBucket; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T1", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 11, "queryable_id": 38}, "S3.C39": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO11", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify the control blocking the action \"s3:DeleteBucket\" (e.g. an SCP on your AWS Organizations root node) is properly implemented.", "testing": "Remove the control blocking the action \"s3:DeleteBucket\" (e.g. an SCP on your root node); it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 11, "queryable_id": 39}, "S3.C40": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO11", "retired": "false", "assured_by": "", "depends_on": "", "description": "Scan your CNAME records (e.g. in Route53) and CloudFront origin for deleted buckets.", "testing": "Create a CNAME record and CloudFront origin with an invalid bucket; it should be detected.", "effort": "High", "mitigate": [{"threat": "S3.T1", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 11, "queryable_id": 40}, "S3.C41": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "Parameterize the S3 bucket name or S3 access point in your code (no hardcoding).", "testing": "Request the process on ensuring S3 bucket name or S3 access point are not hard-coded.", "effort": "Medium", "mitigate": [{"threat": "S3.T1", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 12, "queryable_id": 41}, "S3.C42": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "When connecting to S3 endpoints, use virtual-hosted model (\"my-bucket-name.s3.amazonaws.com\" or \"my-bucket-name.my-s3-regional-endpoint.amazonaws.com\") instead of path-style model (\"s3.amazonaws.com/my-bucket-name\" or \"my-s3-regional-endpoint.amazonaws.com/my-bucket-name\") (see <a href=\"https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/\">ref</a>). All the latest SDKs make use of domain style by default.", "testing": "Request the mechanism ensuring the usage of domain style instead of path style.", "effort": "Very Low", "mitigate": [{"threat": "S3.T35", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 12, "queryable_id": 42}, "S3.C43": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor that all S3 connections are made with the virtual-hosted model (e.g. via CloudTrail S3 requestParameters.Host).", "testing": "Make a path-style request to S3; it should be detected.", "effort": "Medium", "mitigate": [{"threat": "S3.T35", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 12, "queryable_id": 43}, "S3.C44": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "Use \"x-amz-checksum\" from the <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMetadata.html#SysMetadata\">object metadata</a> to validate the integrity of the object instead of etag. If etag is used, make sure properly account for its different definitions (<a href=\"https://teppen.io/2018/06/23/aws_s3_etags/\">ref</a>).", "testing": "Request 1) the mechanism ensuring checksum are being used instead of etag, and otherwise ensuring etag different definitions are properly accounted for, and 2) plan to move any older system using etag to use the checksum metadata.", "effort": "Low", "mitigate": [{"threat": "S3.T17", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T27", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 12, "queryable_id": 44}, "S3.C45": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "Do not include sensitive data in bucket names, access point names, object names, object metadata and tags.", "testing": "Request the process ensuring no sensitive data is included in bucket names, object names, object metadata and tags.", "effort": "Low", "mitigate": [{"threat": "S3.T41", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}, {"threat": "S3.T42", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC12", "S3.FC20"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 12, "queryable_id": 45}, "S3.C46": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "", "description": "Ensure all S3 buckets interacted with are in the correct AWS account (e.g. using the condition in all compatible S3 requests: x-amz-expected-bucket-owner and x-amz-source-expected-bucket-owner).", "testing": "Request the process on ensuring that all S3 buckets interacted with are in the correct AWS account.", "effort": "Medium", "mitigate": [{"threat": "S3.T1", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T3", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 12, "queryable_id": 46}, "S3.C47": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO13", "retired": "false", "assured_by": "S3.C48", "depends_on": "", "description": "Front buckets that are required to be public, using authenticated CDN (e.g. CloudFront) or API Gateway, protected with WAF (e.g. for <a href=\"https://aws.amazon.com/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/\">hotlinking</a>).", "testing": "Request the process ensuring that buckets required to be public are front by authenticated CDN or API Gateway.", "effort": "Medium", "mitigate": [{"threat": "S3.T13", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}, {"threat": "S3.T14", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}, {"threat": "S3.T22", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC16", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 13, "queryable_id": 47}, "S3.C48": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO13", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify no bucket is available publicly for write or read (e.g. using the AWS Config rules: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html\">S3_BUCKET_PUBLIC_READ_PROHIBITED</a> and <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html\">S3_BUCKET_PUBLIC_WRITE_PROHIBITED</a>).", "testing": "Create a public S3 bucket; it should be detected.", "effort": "Very Low", "mitigate": [], "feature_class": ["S3.FC16", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 13, "queryable_id": 48}, "S3.C49": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO13", "retired": "false", "assured_by": "S3.C50", "depends_on": "", "description": "Enable account-level S3 Block Public Access on all AWS accounts, with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true.", "testing": "Request 1) the mechanism ensuring account-level S3 Block Public Access is enabled on all AWS accounts, 2) its records of execution for all new AWS accounts, and 3) the plan to move any older AWS accounts.", "effort": "Very Low", "mitigate": [{"threat": "S3.T4", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T36", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 49}, "S3.C50": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO13", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify account-level S3 Block Public Access is enabled on all AWS accounts, with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true (e.g. using the AWS Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html\">S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS</a>).", "testing": "Remove the account-level S3 Block Public Access of an AWS account; it should be detected.", "effort": "Very Low", "mitigate": [], "feature_class": ["S3.FC10", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 50}, "S3.C51": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO13", "retired": "false", "assured_by": "S3.C52", "depends_on": "", "description": "Enable S3 Block Public Access on all S3 buckets, with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true (enable by default for all new buckets after April 2023).", "testing": "Request 1) the mechanism ensuring S3 Block Public Access is enabled on each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Low", "mitigate": [{"threat": "S3.T4", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T36", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 51}, "S3.C52": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO13", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify S3 Block Public Access is enabled on all S3 buckets, with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true (e.g. using the AWS Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html\">S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED</a>).", "testing": "Remove a S3 Block Public Access of an S3 bucket; it should be detected.", "effort": "Very Low", "mitigate": [], "feature_class": ["S3.FC10", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 52}, "S3.C53": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO13", "retired": "false", "assured_by": "S3.C54", "depends_on": "", "description": "Enable S3 Block Public Access on all S3 access points (including multi-region), with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true.", "testing": "Request 1) the mechanism ensuring S3 Block Public Access is enabled on each S3 access point, 2) its records of execution for all new S3 access points, and 3) the plan to move any older S3 access points.", "effort": "Low", "mitigate": [{"threat": "S3.T14", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T36", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T54", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC26", "S3.FC33", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 53}, "S3.C54": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO13", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify S3 Block Public Access is enabled on all S3 access points (including multi-region), with BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets set to true.", "testing": "Remove S3 Block Public Access of 1) an access point, and 2) a Multi-Region Access Point; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC10", "S3.FC26", "S3.FC33", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 13, "queryable_id": 54}, "S3.C55": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO14", "retired": "false", "assured_by": "S3.C57", "depends_on": "", "description": "Deny requests to add bucket ACL (e.g. using an SCP, bucket policy, and VPC endpoint policy blocking \"s3:PutBucketAcl\").", "testing": "Make a call to create a bucket ACL; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T4", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T58", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC19", "S3.FC8"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 14, "queryable_id": 55}, "S3.C56": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO14", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor changes on bucket ACL to ensure it stays private (e.g. using CloudTrail event PutBucketAcl and its fields requestParameters.x-amz-acl should be either \"private\" or not existing).", "testing": "Make a call to have a bucket ACL other than private; it should be detected.", "effort": "Medium", "mitigate": [{"threat": "S3.T4", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T58", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}], "feature_class": ["S3.FC19", "S3.FC8"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 14, "queryable_id": 56}, "S3.C57": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO14", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify the control blocking bucket ACL changes (e.g. an SCP, a bucket policy and VPC endpoint policy) is properly implemented.", "testing": "Remove the control blocking bucket ACL changes; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC19", "S3.FC8"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 14, "queryable_id": 57}, "S3.C58": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO15", "retired": "false", "assured_by": "", "depends_on": "", "description": "Track all buckets you control, define their authorized data classification, identify whether the hosted data is primary (i.e. source of truth, for example logs, backups, forensic data, raw data, etc.) or an input/output of a process (e.g. file-processing, software package, etc.), their WORM requirements (e.g. SEC 17a-4, CTCC, etc.), if they are production/non-production (preferably done at account-level), their storage class, and their dual-layer server-side encryption requirement (e.g. for NSA CNSSP 15, or DAR CP). You may use tags, Infra-as-code, AWS Glue Data Catalog, or external management tools like <a href=\"https://finraos.github.io/herd/\">FINRA herd</a>).", "testing": "Request the list of all buckets you control define their authorized data classification, and identify whether the data is primary and the mechanism and records to ensure the accuracy of those metadata.", "effort": "High", "mitigate": [{"threat": "S3.T5", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "High", "priority": 2.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T15", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Very High", "priority": 3.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T25", "impact": "Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC13", "S3.FC16", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 15, "queryable_id": 58}, "S3.C59": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO15", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "Use a data discovery tool (e.g. Amazon Macie) to ensure no sensitive data is stored in an unauthorized bucket.", "testing": "Upload a higher classification data in a bucket; it should be detected.", "effort": "Medium", "mitigate": [{"threat": "S3.T11", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 15, "queryable_id": 59}, "S3.C60": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO15", "retired": "false", "assured_by": "", "depends_on": "", "description": "Use a data discovery tool (e.g. Amazon Macie) to ensure the bucket names, object names, tags, and metadata do not contain sensitive data.", "testing": "Create a bucket name, object name, tags, or a metadata of an object with sensitive data; it should be detected.", "effort": "Very High", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 15, "queryable_id": 60}, "S3.C61": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "Maintain a list of authorized KMS key(s) for each bucket and their default encryption key. You might simplify by using only 1 key per bucket, ideally dedicated. Note that an S3 server access log bucket does not support KMS encryption (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-how-to-set-up\">ref</a>).", "testing": "Request the list of authorized KMS key(s) for each bucket, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 61}, "S3.C140": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "S3.C62", "depends_on": "", "description": "Ensure all objects on S3 buckets are encrypted with an authorized KMS key.", "testing": "Request the mechanism (including training, or utility) ensuring only authorized KMS key are used for any objects stored in S3.", "effort": "Medium", "mitigate": [{"threat": "S3.T11", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 16, "queryable_id": 140}, "S3.C62": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all objects on S3 buckets are encrypted with an authorized KMS key (e.g. using S3 Inventory, see <a href=\"https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/\">blog</a>, or <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_types\">S3 Storage Lens</a> UnencryptedObjectCount and SSEKMSEnabledBucketCount).", "testing": "Upload an encrypted data using an unauthorized KMS key; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 16, "queryable_id": 62}, "S3.C63": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C61", "description": "Use KMS ThreatModel to protect the KMS keys used for S3 (e.g. using encryptionContext on the policy of each KMS key).", "testing": "Request the KMS ThreatModel and the evidence of its application to protect S3.", "effort": "High", "mitigate": [{"threat": "S3.T17", "impact": "Medium", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 16, "queryable_id": 63}, "S3.C64": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "S3.C65", "depends_on": "S3.C61", "description": "Implement an authorized default encryption key on each bucket; and enable S3 Bucket Key if not DSSE-KMS, if CloudTrail events are not required for KMS encrypt/decrypt (note: Amazon S3 evaluates and applies bucket policies before applying bucket default encryption settings).", "testing": "Request 1) the mechanism implementing an authorized default encryption key on each bucket and enabling S3 Bucket Key, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Low", "mitigate": [{"threat": "S3.T17", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 64}, "S3.C65": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify each bucket has an authorized default encryption key and has S3 Bucket Key enabled.", "testing": "Create/modify a bucket 1) without default encryption, 2) with a wrong default encryption key or 3) without S3 Bucket Key disabled; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 65}, "S3.C66": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "S3.C67", "depends_on": "S3.C61", "description": "Block PutObject requests with unauthorized KMS key on each bucket (e.g. using an S3 bucket policy deny statement on PutObject if the condition if exists \"s3:x-amz-server-side-encryption-aws-kms-key-id\" is not an authorized KMS key).", "testing": "Make a request encrypted with an unauthorized KMS key; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T11", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 66}, "S3.C67": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all buckets block PutObject requests with an unauthorized KMS key (e.g. using the Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-not-more-permissive.html\">S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE</a>, note that a new rule needs be deployed for each configuration, then the resource tracked by name or tag; alternatively you might use <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html\">S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED</a> to ensure a limited coverage).", "testing": "Create a bucket not blocking PutObject requests with an unauthorized KMS key; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 67}, "S3.C68": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C61", "description": "Monitor that only authorized KMS key(s) are used on each bucket (using CloudTrail S3 data events in \"requestParameter.bucketName\" and \"response.x-amz-server-side-encryption-aws-kms-key-id\").", "testing": "Make a request encrypted with an unauthorized KMS key; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 16, "queryable_id": 68}, "S3.C69": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO17", "retired": "false", "assured_by": "S3.C70", "depends_on": "S3.C58", "description": "Enable versioning on buckets holding primary data.", "testing": "Request the mechanism used to ensure versioning on buckets holding primary data, and its records.", "effort": "Very Low", "mitigate": [{"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 17, "queryable_id": 69}, "S3.C70": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO17", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify buckets holding primary data are versioned (e.g. using <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html\">S3_BUCKET_VERSIONING_ENABLED</a>).", "testing": "Remove versioning from a bucket holding primary data; it should be detected.", "effort": "Low", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 17, "queryable_id": 70}, "S3.C71": {"coso": "Directive", "nist_csf": "Recover", "objective": "S3.CO17", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "Backup primary data in a secure location under a different security authority (e.g. in an <a href=\"https://wellarchitectedlabs.com/security/100_labs/100_create_a_data_bunker/1_instructions/\">AWS data bunker account</a> via replication, or using AWS Backup for Amazon S3).", "testing": "Request the mechanism used to backup primary data in a location which have different security authority, its records of execution, and records of restoration testing.", "effort": "Medium", "mitigate": [{"threat": "S3.T16", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T25", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC13", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 17, "queryable_id": 71}, "S3.C72": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO18", "retired": "false", "assured_by": "", "depends_on": "", "description": "Aligned with your data governance, encrypt on the client side - or tokenize - appropriate data.", "testing": "Request the governance and mechanism(s) used to protect data (e.g. encrypt or tokenize critical data on the client side).", "effort": "Very High", "mitigate": [{"threat": "S3.T1", "impact": "Medium", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T3", "impact": "Medium", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T5", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T12", "impact": "Very High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T13", "impact": "Very High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T17", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "High", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC16", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 18, "queryable_id": 72}, "S3.C73": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO19", "retired": "false", "assured_by": "", "depends_on": "", "description": "Create a process to apply a legal hold to any S3 bucket whenever required. The condition \"s3:object-lock-legal-hold\" can be used to restrict who can remove such a lock.", "testing": "Request the process of applying legal hold, and its records.", "effort": "Medium", "mitigate": [{"threat": "S3.T16", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 19, "queryable_id": 73}, "S3.C74": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO20", "retired": "false", "assured_by": "S3.C75", "depends_on": "S3.C58", "description": "Implement the authorized default S3 Object Lock on each bucket (note: Amazon S3 evaluates and applies bucket policies before applying bucket default S3 Object Lock settings).", "testing": "Upload an object without appropriate S3 Object Lock; it should have the S3 Object Lock automatically.", "effort": "Low", "mitigate": [{"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T25", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC13", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 20, "queryable_id": 74}, "S3.C75": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO20", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all buckets have the correct default S3 Object Lock configuration.", "testing": "Create a bucket 1) without S3 Object Lock or 2) with an incorrect default S3 Object Lock; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC13", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 20, "queryable_id": 75}, "S3.C76": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO20", "retired": "false", "assured_by": "S3.C77", "depends_on": "S3.C58", "description": "Block PutObject and PutObjectRetention requests with unauthorized S3 Object Lock on each bucket (e.g. using an S3 bucket policy deny statement on PutObject and PutObjectRetention if the condition if exists \"s3:object-lock-mode\" and \"s3:object-lock-remaining-retention-days\" is not the defined S3 Object Lock configuration).", "testing": "Make a request with an incorrect S3 Object Lock configuration; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T17", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 20, "queryable_id": 76}, "S3.C77": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO20", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all buckets blocks PutObject and PutObjectRetention requests with unauthorized S3 Object Lock (e.g. using the Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-not-more-permissive.html\">S3_BUCKET_POLICY_NOT_MORE_PERMISSIVE</a>, note that a new rule needs be deployed for each configuration, then the resource tracked by name or tag).", "testing": "Create a bucket not blocking PutObject and PutObjectRetention requests with unauthorized S3 Object Lock; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 20, "queryable_id": 77}, "S3.C78": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO21", "retired": "false", "assured_by": "S3.C79", "depends_on": "", "description": "Reduce costs related to incomplete multipart upload by creating a lifecycle policy to remove them after an agreed length of time (e.g. 7 days) (<a href=\"https://aws.amazon.com/blogs/aws/s3-lifecycle-management-update-support-for-multipart-uploads-and-delete-markers/\">blog</a>).", "testing": "Create an incomplete upload, and wait for the agreed time; it should be deleted automatically.", "effort": "Low", "mitigate": [{"threat": "S3.T40", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 21, "queryable_id": 78}, "S3.C79": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO21", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify a lifecycle policy on incomplete multipart uploads is implemented on all buckets (e.g. using AWS Config rule: <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html\">S3_LIFECYCLE_POLICY_CHECK</a>).", "testing": "Create a bucket without a lifecycle policy to remove incomplete multipart upload; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 21, "queryable_id": 79}, "S3.C80": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO22", "retired": "false", "assured_by": "", "depends_on": "", "description": "Block deprecated S3 actions using IAM ThreatModel and the S3 actions list.", "testing": "Request the controls blocking deprecated S3 actions.", "effort": "Low", "mitigate": [{"threat": "S3.T35", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 22, "queryable_id": 80}, "S3.C81": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO23", "retired": "false", "assured_by": "", "depends_on": "", "description": "Block all requests not using SigV4 (e.g. using an SCP and S3 policy on all buckets with deny on \"StringNotEquals\":{\"s3:signatureversion\": \"AWS4-HMAC-SHA256\"}).", "testing": "Make a non-SigV4 AWS API call; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T35", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 23, "queryable_id": 81}, "S3.C82": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO23", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor and investigate that all requests not using SigV4 (e.g. via CloudTrail S3 with the additionalEventData.SignatureVersion different from \"SigV4\").", "testing": "Make a non-SigV4 AWS API call; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T35", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 23, "queryable_id": 82}, "S3.C83": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO23", "retired": "false", "assured_by": "", "depends_on": "", "description": "Use SDK with SigV4 enabled (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#UsingAWSSDK-move-to-Sig4\">ref</a>).", "testing": "Request the mechanism ensuring the use of SDK with SigV4 enabled.", "effort": "Low", "mitigate": [{"threat": "S3.T35", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 23, "queryable_id": 83}, "S3.C84": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO24", "retired": "false", "assured_by": "", "depends_on": "", "description": "Block all requests not using HTTP authorization header, i.e. presign via query strings or POST (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html\">ref</a>) (e.g. using an SCP and S3 policy on all buckets with deny on \"StringNotEquals\":{\"s3:authType\": \"REST-HEADER\"}). Note that it blocks uploads via the console, as well.", "testing": "Make a request with a non-HTTP authorization header; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T39", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}], "feature_class": ["S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 24, "queryable_id": 84}, "S3.C85": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO24", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor and investigate that all requests not using SigV4 (e.g. via CloudTrail S3 with the additionalEventData.SignatureVersion different from \"SigV4\").", "testing": "Make 1) a presigned AWS API call and 2) a POST request; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T39", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "High"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 24, "queryable_id": 85}, "S3.C86": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized buckets to have replication enabled, their target bucket and replication type (i.e. encryption type, ownership, RTC, etc.) (<a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html\">ref</a>).", "testing": "Request the list of authorized buckets to have replication enabled, their target bucket and replication rights, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T2", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 86}, "S3.C134": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO25", "retired": "false", "assured_by": "S3.C87,S3.C88,S3.C117", "depends_on": "S3.C86", "description": "Ensure only authorized buckets have replication enabled and with correct configuration are configured.", "testing": "Request 1) the mechanism ensuring only authorized buckets have replication enabled and with correct configuration are configured, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T2", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 134}, "S3.C87": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized buckets have replication enabled and with correct configuration (e.g. using <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html\">S3 Storage Lens</a> CrossAccountReplicationRuleCount).", "testing": "Configure replication on a non-authorized bucket; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 87}, "S3.C88": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify authorized buckets have the correct replication configuration.", "testing": "Modify the configuration of an authorized replication; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 88}, "S3.C89": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of IAM roles used for replication, ideally dedicated (e.g. using change management process on infrastructure-as-code).", "testing": "Request the list of all IAM roles configured for replication.", "effort": "Medium", "mitigate": [{"threat": "S3.T2", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 89}, "S3.C138": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO25", "retired": "false", "assured_by": "S3.C92", "depends_on": "S3.C89", "description": "Ensure only authorized IAM roles are attached for each replication, ideally dedicated.", "testing": "Request the mechanism ensuring authorized IAM roles are attached for each replication, and the evidence of its execution for all replication configuration.", "effort": "Medium", "mitigate": [{"threat": "S3.T2", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 138}, "S3.C90": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "S3.C89", "description": "Limit the S3 access to the source/destination bucket and replication rights of each authorized IAM role configured for replication.", "testing": "Request the S3 access of replication role, and how they aligned to the replication requirements.", "effort": "Medium", "mitigate": [{"threat": "S3.T2", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 90}, "S3.C91": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "S3.C89", "description": "Limit access to authorized IAM roles used for replication, using the IAM ThreatModel (e.g. trust policy, and \"iam:PassRole\").", "testing": "Request the IAM ThreatModel and the evidence of its application to the IAM roles used for replication.", "effort": "High", "mitigate": [{"threat": "S3.T2", "impact": "High", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 91}, "S3.C92": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only the authorized IAM role is configured for each replication.", "testing": "Create/modify a replication with an unauthorized IAM role; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 92}, "S3.C93": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO26", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "If the bucket is used as an input or the output of a process, scan the objects for malware (e.g. using <a href=\"https://s3-virusscan.widdix.net/\">VirusScan</a>, <a href=\"https://cloudstoragesec.com/amazon-s3\">Cloud Storage Security</a>, <a href=\"https://aws.amazon.com/blogs/apn/amazon-s3-malware-scanning-using-trend-micro-cloud-one-and-aws-security-hub/\">Trend Micro Cloud One</a>, or <a href=\"https://aws.amazon.com/blogs/architecture/how-usaa-built-an-amazon-s3-malware-scanning-solution/\">your own scanning solution</a>).", "testing": "Inject a malware test file; it should be detected.", "effort": "Medium", "mitigate": [{"threat": "S3.T14", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "High"}, {"threat": "S3.T15", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC16", "S3.FC5"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 26, "queryable_id": 93}, "S3.C94": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO27", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized notification receiver(s) (e.g. SNS topic, Lambda, etc.) for each bucket. You might use a simpler approach by using authorized account ID(s) to ensure all your receivers are in authorized AWS account(s).", "testing": "Request the list of authorized notification receiver (e.g. SNS topic, Lambda, etc.) for each bucket, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T41", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Low"}], "feature_class": ["S3.FC20"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 27, "queryable_id": 94}, "S3.C135": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO27", "retired": "false", "assured_by": "S3.C95", "depends_on": "S3.C94", "description": "Ensure only authorized notification receiver(s) (e.g. SNS topic, Lambda, etc.) for each bucket are configured.", "testing": "Request 1) the mechanism ensuring only authorized notification receiver(s) (e.g. SNS topic, Lambda, etc.) for each bucket are configured, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T41", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}], "feature_class": ["S3.FC20"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 27, "queryable_id": 135}, "S3.C95": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO27", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized notification receiver(s) are configured for buckets.", "testing": "Create an unauthorized receiver; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC20"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 27, "queryable_id": 95}, "S3.C96": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO28", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized S3 buckets to receive S3 Inventory of each bucket.", "testing": "Request the list of authorized bucket(s) to receive S3 Inventory of each bucket, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T42", "impact": "Very Low", "priority": 0.0, "max_dependency": 2.0, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC12"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 28, "queryable_id": 96}, "S3.C136": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO28", "retired": "false", "assured_by": "S3.C97", "depends_on": "S3.C96", "description": "Ensure only authorized S3 buckets are configured to receive S3 Inventory for each bucket.", "testing": "Request 1) the mechanism ensuring only authorized S3 buckets are configured to receive S3 Inventory for each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T42", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC12"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 28, "queryable_id": 136}, "S3.C97": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO28", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized buckets are configured to receive inventory.", "testing": "Create an unauthorized bucket to receive inventory; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC12"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 28, "queryable_id": 97}, "S3.C98": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO29", "retired": "false", "assured_by": "", "depends_on": "", "description": "For each S3 bucket, maintain a list of VPC(s) authorized to access it.", "testing": "For each S3 bucket, request the list of authorized VPC to access it, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T17", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T33", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T39", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "High"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC2", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 29, "queryable_id": 98}, "S3.C99": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO29", "retired": "false", "assured_by": "S3.C100", "depends_on": "S3.C98", "description": "Limit the access to only those VPC(s) (e.g. using S3 bucket statement, deny if the condition \"aws:SourceVpce\", or if the bucket policy size is beyond the limit, use this condition on access point).", "testing": "Make a request to the bucket outside an authorized VPC; it should be denied.", "effort": "Very Low", "mitigate": [{"threat": "S3.T11", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T14", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "High"}, {"threat": "S3.T17", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T33", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T39", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC2", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 29, "queryable_id": 99}, "S3.C100": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO29", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all buckets include a control to limit access to only authorized VPC(s) (e.g. using the AWS Config rule <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html\">S3_BUCKET_POLICY_GRANTEE_CHECK</a>).", "testing": "Remove the control limiting access to only authorized VPC(s); it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC2", "S3.FC5"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 29, "queryable_id": 100}, "S3.C101": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO30", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized CloudFront distribution (via Origin Access Control) and associated bucket, access point, and/or Object Lambda Access Point.", "testing": "Request the list of all authorized CloudFront distribution and associated S3 buckets, access points, and/or Object Lambda Access Points.", "effort": "Low", "mitigate": [{"threat": "S3.T20", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC10"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 30, "queryable_id": 101}, "S3.C137": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO30", "retired": "false", "assured_by": "S3.C102", "depends_on": "S3.C101", "description": "Ensure only authorized CloudFront distributions are associated with their authorized bucket, access point, and/or Object Lambda Access Point; and vice versa (e.g. using bucket policy, access point policy, resource policy for an Object Lambda Access Point, limiting the access to only the authorized distribution(s) in the SourceArn).", "testing": "Request 1) the mechanism ensuring only authorized CloudFront distributions are associated with their authorized bucket, access point, and/or Object Lambda Access Point; and vice versa, 2) its records of execution for all new CloudFront distributions, and 3) the plan to move any older CloudFront distributions.", "effort": "Medium", "mitigate": [{"threat": "S3.T20", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC10"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 30, "queryable_id": 137}, "S3.C102": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO30", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all associations of CloudFront distributions with buckets, access points, and/or Object Lambda Access Points are authorized (e.g. using the Macie finding: \"Policy:IAMUser/S3BucketSharedWithCloudFront\").", "testing": "Create a non-authorized distribution or association; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC10"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 30, "queryable_id": 102}, "S3.C103": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO31", "retired": "false", "assured_by": "", "depends_on": "", "description": "Protect and/or claim your domains and trademarks/copyrights (by creating your trademark buckets and using the <a href=\"https://aws.amazon.com/terms/#notice-and-procedure-for-making-claims-of-copyright-infringement\">copyright infringement process</a> from AWS).", "testing": "Request the process by protecting and/or claiming your domains and trademarks/copyrights.", "effort": "Medium", "mitigate": [{"threat": "S3.T23", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}], "feature_class": ["S3.FC28"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 31, "queryable_id": 103}, "S3.C104": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized access between VPCs, S3 access points, and S3.", "testing": "Request the list of authorized access between VPC and S3 access points.", "effort": "Medium", "mitigate": [{"threat": "S3.T7", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T10", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T28", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T54", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T60", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC26", "S3.FC28", "S3.FC33", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 104}, "S3.C105": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO32", "retired": "false", "assured_by": "S3.C109", "depends_on": "S3.C104", "description": "Limit access via the S3 access point by using a VPC endpoint and/or bucket policy with the condition \"s3:DataAccessPointAccount\" or preferably \"s3:DataAccessPointArn\" in an allow statement to reduce the length of the allowlist bucket name in the VPC endpoint/bucket policy.", "testing": "Do a request on an unauthorized access point or bucket; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T7", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T9", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T10", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T54", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC26", "S3.FC28", "S3.FC33", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 105}, "S3.C106": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO32", "retired": "false", "assured_by": "S3.C110", "depends_on": "", "description": "In the S3 bucket policy, deny all IAM principals not using an authorized S3 access point(s) using the condition \"s3:DataAccessPointAccount\" or preferably \"s3:DataAccessPointArn\".", "testing": "Query the bucket outside S3 access point; it should be denied.", "effort": "Medium", "mitigate": [{"threat": "S3.T7", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T28", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T55", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T56", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T60", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC26", "S3.FC33"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 106}, "S3.C107": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "", "description": "Block the creation \"s3:CreateAccessPoint\" of non-VPC S3 access point (e.g. using the condition \"StringNotEquals\": {\"s3:AccessPointNetworkOrigin\": \"VPC\"}).", "testing": "Do a request to create an internet-based access point; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T7", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T28", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T60", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC26"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 107}, "S3.C108": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO32", "retired": "false", "assured_by": "S3.C111", "depends_on": "", "description": "Block all traffic from Internet-configured S3 access point (e.g. on the bucket policy, using a deny statement with the condition \"StringNotEquals\": {\"s3:AccessPointNetworkOrigin\": \"VPC\"}).", "testing": "Create an internet-facing access point and try to access a bucket; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T7", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T10", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T28", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC26", "S3.FC28"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 108}, "S3.C109": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only access points are used in the resource-level statement in VPC endpoints.", "testing": "Create a VPC endpoint giving access to an S3 bucket; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC26", "S3.FC28", "S3.FC33", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 109}, "S3.C110": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify S3 bucket policies deny non-authorized S3 access points.", "testing": "Remove/modify the deny on the bucket policy; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC10", "S3.FC26", "S3.FC33"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 110}, "S3.C111": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all S3 access points are VPC attached.", "testing": "Create an internet-based access point; it should be detected.", "effort": "Low", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC26", "S3.FC28"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 111}, "S3.C112": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO32", "retired": "false", "assured_by": "", "depends_on": "S3.C104", "description": "Block any <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/using-access-points.html#access-points-service-api-support\">object-related operations</a> access to S3 bucket not through access point (i.e. using a deny IAM policy statement with the condition \"ArnNotLike\" {\"s3:DataAccessPointArn\": \"arn:aws:s3:<i>Region</i>:<i>AccountId</i>:accesspoint/*\"}).", "testing": "Access any S3 bucket using the S3 public endpoint; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T7", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 32, "queryable_id": 112}, "S3.C113": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO12", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "When transmitting an object to an external bucket with bucket-owner-full-control ACL requirement but without S3 Object Ownership handover, use 2 separate APIs (PutObject and PutObjectAcl) instead of the built-in object ACL operation in PutObject.", "testing": "Request the process on ensuring that PutObject requests on external bucket with bucket-owner-full-control ACL requirement but without S3 Object Ownership handover use 2 separate APIs.", "effort": "Medium", "mitigate": [{"threat": "S3.T43", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "High"}], "feature_class": ["S3.FC1"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 12, "queryable_id": 113}, "S3.C114": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "For all external buckets with bucket-owner-full-control ACL requirement but without S3 Object Ownership handover, block the PutObject with any ACL (e.g. using IAM or SCP and a deny on the condition \"StringLike\": {\"s3:x-amz-acl\": \"*\"}). It should be called via PutObjectAcl.", "testing": "Make a request to an external bucket with bucket-owner-full-control ACL requirement but without S3 Object Ownership handover requirement; it should be denied.", "effort": "High", "mitigate": [{"threat": "S3.T43", "impact": "Very High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "High"}], "feature_class": ["S3.FC1"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 5, "queryable_id": 114}, "S3.C115": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO5", "retired": "false", "assured_by": "", "depends_on": "S3.C11", "description": "For all external bucket with bucket-owner-full-control ACL requirements but without S3 Object Ownership handover, monitor that the PutObject do not include the ACL operation.", "testing": "Make a request to an external bucket with bucket-owner-full-control ACL requirement but without S3 Object Ownership handover requirement; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T43", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "High"}], "feature_class": ["S3.FC1"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 5, "queryable_id": 115}, "S3.C116": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor abnormal behavior on replication CloudWatch metrics (i.e. <i>BytesPendingReplication</i>, <i>OperationsPendingReplication</i>, and <i>OperationFailedReplication</i>).", "testing": "Create an abnormal replication, or block a replication; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T2", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T49", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC15"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 25, "queryable_id": 116}, "S3.C117": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO25", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all replicated buckets have metrics enabled on each replication rule (included by default in S3 RTC).", "testing": "Modify the replication metric of an authorized replication; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC15"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 25, "queryable_id": 117}, "S3.C118": {"coso": "Directive", "nist_csf": "Detect", "objective": "S3.CO4", "retired": "false", "assured_by": "", "depends_on": "", "description": "Enable <a href=\"https://docs.aws.amazon.com/macie/latest/user/findings-types.html#findings-policy-types\">S3 policy findings in Amazon Macie</a> in all AWS accounts in all Regions, and protect it using Macie ThreatModel.", "testing": "Request the Macie ThreatModel and the evidence of its application for enabling and protecting S3 policy findings.", "effort": "Very Low", "mitigate": [{"threat": "S3.T2", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T4", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T22", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}, {"threat": "S3.T36", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}, {"threat": "S3.T38", "impact": "Medium", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC15", "S3.FC5", "S3.FC8"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 4, "queryable_id": 118}, "S3.C119": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO1", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized version(s) of TLS/SSL per bucket (or per account/OU/Org).", "testing": "Request the list of authorized version(s) of TLS/SSL per bucket (or per account/OU/Org), its review mechanism and associated records.", "effort": "Low", "mitigate": [{"threat": "S3.T12", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T34", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 1, "queryable_id": 119}, "S3.C120": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO33", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of IAM roles used for Batch job, ideally dedicated (e.g. using change management process on infrastructure-as-code).", "testing": "Request the list of all IAM roles configured for Batch job.", "effort": "Medium", "mitigate": [{"threat": "S3.T44", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC27"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 33, "queryable_id": 120}, "S3.C139": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO33", "retired": "false", "assured_by": "S3.C123", "depends_on": "S3.C120", "description": "Ensure only an authorized IAM role is attached on each Batch job.", "testing": "Request the mechanism ensuring only an authorized IAM role is attached on each Batch job, and the evidence of its execution for all new {resource}.", "effort": "Medium", "mitigate": [{"threat": "S3.T44", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC27"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 33, "queryable_id": 139}, "S3.C121": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO33", "retired": "false", "assured_by": "", "depends_on": "S3.C120", "description": "Limit the access to only required resources/permissions (e.g. source/destination bucket, Lambda functions) of each authorized IAM role configured for Batch jobs.", "testing": "Request the access to only required resources/permissions for each Batch IAM role, and how they aligned to the replication requirements.", "effort": "Medium", "mitigate": [{"threat": "S3.T44", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC27"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 33, "queryable_id": 121}, "S3.C122": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO33", "retired": "false", "assured_by": "", "depends_on": "S3.C120", "description": "Limit access to authorized IAM roles used for Batch job, using the IAM ThreatModel (e.g. trust policy, and \"iam:PassRole\").", "testing": "Request the IAM ThreatModel and the evidence of its application to the IAM roles used for Batch job.", "effort": "Medium", "mitigate": [{"threat": "S3.T44", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC27"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 33, "queryable_id": 122}, "S3.C123": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO33", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only the authorized IAM role is configured for each Batch job.", "testing": "Create/modify a Batch job with an unauthorized IAM role; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC27"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 33, "queryable_id": 123}, "S3.C124": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO7", "retired": "false", "assured_by": "", "depends_on": "", "description": "Ensure all S3 VPC endpoints (Interface and Gateway) are covered by the VPC endpoints controls.", "testing": "Request the mechanism ensuring all S3 VPC endpoints (Interface and Gateway) are covered by the VPC endpoints controls, and its records.", "effort": "Low", "mitigate": [{"threat": "S3.T45", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC1"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 7, "queryable_id": 124}, "S3.C125": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized Lambda function for each Object Lambda Access Point, its associated access point, its associated HEAD/LIST/GET request(s), and payload.", "testing": "Request the list of authorized Lambda function for each Object Lambda Access Point, its associated access point, its associated HEAD/LIST/GET request(s), and payload, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T46", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 34, "queryable_id": 125}, "S3.C126": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO34", "retired": "false", "assured_by": "S3.C127", "depends_on": "S3.C125", "description": "Ensure only authorized Lambda function for each Object Lambda Access Point, its associated access point, its associated HEAD/LIST/GET request(s), and payload are created.", "testing": "Request the mechanism ensuring only authorized Lambda function for each Object Lambda Access Point, its associated access point, its associated HEAD/LIST/GET request(s), and payload, and the evidence of its execution.", "effort": "Medium", "mitigate": [{"threat": "S3.T46", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 34, "queryable_id": 126}, "S3.C127": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only the authorized Lambda function are configured on each Object Lambda Access Point, its associated access point, its associated HEAD/LIST/GET request(s), and payload.", "testing": "Attach 1) an unauthorized Lambda function on an Object Lambda Access Point, 2) an unauthorized Object Lambda Access Point to an access point, 3) an authorized Lambda function with an unauthorized HEAD/LIST/GET request on an Object Lambda Access Point, and 4) an authorized Lambda function with an unauthorized payload; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC32"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 34, "queryable_id": 127}, "S3.C128": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Ensure Lambda functions configured on Object Lambda Access Point are secured using Lambda ThreatModel.", "testing": "Request the mechanism ensuring Lambda ThreatModel and its application for Lambda functions associated to Object Lambda Access Point, and its records of execution.", "effort": "Medium", "mitigate": [{"threat": "S3.T46", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 34, "queryable_id": 128}, "S3.C129": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of cross-account access on each Object Lambda Access Point.", "testing": "Request the list of authorized cross-account access for each Object Lambda Access Point, its review process, and its review records.", "effort": "Very Low", "mitigate": [{"threat": "S3.T46", "impact": "Very Low", "priority": 1.0, "max_dependency": 2.0, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 34, "queryable_id": 129}, "S3.C130": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO34", "retired": "false", "assured_by": "S3.C131", "depends_on": "S3.C129", "description": "Ensure only authorized cross-account IAM entities are allowed in the Object Lambda Access Point policy.", "testing": "Request the mechanism ensuring only cross-account IAM entities are allowed in the Object Lambda Access Point policy, and the evidence of its execution.", "effort": "Low", "mitigate": [{"threat": "S3.T46", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 34, "queryable_id": 130}, "S3.C131": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only the authorized cross-account IAM entities are allowed in the Object Lambda Access Point policy.", "testing": "Add 1) an unauthorized cross-account IAM entity on an Object Lambda Access Point policy; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC32"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 34, "queryable_id": 131}, "S3.C132": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO34", "retired": "false", "assured_by": "S3.C133", "depends_on": "", "description": "Ensure CloudWatch is enabled for all Object Lambda Access Points.", "testing": "Request the mechanism ensuring CloudWatch is enabled for all Object Lambda Access Points, and its records of execution.", "effort": "Low", "mitigate": [{"threat": "S3.T46", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC32"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 34, "queryable_id": 132}, "S3.C133": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO34", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify CloudWatch is enabled for all Object Lambda Access Points.", "testing": "Create an Object Lambda Access Point without CloudWatch enabled; it should be detected.", "effort": "Low", "mitigate": [], "feature_class": ["S3.FC32"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 34, "queryable_id": 133}, "S3.C141": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO35", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized buckets to be configured as a S3 website endpoint.", "testing": "Request the list of authorized buckets to be configured as a website endpoint, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T13", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Low"}, {"threat": "S3.T29", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC16"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 35, "queryable_id": 141}, "S3.C142": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO35", "retired": "false", "assured_by": "S3.C143", "depends_on": "S3.C141", "description": "Ensure only authorized buckets are configured as a S3 website endpoint.", "testing": "Request 1) the mechanism ensuring only authorized buckets are configured as a S3 website endpoint, 2) its records of execution for all new website-enabled buckets, and 3) the plan to move any older website-enabled buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T13", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}, {"threat": "S3.T29", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC16"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 35, "queryable_id": 142}, "S3.C143": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO35", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized buckets are configured as S3 website endpoints.", "testing": "Enable static website hosting on an unauthorized bucket; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC16"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 35, "queryable_id": 143}, "S3.C144": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO35", "retired": "false", "assured_by": "", "depends_on": "S3.C141", "description": "Ensure S3 website endpoints are protected with HTTP headers (<a href=\"https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/\">ref</a>) using a CDN (e.g. CloudFront).", "testing": "Request the mechanism ensuring S3 website endpoints are protected with HTTP headers.", "effort": "Medium", "mitigate": [{"threat": "S3.T13", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Low"}, {"threat": "S3.T29", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC16"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 35, "queryable_id": 144}, "S3.C145": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of buckets (or paths) required to be encrypted with server-side encryption with customer-provided keys (SSE-C).", "testing": "Request the list of buckets (or paths) required to be encrypted with server-side encryption with customer-provided keys (SSE-C), its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 145}, "S3.C146": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "S3.C147", "depends_on": "S3.C145", "description": "For buckets (or paths) requiring SSE-C, block PutObject requests with unauthorized encryption (e.g. using an S3 bucket policy deny statement on PutObject if the condition \"s3:x-amz-server-side-encryption-customer-algorithm\"=\"AES256\" is not present).", "testing": "Make a request to a bucket (or path) requiring SSE-C without the proper encryption; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T11", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T20", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T37", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 146}, "S3.C147": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "", "description": "For buckets (or paths) requiring SSE-C, verify all buckets block PutObject requests with unauthorized encryption.", "testing": "Create a bucket requiring SSE-C not blocking PutObject requests with unauthorized encryption; it should be detected.", "effort": "High", "mitigate": [], "feature_class": ["S3.FC10", "S3.FC5"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 16, "queryable_id": 147}, "S3.C148": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C145", "description": "For buckets (or paths) requiring SSE-C, monitor that only authorized encryption is used on each bucket or path (using CloudTrail S3 data events in <i>requestParameter.bucketName</i> and <i>response.x-amz-server-side-encryption-customer-algorithm</i>).", "testing": "Make a request to a bucket (or path) requiring SSE-C without the proper encryption; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T16", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T30", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 16, "queryable_id": 148}, "S3.C149": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO8", "retired": "false", "assured_by": "", "depends_on": "", "description": "For each bucket, maintain a list of authorized IAM principals allowed to access via bucket policy.", "testing": "Request the list of authorized a list of authorized IAM principals allowed to access via bucket policy, its review process, and its review records.", "effort": "Medium", "mitigate": [{"threat": "S3.T37", "impact": "Very Low", "priority": 0.0, "max_dependency": 4.0, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC10"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 8, "queryable_id": 149}, "S3.C150": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO8", "retired": "false", "assured_by": "S3.C151", "depends_on": "S3.C149", "description": "Ensure only authorized a list of authorized IAM principals allowed to access via bucket policy are configured (e.g. using IAM Access Analyzer for the reconciliation).", "testing": "Request 1) the mechanism ensuring only authorized IAM principals allowed to access via bucket policy are configured, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T37", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC10"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 8, "queryable_id": 150}, "S3.C151": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO8", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized IAM principals allowed to access via bucket policy are used (e.g. using the AWS Config rule <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html\">S3_BUCKET_POLICY_GRANTEE_CHECK</a>).", "testing": "Allow an unauthorized IAM principal on a bucket policy; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC10"], "weighted_priority": "High", "weighted_priority_score": 3, "queryable_objective_id": 8, "queryable_id": 151}, "S3.C152": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO37", "retired": "false", "assured_by": "S3.C154", "depends_on": "", "description": "Ensure bucket ACL and object ACL are disabled on each bucket (enable by default for all new buckets after April 2023).", "testing": "Request 1) the mechanism ensuring bucket ACL and object ACL are disabled on each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets.", "effort": "Medium", "mitigate": [{"threat": "S3.T4", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T43", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T52", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T53", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC24", "S3.FC25", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 37, "queryable_id": 152}, "S3.C153": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO37", "retired": "false", "assured_by": "", "depends_on": "", "description": "Prevent the creation of buckets with ACL enabled (e.g. by using a SCP and/or an IAM policy on \"s3:CreateBucket\" with a deny statement on StringNotEquals \"s3:x-amz-object-ownership\":\"BucketOwnerEnforced\"). Note that it does not block someone from enabling an ACL afterward via PutPutBucketOwnershipControls.", "testing": "Create a bucket to enable ACL; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T4", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T6", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T36", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T43", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "High"}, {"threat": "S3.T52", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}, {"threat": "S3.T53", "impact": "High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC24", "S3.FC25", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 37, "queryable_id": 153}, "S3.C154": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO37", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify bucket ACL and object ACL are disabled on each bucket (e.g. using the AWS Config rule <a href=\"https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html\">S3_BUCKET_ACL_PROHIBITED</a> for bucket ACL, <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html\">S3 Storage Lens</a> ObjectOwnershipBucketOwnerEnforcedBucketCount, or S3 Inventory which include object ACL metadata).", "testing": "Create/modify a bucket to enable ACL; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC1", "S3.FC24", "S3.FC25", "S3.FC5", "S3.FC8"], "weighted_priority": "Very High", "weighted_priority_score": 4, "queryable_objective_id": 37, "queryable_id": 154}, "S3.C155": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO38", "retired": "false", "assured_by": "S3.C156", "depends_on": "", "description": "Ensure all requests are blocked from unauthorized service roles (e.g. by denying all requests with the principal \"arn:aws:iam::*:*/AWSServiceRoleFor*\" on S3 bucket policies).", "testing": "Request 1) the mechanism ensuring only authorized service roles can access each bucket, 2) its records of execution for all new bucket, and 3) the plan to move any older bucket.", "effort": "Low", "mitigate": [{"threat": "S3.T57", "impact": "Very High", "priority": 4.0, "max_dependency": null, "priority_overall": 4.0, "cvss": "Low"}], "feature_class": ["S3.FC28"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 38, "queryable_id": 155}, "S3.C156": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO38", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify all requests are blocked from unauthorized service roles.", "testing": "Remove the statement on a S3 bucket policy denying all unauthorized service roles; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC28"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 38, "queryable_id": 156}, "S3.C157": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO39", "retired": "false", "assured_by": "", "depends_on": "", "description": "Monitor PutBucketLogging to detect bucket logging changes, including deactivation and bucket change (i.e. using CloudTrail event \"PutBucketLogging\" and \"requestParameters.BucketLoggingStatus\" field to examine the lack of \"LoggingEnabled\" key or an unauthorized bucket in \"requestParameters.BucketLoggingStatus.LoggingEnabled.TargetBucket\").", "testing": "Make a call to 1) disable bucket logging, or 2) change to an unauthorized bucket; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T59", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Low"}], "feature_class": ["S3.FC19"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 39, "queryable_id": 157}, "S3.C158": {"coso": "Directive", "nist_csf": "Identify", "objective": "S3.CO40", "retired": "false", "assured_by": "", "depends_on": "", "description": "Maintain a list of authorized S3 buckets and their AWS account for cross-account access points.", "testing": "Request the list of authorized S3 buckets and their AWS account for cross-account access points, its review process, and its review records.", "effort": "Low", "mitigate": [{"threat": "S3.T60", "impact": "Very Low", "priority": 0.0, "max_dependency": 3.0, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC26"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 40, "queryable_id": 158}, "S3.C159": {"coso": "Directive", "nist_csf": "Protect", "objective": "S3.CO40", "retired": "false", "assured_by": "S3.C161", "depends_on": "S3.C158", "description": "Ensure only authorized S3 buckets and their AWS account for cross-account access points are configured.", "testing": "Request 1) the mechanism ensuring only authorized S3 buckets and their AWS account for cross-account access points are configured, 2) its records of execution for all new S3 buckets and their AWS account for cross-account access points, and 3) the plan to move any older S3 buckets and their AWS account for cross-account access points.", "effort": "Medium", "mitigate": [{"threat": "S3.T60", "impact": "High", "priority": 3.0, "max_dependency": null, "priority_overall": 3.0, "cvss": "Medium"}], "feature_class": ["S3.FC26"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 40, "queryable_id": 159}, "S3.C160": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO40", "retired": "false", "assured_by": "", "depends_on": "S3.C158", "description": "Monitor CreateAccessPoint to detect unauthorized buckets or AWS accounts (i.e. using CloudTrail event CreateAccessPoint and its fields \"requestParameters.CreateAccessPointRequest.Bucket\" and \"requestParameters.CreateAccessPointRequest.BucketAccountId\").", "testing": "Call the API to create a cross-account access point with an unauthorized 1) bucket or 2) an authorized bucket in an unauthorized AWS account; it should be detected.", "effort": "Medium", "mitigate": [{"threat": "S3.T60", "impact": "Medium", "priority": 2.0, "max_dependency": null, "priority_overall": 2.0, "cvss": "Medium"}], "feature_class": ["S3.FC26"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 40, "queryable_id": 160}, "S3.C161": {"coso": "Assurance", "nist_csf": "Detect", "objective": "S3.CO40", "retired": "false", "assured_by": "", "depends_on": "", "description": "Verify only authorized S3 buckets and their AWS account for cross-account access points are used.", "testing": "Deploy a cross-account access point with an unauthorized 1) bucket or 2) an authorized bucket in an unauthorized AWS account; it should be detected.", "effort": "Medium", "mitigate": [], "feature_class": ["S3.FC26"], "weighted_priority": "Medium", "weighted_priority_score": 2, "queryable_objective_id": 40, "queryable_id": 161}, "S3.C162": {"coso": "Preventative", "nist_csf": "Protect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "Block requests not using DSSE-KMS when required (e.g. by using an SCP and/or an IAM policy on requestParameter.bucketName with a deny statement on \"s3:x-amz-server-side-encryption\" = \"aws:kms:dsse\").", "testing": "Make a request not using DSSE-KMS on a required S3 bucket; it should be denied.", "effort": "Low", "mitigate": [{"threat": "S3.T5", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Low", "priority": 1.0, "max_dependency": null, "priority_overall": 1.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Low", "weighted_priority_score": 1, "queryable_objective_id": 16, "queryable_id": 162}, "S3.C163": {"coso": "Detective", "nist_csf": "Detect", "objective": "S3.CO16", "retired": "false", "assured_by": "", "depends_on": "S3.C58", "description": "Monitor requests not using DSSE-KMS when required (e.g. using CloudTrail log event name(s) CloudTrail S3 data events with field(s) requestParameter.bucketName and \"response.x-amz-server-side-encryption-aws\").", "testing": "Make a request not using DSSE-KMS on a required S3 bucket; it should be detected.", "effort": "Low", "mitigate": [{"threat": "S3.T5", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T7", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T8", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T11", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}, {"threat": "S3.T31", "impact": "Very Low", "priority": 0.0, "max_dependency": null, "priority_overall": 0.0, "cvss": "Medium"}], "feature_class": ["S3.FC1", "S3.FC5"], "weighted_priority": "Very Low", "weighted_priority_score": 0, "queryable_objective_id": 16, "queryable_id": 163}}, "actions": {"S3.A1": {"action_description": "Aborts a multipart upload.", "api": "AbortMultipartUpload", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:AbortMultipartUpload", "event_name": "AbortMultipartUpload", "stage": "ga", "action_id_int": 1}, "S3.A2": {"action_description": "Grants permission to allow circumvention of governance-mode object retention settings (for DeleteObject, DeleteObjects and PutObjectRetention).", "api": "-", "endpoint": "s3", "feature_class": "S3.FC17", "feature_class_action_type": "core", "iam_permission": "s3:BypassGovernanceRetention", "event_name": "-", "stage": "ga", "action_id_int": 2}, "S3.A3": {"action_description": "Completes a multipart upload by assembling previously uploaded parts.", "api": "CompleteMultipartUpload", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:PutObject", "event_name": "CompleteMultipartUpload", "stage": "ga", "action_id_int": 3}, "S3.A4": {"action_description": "Creates a copy of an object that is already stored in Amazon S3.", "api": "CopyObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObject,s3:PutObject", "event_name": "CopyObject", "stage": "ga", "action_id_int": 4}, "S3.A5": {"action_description": "Creates a new bucket.", "api": "CreateBucket", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "core", "iam_permission": "s3:CreateBucket", "event_name": "CreateBucket", "stage": "ga", "action_id_int": 5}, "S3.A6": {"action_description": "Initiates a multipart upload and returns an upload ID.", "api": "CreateMultipartUpload", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObject,s3:PutObject", "event_name": "CreateMultipartUpload", "stage": "ga", "action_id_int": 6}, "S3.A7": {"action_description": "Deletes the bucket. All objects (including all object versions and delete markers) in the bucket must be deleted before the bucket itself can be deleted.", "api": "DeleteBucket", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "other", "iam_permission": "s3:DeleteBucket", "event_name": "DeleteBucket", "stage": "ga", "action_id_int": 7}, "S3.A8": {"action_description": "Deletes an analytics configuration for the bucket.", "api": "DeleteBucketAnalyticsConfiguration", "endpoint": "s3", "feature_class": "S3.FC11", "feature_class_action_type": "other", "iam_permission": "s3:PutAnalyticsConfiguration", "event_name": "DeleteBucketAnalyticsConfiguration", "stage": "ga", "action_id_int": 8}, "S3.A9": {"action_description": "Deletes the CORS configuration information set for the bucket.", "api": "DeleteBucketCors", "endpoint": "s3", "feature_class": "S3.FC22", "feature_class_action_type": "other", "iam_permission": "s3:PutBucketCORS", "event_name": "DeleteBucketCors", "stage": "ga", "action_id_int": 9}, "S3.A10": {"action_description": "Removes default encryption from the bucket.", "api": "DeleteBucketEncryption", "endpoint": "s3", "feature_class": "S3.FC23", "feature_class_action_type": "other", "iam_permission": "s3:PutEncryptionConfiguration", "event_name": "DeleteBucketEncryption", "stage": "ga", "action_id_int": 10}, "S3.A11": {"action_description": "Deletes an inventory configuration from the bucket.", "api": "DeleteBucketInventoryConfiguration", "endpoint": "s3", "feature_class": "S3.FC12", "feature_class_action_type": "other", "iam_permission": "s3:PutInventoryConfiguration", "event_name": "DeleteBucketInventoryConfiguration", "stage": "ga", "action_id_int": 11}, "S3.A12": {"action_description": "Deletes the lifecycle configuration from the bucket.", "api": "DeleteBucketLifecycle", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:PutLifecycleConfiguration", "event_name": "DeleteBucketLifecycle", "stage": "ga", "action_id_int": 12}, "S3.A13": {"action_description": "Deletes a metrics configuration for the Amazon CloudWatch request metrics (specified by the metrics configuration ID) from the bucket. Note that this doesn't include the daily storage metrics.", "api": "DeleteBucketMetricsConfiguration", "endpoint": "s3", "feature_class": "S3.FC14", "feature_class_action_type": "other", "iam_permission": "s3:PutMetricsConfiguration", "event_name": "DeleteBucketMetricsConfiguration", "stage": "ga", "action_id_int": 13}, "S3.A14": {"action_description": "Deletes the policy on a specified bucket.", "api": "DeleteBucketPolicy", "endpoint": "s3", "feature_class": "S3.FC10", "feature_class_action_type": "other", "iam_permission": "s3:DeleteBucketPolicy", "event_name": "DeleteBucketPolicy", "stage": "ga", "action_id_int": 14}, "S3.A15": {"action_description": "Deletes the replication configuration from the bucket.", "api": "DeleteBucketReplication", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:PutReplicationConfiguration", "event_name": "DeleteBucketReplication", "stage": "ga", "action_id_int": 15}, "S3.A16": {"action_description": "Deletes the tags from the bucket.", "api": "DeleteBucketTagging", "endpoint": "s3", "feature_class": "S3.FC7", "feature_class_action_type": "other", "iam_permission": "s3:PutBucketTagging", "event_name": "DeleteBucketTagging", "stage": "ga", "action_id_int": 16}, "S3.A17": {"action_description": "Removes the website configuration for a bucket.", "api": "DeleteBucketWebsite", "endpoint": "s3", "feature_class": "S3.FC16", "feature_class_action_type": "other", "iam_permission": "s3:DeleteBucketWebsite", "event_name": "DeleteBucketWebsite", "stage": "ga", "action_id_int": 17}, "S3.A18": {"action_description": "Deletes an object permanently (non-versioned bucket) or inserts a delete marker (versioned bucket).", "api": "DeleteObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "core", "iam_permission": "s3:DeleteObject", "event_name": "DeleteObject", "stage": "ga", "action_id_int": 18}, "S3.A19": {"action_description": "Permanently deletes an object or a delete marker from a bucket.", "api": "DeleteObject(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC3", "feature_class_action_type": "other", "iam_permission": "s3:DeleteObjectVersion", "event_name": "DeleteObject", "stage": "ga", "action_id_int": 19}, "S3.A20": {"action_description": "Deletes multiple objects permanently (non-versioned bucket) or inserts delete markers (versioned bucket).", "api": "DeleteObjects", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:DeleteObject", "event_name": "DeleteObjects", "stage": "ga", "action_id_int": 20}, "S3.A21": {"action_description": "Permanently deletes multiple objects or delete markers from a bucket.", "api": "DeleteObjects(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC3", "feature_class_action_type": "other", "iam_permission": "s3:DeleteObjectVersion", "event_name": "DeleteObjects", "stage": "ga", "action_id_int": 21}, "S3.A22": {"action_description": "Removes the entire tag set from the specified object.", "api": "DeleteObjectTagging", "endpoint": "s3", "feature_class": "S3.FC2", "feature_class_action_type": "other", "iam_permission": "s3:DeleteObjectTagging", "event_name": "DeleteObjectTagging", "stage": "ga", "action_id_int": 22}, "S3.A23": {"action_description": "Removes the entire tag set from the specified object version.", "api": "DeleteObjectTagging(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC4", "feature_class_action_type": "other", "iam_permission": "s3:DeleteObjectVersionTagging", "event_name": "DeleteObjectTagging", "stage": "ga", "action_id_int": 23}, "S3.A24": {"action_description": "Removes the PublicAccessBlock configuration for an Amazon S3 bucket.", "api": "DeletePublicAccessBlock", "endpoint": "s3", "feature_class": "S3.FC24", "feature_class_action_type": "other", "iam_permission": "s3:PutBucketPublicAccessBlock", "event_name": "DeletePublicAccessBlock", "stage": "ga", "action_id_int": 24}, "S3.A25": {"action_description": "Returns the Transfer Acceleration state of a bucket, which is either \"Enabled\" or \"Suspended\".", "api": "GetBucketAccelerateConfiguration", "endpoint": "s3", "feature_class": "S3.FC18", "feature_class_action_type": "other", "iam_permission": "s3:GetAccelerateConfiguration", "event_name": "GetBucketAccelerateConfiguration", "stage": "ga", "action_id_int": 25}, "S3.A26": {"action_description": "Returns the Access Control List (ACL) of a bucket.", "api": "GetBucketAcl", "endpoint": "s3", "feature_class": "S3.FC8", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketAcl", "event_name": "GetBucketAcl", "stage": "ga", "action_id_int": 26}, "S3.A27": {"action_description": "Returns an analytics configuration from the bucket.", "api": "GetBucketAnalyticsConfiguration", "endpoint": "s3", "feature_class": "S3.FC11", "feature_class_action_type": "other", "iam_permission": "s3:GetAnalyticsConfiguration", "event_name": "GetBucketAnalyticsConfiguration", "stage": "ga", "action_id_int": 27}, "S3.A28": {"action_description": "Returns the CORS configuration information set for the bucket.", "api": "GetBucketCors", "endpoint": "s3", "feature_class": "S3.FC22", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketCORS", "event_name": "GetBucketCors", "stage": "ga", "action_id_int": 28}, "S3.A29": {"action_description": "Returns the default encryption configuration for an Amazon S3 bucket.", "api": "GetBucketEncryption", "endpoint": "s3", "feature_class": "S3.FC23", "feature_class_action_type": "other", "iam_permission": "s3:GetEncryptionConfiguration", "event_name": "GetBucketEncryption", "stage": "ga", "action_id_int": 29}, "S3.A30": {"action_description": "Returns an inventory configuration from the bucket.", "api": "GetBucketInventoryConfiguration", "endpoint": "s3", "feature_class": "S3.FC12", "feature_class_action_type": "other", "iam_permission": "s3:GetInventoryConfiguration", "event_name": "GetBucketInventoryConfiguration", "stage": "ga", "action_id_int": 30}, "S3.A31": {"action_description": "Returns the lifecycle configuration information set on the bucket.", "api": "GetBucketLifecycle", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:GetLifecycleConfiguration", "event_name": "GetBucketLifecycle", "stage": "deprecated", "action_id_int": 31}, "S3.A32": {"action_description": "Returns the lifecycle configuration information set on the bucket.", "api": "GetBucketLifecycleConfiguration", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:GetLifecycleConfiguration", "event_name": "GetBucketLifecycleConfiguration", "stage": "ga", "action_id_int": 32}, "S3.A33": {"action_description": "Returns a bucket's region.", "api": "GetBucketLocation", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketLocation", "event_name": "GetBucketLocation", "stage": "ga", "action_id_int": 33}, "S3.A34": {"action_description": "Returns the logging status of a bucket and the permissions users have to view and modify that status.", "api": "GetBucketLogging", "endpoint": "s3", "feature_class": "S3.FC19", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketLogging", "event_name": "GetBucketLogging", "stage": "ga", "action_id_int": 34}, "S3.A35": {"action_description": "Gets a metrics configuration from the bucket.", "api": "GetBucketMetricsConfiguration", "endpoint": "s3", "feature_class": "S3.FC14", "feature_class_action_type": "other", "iam_permission": "s3:GetMetricsConfiguration", "event_name": "GetBucketMetricsConfiguration", "stage": "ga", "action_id_int": 35}, "S3.A36": {"action_description": "Returns the notification configuration of a bucket.", "api": "GetBucketNotification", "endpoint": "s3", "feature_class": "S3.FC20", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketNotification", "event_name": "GetBucketNotification", "stage": "deprecated", "action_id_int": 36}, "S3.A37": {"action_description": "Returns the notification configuration of a bucket.", "api": "GetBucketNotificationConfiguration", "endpoint": "s3", "feature_class": "S3.FC20", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketNotification", "event_name": "GetBucketNotificationConfiguration", "stage": "ga", "action_id_int": 37}, "S3.A38": {"action_description": "Returns the policy of a specified bucket.", "api": "GetBucketPolicy", "endpoint": "s3", "feature_class": "S3.FC10", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketPolicy", "event_name": "GetBucketPolicy", "stage": "ga", "action_id_int": 38}, "S3.A39": {"action_description": "Retrieves the policy status for an Amazon S3 bucket, indicating whether the bucket is public.", "api": "GetBucketPolicyStatus", "endpoint": "s3", "feature_class": "S3.FC10", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketPolicyStatus", "event_name": "GetBucketPolicyStatus", "stage": "ga", "action_id_int": 39}, "S3.A40": {"action_description": "Returns the replication configuration of a bucket.", "api": "GetBucketReplication", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:GetReplicationConfiguration", "event_name": "GetBucketReplication", "stage": "ga", "action_id_int": 40}, "S3.A41": {"action_description": "Returns the request payment configuration of a bucket.", "api": "GetBucketRequestPayment", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketRequestPayment", "event_name": "GetBucketRequestPayment", "stage": "ga", "action_id_int": 41}, "S3.A42": {"action_description": "Returns the tag set associated with the bucket.", "api": "GetBucketTagging", "endpoint": "s3", "feature_class": "S3.FC7", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketTagging", "event_name": "GetBucketTagging", "stage": "ga", "action_id_int": 42}, "S3.A43": {"action_description": "Returns the versioning state of a bucket.", "api": "GetBucketVersioning", "endpoint": "s3", "feature_class": "S3.FC6", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketVersioning", "event_name": "GetBucketVersioning", "stage": "ga", "action_id_int": 43}, "S3.A44": {"action_description": "Returns the website configuration for a bucket.", "api": "GetBucketWebsite", "endpoint": "s3", "feature_class": "S3.FC16", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketWebsite", "event_name": "GetBucketWebsite", "stage": "ga", "action_id_int": 44}, "S3.A45": {"action_description": "Retrieves an object from Amazon S3.", "api": "GetObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "core", "iam_permission": "s3:GetObject", "event_name": "GetObject", "stage": "ga", "action_id_int": 45}, "S3.A46": {"action_description": "Retrieves an object version from Amazon S3.", "api": "GetObject(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC3", "feature_class_action_type": "core", "iam_permission": "s3:GetObjectVersion", "event_name": "GetObject", "stage": "ga", "action_id_int": 46}, "S3.A47": {"action_description": "Returns ACL information about an object.", "api": "GetObjectAcl", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectAcl", "event_name": "GetObjectAcl", "stage": "ga", "action_id_int": 47}, "S3.A48": {"action_description": "Returns ACL information about an object version, use the versionId subresource.", "api": "GetObjectAcl(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC9", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersionAcl", "event_name": "GetObjectAcl", "stage": "ga", "action_id_int": 48}, "S3.A49": {"action_description": "Gets Object Lock legal hold for a specific object.", "api": "GetObjectLegalHold", "endpoint": "s3", "feature_class": "S3.FC29", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectLegalHold", "event_name": "GetObjectLegalHold", "stage": "ga", "action_id_int": 49}, "S3.A50": {"action_description": "Gets the default S3 Object Lock configuration for a bucket.", "api": "GetObjectLockConfiguration", "endpoint": "s3", "feature_class": "S3.FC17", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketObjectLockConfiguration", "event_name": "GetObjectLockConfiguration", "stage": "ga", "action_id_int": 50}, "S3.A51": {"action_description": "Retrieves an object's retention settings.", "api": "GetObjectRetention", "endpoint": "s3", "feature_class": "S3.FC17", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectRetention", "event_name": "GetObjectRetention", "stage": "ga", "action_id_int": 51}, "S3.A52": {"action_description": "Returns the tag-set of an object.", "api": "GetObjectTagging", "endpoint": "s3", "feature_class": "S3.FC2", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectTagging", "event_name": "GetObjectTagging", "stage": "ga", "action_id_int": 52}, "S3.A53": {"action_description": "Returns the tag-set of a specific version of an object.", "api": "GetObjectTagging(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC4", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersionTagging", "event_name": "GetObjectTagging", "stage": "ga", "action_id_int": 53}, "S3.A54": {"action_description": "Returns torrent files from an object.", "api": "GetObjectTorrent", "endpoint": "s3", "feature_class": "S3.FC21", "feature_class_action_type": "core", "iam_permission": "s3:GetObjectTorrent", "event_name": "GetObjectTorrent", "stage": "ga", "action_id_int": 54}, "S3.A55": {"action_description": "No documented usage of this action.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC21", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersionTorrent", "event_name": "-", "stage": "deprecated", "action_id_int": 55}, "S3.A56": {"action_description": "Grants Amazon S3 the permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersionForReplication", "event_name": "-", "stage": "ga", "action_id_int": 56}, "S3.A57": {"action_description": "Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.", "api": "GetPublicAccessBlock", "endpoint": "s3", "feature_class": "S3.FC24", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketPublicAccessBlock", "event_name": "GetPublicAccessBlock", "stage": "ga", "action_id_int": 57}, "S3.A58": {"action_description": "Determines if a bucket exists and you have permission to access it.", "api": "HeadBucket", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:HeadBucket", "event_name": "HeadBucket", "stage": "ga", "action_id_int": 58}, "S3.A59": {"action_description": "Retrieves metadata from an object without returning the object itself.", "api": "HeadObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObject", "event_name": "HeadObject", "stage": "ga", "action_id_int": 59}, "S3.A60": {"action_description": "Retrieves metadata from an object version without returning the object itself.", "api": "HeadObject(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC3", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersion", "event_name": "HeadObject", "stage": "ga", "action_id_int": 60}, "S3.A61": {"action_description": "Lists the analytics configurations for the bucket.", "api": "ListBucketAnalyticsConfigurations", "endpoint": "s3", "feature_class": "S3.FC11", "feature_class_action_type": "other", "iam_permission": "s3:GetAnalyticsConfiguration", "event_name": "ListBucketAnalyticsConfigurations", "stage": "ga", "action_id_int": 61}, "S3.A62": {"action_description": "Returns a list of inventory configurations for the bucket.", "api": "ListBucketInventoryConfigurations", "endpoint": "s3", "feature_class": "S3.FC12", "feature_class_action_type": "other", "iam_permission": "s3:GetInventoryConfiguration", "event_name": "ListBucketInventoryConfigurations", "stage": "ga", "action_id_int": 62}, "S3.A63": {"action_description": "Lists the metrics configurations for the bucket.", "api": "ListBucketMetricsConfigurations", "endpoint": "s3", "feature_class": "S3.FC14", "feature_class_action_type": "other", "iam_permission": "s3:GetMetricsConfiguration", "event_name": "ListBucketMetricsConfigurations", "stage": "ga", "action_id_int": 63}, "S3.A64": {"action_description": "Returns a list of all buckets owned by the authenticated sender of the request.", "api": "ListBuckets", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "other", "iam_permission": "s3:ListAllMyBuckets", "event_name": "ListBuckets", "stage": "ga", "action_id_int": 64}, "S3.A65": {"action_description": "Lists in-progress multipart uploads.", "api": "ListMultipartUploads", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:ListBucketMultipartUploads", "event_name": "ListMultipartUploads", "stage": "ga", "action_id_int": 65}, "S3.A66": {"action_description": "Returns some or all (up to 1000) of the objects in a bucket.", "api": "ListObjects", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:ListBucket", "event_name": "ListObjects", "stage": "deprecated", "action_id_int": 66}, "S3.A67": {"action_description": "Returns some or all (up to 1000) of the objects in a bucket.", "api": "ListObjectsV2", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:ListBucket", "event_name": "ListObjectsV2", "stage": "ga", "action_id_int": 67}, "S3.A68": {"action_description": "Lists metadata about all of the versions of objects in a bucket.", "api": "ListObjectVersions", "endpoint": "s3", "feature_class": "S3.FC3", "feature_class_action_type": "other", "iam_permission": "s3:ListBucketVersions", "event_name": "ListObjectVersions", "stage": "ga", "action_id_int": 68}, "S3.A69": {"action_description": "Lists the parts that have been uploaded for a specific multipart upload.", "api": "ListParts", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:ListMultipartUploadParts", "event_name": "ListParts", "stage": "ga", "action_id_int": 69}, "S3.A70": {"action_description": "Allows Amazon S3 to change the ownership of a replicated object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:ObjectOwnerOverrideToBucketOwner", "event_name": "-", "stage": "ga", "action_id_int": 70}, "S3.A71": {"action_description": "Sets the Transfer Acceleration state of an existing bucket.", "api": "PutBucketAccelerateConfiguration", "endpoint": "s3", "feature_class": "S3.FC18", "feature_class_action_type": "core", "iam_permission": "s3:PutAccelerateConfiguration", "event_name": "PutBucketAccelerateConfiguration", "stage": "ga", "action_id_int": 71}, "S3.A72": {"action_description": "Sets the permissions on an existing bucket using Access Control Lists (ACL).", "api": "PutBucketAcl", "endpoint": "s3", "feature_class": "S3.FC8", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketAcl", "event_name": "PutBucketAcl", "stage": "ga", "action_id_int": 72}, "S3.A73": {"action_description": "Adds an analytics configuration (identified by the analytics ID) to the bucket.", "api": "PutBucketAnalyticsConfiguration", "endpoint": "s3", "feature_class": "S3.FC11", "feature_class_action_type": "core", "iam_permission": "s3:PutAnalyticsConfiguration", "event_name": "PutBucketAnalyticsConfiguration", "stage": "ga", "action_id_int": 73}, "S3.A74": {"action_description": "Sets the CORS configuration for your bucket.", "api": "PutBucketCors", "endpoint": "s3", "feature_class": "S3.FC22", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketCORS", "event_name": "PutBucketCors", "stage": "ga", "action_id_int": 74}, "S3.A75": {"action_description": "Sets the default encryption configuration for the bucket.", "api": "PutBucketEncryption", "endpoint": "s3", "feature_class": "S3.FC23", "feature_class_action_type": "core", "iam_permission": "s3:PutEncryptionConfiguration", "event_name": "PutBucketEncryption", "stage": "ga", "action_id_int": 75}, "S3.A76": {"action_description": "Adds an inventory configuration (identified by the inventory ID) to the bucket.", "api": "PutBucketInventoryConfiguration", "endpoint": "s3", "feature_class": "S3.FC12", "feature_class_action_type": "core", "iam_permission": "s3:PutInventoryConfiguration", "event_name": "PutBucketInventoryConfiguration", "stage": "ga", "action_id_int": 76}, "S3.A77": {"action_description": "Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.", "api": "PutBucketLifecycle", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:PutLifecycleConfiguration", "event_name": "PutBucketLifecycle", "stage": "deprecated", "action_id_int": 77}, "S3.A78": {"action_description": "Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.", "api": "PutBucketLifecycleConfiguration", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "core", "iam_permission": "s3:PutLifecycleConfiguration", "event_name": "PutBucketLifecycleConfiguration", "stage": "ga", "action_id_int": 78}, "S3.A79": {"action_description": "Sets the logging parameters for a bucket.", "api": "PutBucketLogging", "endpoint": "s3", "feature_class": "S3.FC19", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketLogging", "event_name": "PutBucketLogging", "stage": "ga", "action_id_int": 79}, "S3.A80": {"action_description": "Sets or updates a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from the bucket.", "api": "PutBucketMetricsConfiguration", "endpoint": "s3", "feature_class": "S3.FC14", "feature_class_action_type": "core", "iam_permission": "s3:PutMetricsConfiguration", "event_name": "PutBucketMetricsConfiguration", "stage": "ga", "action_id_int": 80}, "S3.A81": {"action_description": "Enables you to receive notifications when certain events happen in your bucket.", "api": "PutBucketNotification", "endpoint": "s3", "feature_class": "S3.FC20", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketNotification", "event_name": "PutBucketNotification", "stage": "deprecated", "action_id_int": 81}, "S3.A82": {"action_description": "Enables you to receive notifications when certain events happen in your bucket.", "api": "PutBucketNotificationConfiguration", "endpoint": "s3", "feature_class": "S3.FC20", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketNotification", "event_name": "PutBucketNotificationConfiguration", "stage": "ga", "action_id_int": 82}, "S3.A83": {"action_description": "Adds to or replaces a policy on a bucket.", "api": "PutBucketPolicy", "endpoint": "s3", "feature_class": "S3.FC10", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketPolicy", "event_name": "PutBucketPolicy", "stage": "ga", "action_id_int": 83}, "S3.A84": {"action_description": "Creates a new replication configuration (or replaces an existing one, if present).", "api": "PutBucketReplication", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "core", "iam_permission": "s3:PutReplicationConfiguration", "event_name": "PutBucketReplication", "stage": "ga", "action_id_int": 84}, "S3.A85": {"action_description": "Sets the request payment configuration of a bucket.", "api": "PutBucketRequestPayment", "endpoint": "s3", "feature_class": "S3.FC5", "feature_class_action_type": "other", "iam_permission": "s3:PutBucketRequestPayment", "event_name": "PutBucketRequestPayment", "stage": "ga", "action_id_int": 85}, "S3.A86": {"action_description": "Adds a set of tags to an existing bucket.", "api": "PutBucketTagging", "endpoint": "s3", "feature_class": "S3.FC7", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketTagging", "event_name": "PutBucketTagging", "stage": "ga", "action_id_int": 86}, "S3.A87": {"action_description": "Sets the versioning state of an existing bucket.", "api": "PutBucketVersioning", "endpoint": "s3", "feature_class": "S3.FC6", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketVersioning", "event_name": "PutBucketVersioning", "stage": "ga", "action_id_int": 87}, "S3.A88": {"action_description": "Sets the configuration of the website that is specified in the website subresource.", "api": "PutBucketWebsite", "endpoint": "s3", "feature_class": "S3.FC16", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketWebsite", "event_name": "PutBucketWebsite", "stage": "ga", "action_id_int": 88}, "S3.A89": {"action_description": "Adds an object to a bucket.", "api": "PutObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "core", "iam_permission": "s3:PutObject", "event_name": "PutObject,PostObject", "stage": "ga", "action_id_int": 89}, "S3.A90": {"action_description": "Sets the Access Control List (ACL) permissions for an object. You must have WRITE_ACP permission to set the ACL of an object.", "api": "PutObjectAcl", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectAcl", "event_name": "PutObjectAcl", "stage": "ga", "action_id_int": 90}, "S3.A91": {"action_description": "Sets the Access Control List (ACL) permissions for an object version. You must have WRITE_ACP permission to set the ACL of an object version.", "api": "PutObjectAcl(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC9", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectVersionAcl", "event_name": "PutObjectAcl", "stage": "ga", "action_id_int": 91}, "S3.A92": {"action_description": "Puts Object Lock legal hold on a specific object.", "api": "PutObjectLegalHold", "endpoint": "s3", "feature_class": "S3.FC29", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectLegalHold", "event_name": "PutObjectLegalHold", "stage": "ga", "action_id_int": 92}, "S3.A93": {"action_description": "Allows placing a default S3 Object Lock configuration at bucket creation (AWS Support needs to be contacted for existing buckets). It automatically enables versioning, even without permission.", "api": "PutObjectLockConfiguration", "endpoint": "s3", "feature_class": "S3.FC17", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketObjectLockConfiguration", "event_name": "PutObjectLockConfiguration", "stage": "ga", "action_id_int": 93}, "S3.A94": {"action_description": "Puts object retention on a specific object.", "api": "PutObjectRetention", "endpoint": "s3", "feature_class": "S3.FC17", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectRetention", "event_name": "PutObjectRetention", "stage": "ga", "action_id_int": 94}, "S3.A95": {"action_description": "Adds a set of tags to an existing object.", "api": "PutObjectTagging", "endpoint": "s3", "feature_class": "S3.FC2", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectTagging", "event_name": "PutObjectTagging", "stage": "ga", "action_id_int": 95}, "S3.A96": {"action_description": "Adds a set of tags to an existing object version.", "api": "PutObjectTagging(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC4", "feature_class_action_type": "core", "iam_permission": "s3:PutObjectVersionTagging", "event_name": "PutObjectVersionTagging", "stage": "ga", "action_id_int": 96}, "S3.A97": {"action_description": "Creates or modifies the PublicAccessBlock configuration for an Amazon S3 bucket.", "api": "PutPublicAccessBlock", "endpoint": "s3", "feature_class": "S3.FC24", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketPublicAccessBlock", "event_name": "PutPublicAccessBlock", "stage": "ga", "action_id_int": 97}, "S3.A98": {"action_description": "Allows Amazon S3 to replicate delete markers to the destination bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:ReplicateDelete", "event_name": "-", "stage": "ga", "action_id_int": 98}, "S3.A99": {"action_description": "Allows Amazon S3 to replicate objects to the destination bucket, including tags.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:ReplicateObject", "event_name": "-", "stage": "ga", "action_id_int": 99}, "S3.A100": {"action_description": "Allows Amazon S3 to replicate object tags to the destination bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC15", "feature_class_action_type": "other", "iam_permission": "s3:ReplicateTags", "event_name": "-", "stage": "ga", "action_id_int": 100}, "S3.A101": {"action_description": "Restores a temporary copy of an archived object.", "api": "RestoreObject", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:RestoreObject", "event_name": "RestoreObject", "stage": "ga", "action_id_int": 101}, "S3.A102": {"action_description": "Filters the contents of an Amazon S3 object based on a simple structured query language (SQL) statement.", "api": "SelectObjectContent", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObject", "event_name": "SelectObjectContent", "stage": "ga", "action_id_int": 102}, "S3.A103": {"action_description": "Uploads a part in a multipart upload.", "api": "UploadPart", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:PutObject", "event_name": "UploadPart", "stage": "ga", "action_id_int": 103}, "S3.A104": {"action_description": "Uploads a part by copying data from an existing object as a data source.", "api": "UploadPartCopy", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:PutObject,s3:GetObject", "event_name": "UploadPartCopy", "stage": "ga", "action_id_int": 104}, "S3.A105": {"action_description": "Creates a new access point.", "api": "CreateAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "core", "iam_permission": "s3:CreateAccessPoint", "event_name": "CreateAccessPoint", "stage": "ga", "action_id_int": 105}, "S3.A106": {"action_description": "Creates a new Amazon S3 Batch Operations job.", "api": "CreateJob", "endpoint": "s3-control", "feature_class": "S3.FC27", "feature_class_action_type": "core", "iam_permission": "s3:CreateJob", "event_name": "JobCreated", "stage": "ga", "action_id_int": 106}, "S3.A107": {"action_description": "Deletes the specified access point.", "api": "DeleteAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:DeleteAccessPoint", "event_name": "DeleteAccessPoint", "stage": "ga", "action_id_int": 107}, "S3.A108": {"action_description": "Deletes the policy on a specified access point.", "api": "DeleteAccessPointPolicy", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:DeleteAccessPointPolicy", "event_name": "DeleteAccessPointPolicy", "stage": "ga", "action_id_int": 108}, "S3.A109": {"action_description": "Removes the PublicAccessBlock configuration for an AWS account.", "api": "DeletePublicAccessBlock", "endpoint": "s3-control", "feature_class": "S3.FC25", "feature_class_action_type": "other", "iam_permission": "s3:PutAccountPublicAccessBlock", "event_name": "DeletePublicAccessBlock", "stage": "ga", "action_id_int": 109}, "S3.A110": {"action_description": "Retrieves the configuration parameters and status for a Batch Operations job.", "api": "DescribeJob", "endpoint": "s3-control", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:DescribeJob", "event_name": "DescribeJob", "stage": "ga", "action_id_int": 110}, "S3.A111": {"action_description": "Retrieves access point metadata.", "api": "GetAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPoint", "event_name": "GetAccessPoint", "stage": "ga", "action_id_int": 111}, "S3.A112": {"action_description": "Returns the policy of a specified access point.", "api": "GetAccessPointPolicy", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointPolicy", "event_name": "GetAccessPointPolicy", "stage": "ga", "action_id_int": 112}, "S3.A113": {"action_description": "Retrieves the policy status for a specific access point's policy.", "api": "GetAccessPointPolicyStatus", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointPolicyStatus", "event_name": "GetAccessPointPolicyStatus", "stage": "ga", "action_id_int": 113}, "S3.A114": {"action_description": "Retrieves the PublicAccessBlock configuration for an AWS account.", "api": "GetPublicAccessBlock", "endpoint": "s3-control", "feature_class": "S3.FC25", "feature_class_action_type": "other", "iam_permission": "s3:GetAccountPublicAccessBlock", "event_name": "GetPublicAccessBlock", "stage": "ga", "action_id_int": 114}, "S3.A115": {"action_description": "Returns a list of the access points currently associated with the specified bucket.", "api": "ListAccessPoints", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:ListAccessPoints", "event_name": "ListAccessPoints", "stage": "ga", "action_id_int": 115}, "S3.A116": {"action_description": "Lists current jobs and jobs that have ended recently.", "api": "ListJobs", "endpoint": "s3-control", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:ListJobs", "event_name": "ListJobs", "stage": "ga", "action_id_int": 116}, "S3.A117": {"action_description": "Adds to or replaces a data policy on an access point.", "api": "PutAccessPointPolicy", "endpoint": "s3-control", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:PutAccessPointPolicy", "event_name": "PutAccessPointPolicy", "stage": "ga", "action_id_int": 117}, "S3.A118": {"action_description": "Creates or modifies the PublicAccessBlock configuration for an AWS account.", "api": "PutPublicAccessBlock", "endpoint": "s3-control", "feature_class": "S3.FC25", "feature_class_action_type": "core", "iam_permission": "s3:PutAccountPublicAccessBlock", "event_name": "PutPublicAccessBlock", "stage": "ga", "action_id_int": 118}, "S3.A119": {"action_description": "Updates an existing job's priority.", "api": "UpdateJobPriority", "endpoint": "s3-control", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:UpdateJobPriority", "event_name": "UpdateJobPriority", "stage": "ga", "action_id_int": 119}, "S3.A120": {"action_description": "Updates the status for the specified job.", "api": "UpdateJobStatus", "endpoint": "s3-control", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:UpdateJobStatus", "event_name": "JobStatusChanged", "stage": "ga", "action_id_int": 120}, "S3.A121": {"action_description": "Removes OwnershipControls for an Amazon S3 bucket.", "api": "DeleteBucketOwnershipControls", "endpoint": "s3", "feature_class": "S3.FC30", "feature_class_action_type": "other", "iam_permission": "s3:PutBucketOwnershipControls", "event_name": "DeleteBucketOwnershipControls", "stage": "ga", "action_id_int": 121}, "S3.A122": {"action_description": "Retrieves OwnershipControls for an Amazon S3 bucket.", "api": "GetBucketOwnershipControls", "endpoint": "s3", "feature_class": "S3.FC30", "feature_class_action_type": "other", "iam_permission": "s3:GetBucketOwnershipControls", "event_name": "GetBucketOwnershipControls", "stage": "ga", "action_id_int": 122}, "S3.A123": {"action_description": "Creates or modifies OwnershipControls for an Amazon S3 bucket.", "api": "PutBucketOwnershipControls", "endpoint": "s3", "feature_class": "S3.FC30", "feature_class_action_type": "core", "iam_permission": "s3:PutBucketOwnershipControls", "event_name": "PutBucketOwnershipControls", "stage": "ga", "action_id_int": 123}, "S3.A124": {"action_description": "Deletes the S3 Intelligent-Tiering configuration from the specified bucket.", "api": "DeleteBucketIntelligentTieringConfiguration", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:DeleteIntelligentTieringConfiguration", "event_name": "DeleteBucketIntelligentTieringConfiguration", "stage": "ga", "action_id_int": 124}, "S3.A125": {"action_description": "Gets the S3 Intelligent-Tiering configuration from the specified bucket.", "api": "GetBucketIntelligentTieringConfiguration", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:GetIntelligentTieringConfiguration", "event_name": "GetBucketIntelligentTieringConfiguration", "stage": "ga", "action_id_int": 125}, "S3.A126": {"action_description": "Lists the S3 Intelligent-Tiering configuration from the specified bucket.", "api": "ListBucketIntelligentTieringConfigurations", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "other", "iam_permission": "s3:ListIntelligentTieringConfigurations", "event_name": "ListBucketIntelligentTieringConfigurations", "stage": "ga", "action_id_int": 126}, "S3.A127": {"action_description": "Puts a S3 Intelligent-Tiering configuration to the specified bucket.", "api": "PutBucketIntelligentTieringConfiguration", "endpoint": "s3", "feature_class": "S3.FC13", "feature_class_action_type": "core", "iam_permission": "s3:PutIntelligentTieringConfiguration", "event_name": "PutBucketIntelligentTieringConfiguration", "stage": "ga", "action_id_int": 127}, "S3.A128": {"action_description": "Deletes the Amazon S3 Storage Lens configuration.", "api": "DeleteStorageLensConfiguration", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:DeleteStorageLensConfiguration", "event_name": "DeleteStorageLensConfiguration", "stage": "ga", "action_id_int": 128}, "S3.A129": {"action_description": "Deletes the Amazon S3 Storage Lens configuration tags.", "api": "DeleteStorageLensConfigurationTagging", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:DeleteStorageLensConfigurationTagging", "event_name": "DeleteStorageLensConfigurationTagging", "stage": "ga", "action_id_int": 129}, "S3.A130": {"action_description": "Gets the Amazon S3 Storage Lens configuration.", "api": "GetStorageLensConfiguration", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:GetStorageLensConfiguration", "event_name": "GetStorageLensConfiguration", "stage": "ga", "action_id_int": 130}, "S3.A131": {"action_description": "Gets the tags of Amazon S3 Storage Lens configuration.", "api": "GetStorageLensConfiguratioTagging", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:GetStorageLensConfigurationTagging", "event_name": "GetStorageLensConfiguratioTagging", "stage": "ga", "action_id_int": 131}, "S3.A132": {"action_description": "Gets a list of Amazon S3 Storage Lens configurations.", "api": "ListStorageLensConfigurations", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:ListStorageLensConfigurations", "event_name": "ListStorageLensConfigurations", "stage": "ga", "action_id_int": 132}, "S3.A133": {"action_description": "Puts an Amazon S3 Storage Lens configuration.", "api": "PutStorageLensConfiguration", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "core", "iam_permission": "s3:PutStorageLensConfiguration", "event_name": "PutStorageLensConfiguration", "stage": "ga", "action_id_int": 133}, "S3.A134": {"action_description": "Puts or replaces tags on an existing Amazon S3 Storage Lens configuration.", "api": "PutStorageLensConfigurationTagging", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:PutStorageLensConfigurationTagging", "event_name": "PutStorageLensConfigurationTagging", "stage": "ga", "action_id_int": 134}, "S3.A135": {"action_description": "Creates an Object Lambda access point.", "api": "CreateAccessPointForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "core", "iam_permission": "s3:CreateAccessPointForObjectLambda", "event_name": "CreateAccessPointForObjectLambda", "stage": "ga", "action_id_int": 135}, "S3.A136": {"action_description": "Deletes the specified Object Lambda access point.", "api": "DeleteAccessPointForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:DeleteAccessPointForObjectLambda", "event_name": "DeleteAccessPointForObjectLambda", "stage": "ga", "action_id_int": 136}, "S3.A137": {"action_description": "Removes the resource policy for an Object Lambda access point.", "api": "DeleteAccessPointPolicyForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:DeleteAccessPointPolicyForObjectLambda", "event_name": "DeleteAccessPointPolicyForObjectLambda", "stage": "ga", "action_id_int": 137}, "S3.A138": {"action_description": "Returns configuration for an Object Lambda access point.", "api": "GetAccessPointConfigurationForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointConfigurationForObjectLambda", "event_name": "GetAccessPointConfigurationForObjectLambda", "stage": "ga", "action_id_int": 138}, "S3.A139": {"action_description": "Returns configuration information about the specified Object Lambda access point.", "api": "GetAccessPointForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointForObjectLambda", "event_name": "GetAccessPointForObjectLambda", "stage": "ga", "action_id_int": 139}, "S3.A140": {"action_description": "Returns the resource policy for an Object Lambda access point.", "api": "GetAccessPointPolicyForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointPolicyForObjectLambda", "event_name": "GetAccessPointPolicyForObjectLambda", "stage": "ga", "action_id_int": 140}, "S3.A141": {"action_description": "Returns the status of the resource policy associated with an Object Lambda access point.", "api": "GetAccessPointPolicyStatusForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:GetAccessPointPolicyStatusForObjectLambda", "event_name": "GetAccessPointPolicyStatusForObjectLambda", "stage": "ga", "action_id_int": 141}, "S3.A142": {"action_description": "Returns a list of the access points associated with the Object Lambda access point.", "api": "ListAccessPointsForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:ListAccessPointsForObjectLambda", "event_name": "ListAccessPointsForObjectLambda", "stage": "ga", "action_id_int": 142}, "S3.A143": {"action_description": "Replaces configuration for an Object Lambda access point.", "api": "PutAccessPointConfigurationForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:PutAccessPointConfigurationForObjectLambda", "event_name": "PutAccessPointConfigurationForObjectLambda", "stage": "ga", "action_id_int": 143}, "S3.A144": {"action_description": "Creates or replaces resource policy for an Object Lambda access point.", "api": "PutAccessPointPolicyForObjectLambda", "endpoint": "s3-control", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3:PutAccessPointPolicyForObjectLambda", "event_name": "PutAccessPointPolicyForObjectLambda", "stage": "ga", "action_id_int": 144}, "S3.A145": {"action_description": "Grants permission to abort a multipart upload.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:AbortMultipartUpload", "event_name": "-", "stage": "ga", "action_id_int": 145}, "S3.A146": {"action_description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:DeleteObject", "event_name": "-", "stage": "ga", "action_id_int": 146}, "S3.A147": {"action_description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:DeleteObjectTagging", "event_name": "-", "stage": "ga", "action_id_int": 147}, "S3.A148": {"action_description": "Grants permission to retrieve objects from Amazon S3.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "core", "iam_permission": "s3-object-lambda:GetObject", "event_name": "-", "stage": "ga", "action_id_int": 148}, "S3.A149": {"action_description": "Grants permission to return the Access Control List (ACL) of an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectAcl", "event_name": "-", "stage": "ga", "action_id_int": 149}, "S3.A150": {"action_description": "Grants permission to get an object's current legal hold status.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectLegalHold", "event_name": "-", "stage": "ga", "action_id_int": 150}, "S3.A151": {"action_description": "Grants permission to retrieve the retention settings for an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectRetention", "event_name": "-", "stage": "ga", "action_id_int": 151}, "S3.A152": {"action_description": "Grants permission to return the tag set of an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectTagging", "event_name": "-", "stage": "ga", "action_id_int": 152}, "S3.A153": {"action_description": "Grants permission to retrieve a specific version of an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectVersion", "event_name": "-", "stage": "ga", "action_id_int": 153}, "S3.A154": {"action_description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000).", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:ListBucket", "event_name": "-", "stage": "ga", "action_id_int": 154}, "S3.A155": {"action_description": "Grants permission to list the parts that have been uploaded for a specific multipart upload.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:ListMultipartUploadParts", "event_name": "-", "stage": "ga", "action_id_int": 155}, "S3.A156": {"action_description": "Grants permission to add an object to a bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "core", "iam_permission": "s3-object-lambda:PutObject", "event_name": "-", "stage": "ga", "action_id_int": 156}, "S3.A157": {"action_description": "Grants permission to set the Access Control List (ACL) permissions for new or existing objects in an S3 bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectAcl", "event_name": "-", "stage": "ga", "action_id_int": 157}, "S3.A158": {"action_description": "Grants permission to apply a legal hold configuration to the specified object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectLegalHold", "event_name": "-", "stage": "ga", "action_id_int": 158}, "S3.A159": {"action_description": "Grants permission to place an object retention configuration on an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectRetention", "event_name": "-", "stage": "ga", "action_id_int": 159}, "S3.A160": {"action_description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectTagging", "event_name": "-", "stage": "ga", "action_id_int": 160}, "S3.A161": {"action_description": "Grants permission to restore an archived copy of an object back into Amazon S3.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:RestoreObject", "event_name": "-", "stage": "ga", "action_id_int": 161}, "S3.A162": {"action_description": "Passes transformed objects to a GetObject operation when using Object Lambda access points.", "api": "WriteGetObjectResponse", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:WriteGetObjectResponse", "event_name": "WriteGetObjectResponse", "stage": "ga", "action_id_int": 162}, "S3.A163": {"action_description": "Grants permission to remove a specific version of an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:DeleteObjectVersion", "event_name": "-", "stage": "ga", "action_id_int": 163}, "S3.A164": {"action_description": "Grants permission to remove the entire tag set for a specific version of the object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:DeleteObjectVersionTagging", "event_name": "-", "stage": "ga", "action_id_int": 164}, "S3.A165": {"action_description": "Grants permission to return the Access Control List (ACL) of a specific object version.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectVersionAcl", "event_name": "-", "stage": "ga", "action_id_int": 165}, "S3.A166": {"action_description": "Grants permission to return the tag set for a specific version of the object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:GetObjectVersionTagging", "event_name": "-", "stage": "ga", "action_id_int": 166}, "S3.A167": {"action_description": "Grants permission to list in-progress multipart uploads.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:ListBucketMultipartUploads", "event_name": "-", "stage": "ga", "action_id_int": 167}, "S3.A168": {"action_description": "Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:ListBucketVersions", "event_name": "-", "stage": "ga", "action_id_int": 168}, "S3.A169": {"action_description": "Grants permission to use the ACL subresource to set the Access Control List (ACL) permissions for an object that already exists in a bucket.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectVersionAcl", "event_name": "-", "stage": "ga", "action_id_int": 169}, "S3.A170": {"action_description": "Grants permission to set the supplied tag-set for a specific version of an object.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC32", "feature_class_action_type": "other", "iam_permission": "s3-object-lambda:PutObjectVersionTagging", "event_name": "-", "stage": "ga", "action_id_int": 170}, "S3.A171": {"action_description": "Returns configuration information about the specified Multi-Region Access Point.", "api": "GetMultiRegionAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:GetMultiRegionAccessPoint", "event_name": "GetMultiRegionAccessPoint", "stage": "ga", "action_id_int": 171}, "S3.A172": {"action_description": "Indicates whether the specified Multi-Region Access Point has an access control policy that allows public access.", "api": "GetMultiRegionAccessPointPolicyStatus", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:GetMultiRegionAccessPointPolicyStatus", "event_name": "GetMultiRegionAccessPointPolicyStatus", "stage": "ga", "action_id_int": 172}, "S3.A173": {"action_description": "Creates a Multi-Region Access Point and associates it with the specified buckets.", "api": "CreateMultiRegionAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "core", "iam_permission": "s3:CreateMultiRegionAccessPoint", "event_name": "CreateMultiRegionAccessPoint", "stage": "ga", "action_id_int": 173}, "S3.A174": {"action_description": "Retrieves the status of an asynchronous request to manage a Multi-Region Access Point.", "api": "DescribeMultiRegionAccessPointOperation", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:DescribeMultiRegionAccessPointOperation", "event_name": "DescribeMultiRegionAccessPointOperation", "stage": "ga", "action_id_int": 174}, "S3.A175": {"action_description": "Deletes a Multi-Region Access Point. This action does not delete the buckets associated with the Multi-Region Access Point, only the Multi-Region Access Point itself.", "api": "DeleteMultiRegionAccessPoint", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:DeleteMultiRegionAccessPoint", "event_name": "DeleteMultiRegionAccessPoint", "stage": "ga", "action_id_int": 175}, "S3.A176": {"action_description": "Returns a list of the Multi-Region Access Points currently associated with the specified AWS account.", "api": "ListMultiRegionAccessPoints", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:ListMultiRegionAccessPoints", "event_name": "ListMultiRegionAccessPoints", "stage": "ga", "action_id_int": 176}, "S3.A177": {"action_description": "Returns the access control policy of the specified Multi-Region Access Point.", "api": "GetMultiRegionAccessPointPolicy", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:GetMultiRegionAccessPointPolicy", "event_name": "GetMultiRegionAccessPointPolicy", "stage": "ga", "action_id_int": 177}, "S3.A178": {"action_description": "Associates an access control policy with the specified Multi-Region Access Point.", "api": "PutMultiRegionAccessPointPolicy", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:PutMultiRegionAccessPointPolicy", "event_name": "PutMultiRegionAccessPointPolicy", "stage": "ga", "action_id_int": 178}, "S3.A179": {"action_description": "Remove tags from an existing Amazon S3 Batch Operations job.", "api": "DeleteJobTagging", "endpoint": "s3", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:DeleteJobTagging", "event_name": "DeleteJobTagging", "stage": "ga", "action_id_int": 179}, "S3.A180": {"action_description": "Return the tag set of an existing Amazon S3 Batch Operations job.", "api": "GetJobTagging", "endpoint": "s3", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:GetJobTagging", "event_name": "GetJobTagging", "stage": "ga", "action_id_int": 180}, "S3.A181": {"action_description": "Get an Amazon S3 Storage Lens dashboard.", "api": "GetStorageLensDashboard", "endpoint": "s3-control", "feature_class": "S3.FC31", "feature_class_action_type": "other", "iam_permission": "s3:GetStorageLensDashboard", "event_name": "GetStorageLensDashboardDataInternal", "stage": "ga", "action_id_int": 181}, "S3.A182": {"action_description": "Replace tags on an existing Amazon S3 Batch Operations job.", "api": "PutJobTagging", "endpoint": "s3", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:PutJobTagging", "event_name": "PutJobTagging", "stage": "ga", "action_id_int": 182}, "S3.A183": {"action_description": "Associate Public Access Block configurations with a specified access point, while creating a access point.", "api": "PutAccessPointPublicAccessBlock", "endpoint": "s3", "feature_class": "S3.FC26", "feature_class_action_type": "other", "iam_permission": "s3:PutAccessPointPublicAccessBlock", "event_name": "PutAccessPointPublicAccessBlock", "stage": "ga", "action_id_int": 183}, "S3.A184": {"action_description": "Initiate the replication process by setting replication status of an object to pending.", "api": "-", "endpoint": "s3", "feature_class": "S3.FC27", "feature_class_action_type": "other", "iam_permission": "s3:InitiateReplication", "event_name": "-", "stage": "ga", "action_id_int": 184}, "S3.A185": {"action_description": "Retrieves all the metadata from an object without returning the object itself. This action is useful if you're interested only in an object's metadata.", "api": "GetObjectAttributes", "endpoint": "s3", "feature_class": "S3.FC1", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectAttributes,s3:GetObject", "event_name": "GetObjectAttributes", "stage": "ga", "action_id_int": 185}, "S3.A186": {"action_description": "Retrieves all the metadata from a versioned object without returning the object itself. This action is useful if you're interested only in an object's metadata.", "api": "GetObjectAttributes(VersionId=)", "endpoint": "s3", "feature_class": "S3.FC9", "feature_class_action_type": "other", "iam_permission": "s3:GetObjectVersionAttributes,s3:GetObjectVersion", "event_name": "GetObjectAttributes", "stage": "ga", "action_id_int": 186}, "S3.A187": {"action_description": "Return the route configuration for a Multi-Region Access Point.", "api": "GetMultiRegionAccessPointRoutes", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "other", "iam_permission": "s3:GetMultiRegionAccessPointRoutes", "event_name": "TODO", "stage": "ga", "action_id_int": 187}, "S3.A188": {"action_description": "Submit a route configuration update for a Multi-Region Access Point.", "api": "SubmitMultiRegionAccessPointRoutes", "endpoint": "s3-control", "feature_class": "S3.FC33", "feature_class_action_type": "core", "iam_permission": "s3:SubmitMultiRegionAccessPointRoutes", "event_name": "TODO", "stage": "ga", "action_id_int": 188}}, "dfd": {"body": "PG14ZmlsZSBhZ2VudD0iNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIGRyYXcuaW8vMjAuMy4wIENocm9tZS8xMDQuMC41MTEyLjExNCBFbGVjdHJvbi8yMC4xLjMgU2FmYXJpLzUzNy4zNiIgY29tcHJlc3NlZD0idHJ1ZSIgZXRhZz0iYV9EMHZvOXJCano0eVlaV1pjVFQiIGhvc3Q9IkVsZWN0cm9uIiBtb2RpZmllZD0iMjAyMy0wOS0wNFQwODozOTowNy42ODBaIiB2ZXJzaW9uPSIyMC4zLjAiIHR5cGU9ImRldmljZSI+PGRpYWdyYW0gaWQ9IncyUENJempfLW1VdjVOUDc0bnRUIiBuYW1lPSJQYWdlLTEiPjdWMVpkNXU2RnY0MWViU0xFT05qNXFaTmI5STZiZHJ6a2tWczdORFl4c1U0aWZ2cnJ3UmlrZ1FJRERaTzNYTldpd0dKU1h2ZSs5dEg4SFQyZHVsWmk2Y3Y3c2llSHNuUzZPMEluaDNKc2d3QVJQL2dQZXR3ajZIcDRZNko1NHpDWFNEWk1YRCsybVNuUlBhdW5KRzl6SnpvdSs3VWR4YlpuVU4zUHJlSGZtYWY1WG51YS9hMHNUdk5YblZoVFd4bXgyQm9UZG05OTg3SWZ5SlBJZXZKL28rMk0zbUtyZ3cwTXp3eXM2S1R5Wk1zbjZ5Uis1cmFCYytQNEtubnVuNjROWHM3dGFmNDVVWHZoWXo3a0hNNHZqUFBudnU4RWU3amIveEcwRVBibHIveTdJZmgxRnFTMXhHZU9MVWUwZWRLN2ZDZlBIUnV1T2ZpRkR6Y3FVZnlhYkNoUlJ0R3RHRkdHMENPdHZBOWhWc3czdExJVFVXM2ZYOXo5ZmtMV0VtOXRhZmV2cjFPSCtGZzNGUGk5eEUvNXRKZlI5L0FubytPOGFkRXZ4Nm43dkQ1Q0o2Z1hSZk9GTjg3UUw4OGR6VWYyU1B5NjhtZlJRZCsyNzYvSm92S1d2a3UydVY2L3BNN2NlZlc5TnAxRitTODRFV2NXTVBuU1REVnFUdDF2ZURhOENMNGc2ODRRdXVDM0ZNeXgzbThsL2tZNVBzczNaVTNKQSt5aHQ1cUF0N3NtOXVyeS9Ydlo4czlsNzcwb2xkdmVST2JERFZ2WDVlVDJjMHorT2pyMmowY3ZYajJlUThvNFluNFJsSlhJRy90MG5abnR1K3QwUW1lUGJWODV5VzdnQzN5NFNmeGVmSFFXOWVaNDJWQ2FGWXp5QjBSaXBWTktUdEZlS2RrVkdxOW9XOWtyVlBuTGZBWnkvd0xBVW1YTWxjeUZhbFBML3F5TVJDVWp0R1VqWWNBU0EvNUVENHRmN2h1VWc4R3FWY1lMZ3IyRlg1SWZjaG9SMEFQNFE5QzBhWFVmWEVLQS9KVGdyOEpvUktLRFBjQlBmd25wR1pDdDNKSXlISTRXQTdIUWNEd2ltLzJ4SEhuYU44eGwydElEeGFtWURSV1Jjd2h2QTdhQ2ljM0h1NlVpRFdVTWhjOEh0QnNSa09iTUQ2c0pEdlY2QUprQ3grT1p5WVByS010ZzJKWCtON0kzQkJ0eG5jbGEvSGhjTENNcmlJYjhRWGwrQ2J4NTgzd1BSbHR4ZmNJNHdlRzhZMUJjbU1TMnRUam5mR0VTamloakE0cjVBV2dLUlh5ZmRCREtQR2NTamdueE1makcxYkNPZEZOS2tiOEFSUXpla0VxdVY4VGJaSWJWdEFtbVI2ZHFzTDRnZFh3U2hDOUdsVk5Oc05MeVhneVBabk1TRFpqOGFCSjhWeGtFMTFBQTFtcGNIazh0T2QvWHFiLy9YNnkvejcrZG43Y0R4ZTlESU5qeGNMWW5mc3BUZzBVL2Z6a09Ndi9rY3hkNExObmJ4T3NudlN0MTZYU3h6d2VNZjRUd3AvUVlQVUUvWS92VFRwUzBWU24rRmMvV0FqcEhmUnZQYnNEc0wvd0hOa2Q5Rzg5dXdQUTB3UHErb0Mrd2RRTzVsZG1lb202dnBTNlFmUS9QTUd2TXhKd0VuNTNDMnZvekNmWDloaVROc1M3WG16UGQ1QnVkRHgxSm5PMDA4Y0M5T1QxeWZIdEFUb2JqM3hGN3hudFE2OTc1TmpKOTVtN2N6dTZSaWlPRVRuRGs1RzFmQXJrTnA3ZElyTk9neXVldUN0LzZzenQwMWl4dytlTWtkQ241cHg0VjBqNTQzN2tCeS9rVk9oaGZNOTl0dG5Wa2llMThaUGFiMGRGWXBZY1ZXbUJGQ2s4cjRtNnFFYmE3Rk5LVlRSb3Vab1d6V21KVUVNQWNOUTdiZXFISDNXZW9TTHR6d29yb01HWDZZMnRtVE5GejRIZWkvVFJucjdZK0d1amc0SGlqSTR2ZzArSGp3SnA4WlkrRU02SGo4eGRiMlpOVThkZXlUUGpnNG9raFVlbVNER3p2UjVaWSt4STlQTDlIbGtRK0JqaUR1ajgxREVIS1h4ek1tdDhMOEVSMzdQbXl6R2FLNW8xV0NYNGc3amVLSHZGZU9CanJQcjFodUVhd1llOXllTVJVdlVEdG9kK1pqZE04b2hUMS9McEs0MmM1V0pxa1JmcHpQRXlUdDQwMnByZ2YyK0M3OWNMdERWRUEwaWEzbDVGbitsRCtKM0NFemRReldXS3pYSVZTOHhIaXJYdmxLcWRwbUNwU1BYbUtPMi9WN05GeEdISXk5cWlnazZ1VCs2OWZYMDlvc0pTZlowd0VzU3RaU3l0MDJvbjRSRFZOUHF1NnVHR3R2RVFSTEpDZW5qMDZPNTR2TFQ5NG12VVZ0Ylpsd0wwck9sazBGUGxtVTc3b2ZjZjN3OGlCdlhvUmR6cGVEaEVGT2tmcklITnJZR0RDY0NZQUZxaGFEcG8rbnVqNlZQR0d2cnZBbi9XUXUwZGJTTHU1cTVHaUlYNGRhd0ZSdXVQTDh2WUVac2JBZ3J0WmxKWVEwQlRPWWFBS1cvUkVNQTZDMUpRN2FHM1h2aklOdnBnejZOTnRQL1pSaGMxbGxpN1pSaTlNMFluREFibnZjOWZCbHhPSDNQMWlOT2txVnN5M3A3aHIvRlArVUZTMW91L2w5K0gwbFd2Mkw3bmFKQlZ0TStVMHJwYnhWTkUwK1Q3UDNSVzFmenBUQjM3cXoxYlR6OU80ZkhvKzgzM0w3OTdhalZOczRlVUtBMkFpcnBsdkxDbDFPU1VCbVNDTEEwQVRWQUJxcXF6bWxMMlFxcFd5VUZyU21ZZmFNa2ZQVE9acGxmV0FBc1V6b1owTzRhU1BYc3hSU3phdDZzVDQrSnVkalA1UHY1a0RZelBmMjlWNFAyeTducWdNaldLQm1IZUQvWHhBek93TXZucEpzeGFDcjJxMUpoakwrblpsUXpCbHVoUEtUY1p5NGNVa3F5aEdIMDErOUkwbXJ0MGtrNTU1TWxScGRQMGVUeXovcnViVy9iUHI2UHYzMWY2ZC9PL25yMDlZZGt0MnVRS1BJNFA1b2YyZGU2Y20vTTM3ZXg1TkoyK2dZSDh1YWRWcGt5Z2FMQUZ3YWpJMmNXdlYxKzZPZTRLbmRZZTgwaGNpQWlxOGdIRm9PNUdMZVVEOUJDMTBLZlRGbFhPWGQ4WnIzbTBHVm5jYVlLOFdrelBWcjgvV3IrazYvOUdKMmUzMXMyUGorRWlmUDlKQzhMQ2tmdVNRRFVLbFBxYWJKZ3RFQ0NRS2RWVUUwMXJZQVdaYlBRVktma0RpdWZObyt6S0lwY2lmTTNZMkJmYW1Oc1JtQXlCTFZiKzBhbDhkQ3d0YlE4WjBXbDdNaS84UklXWG1JaUpOUnphNkpyb011NWt5U1BkbERlTDQ0c3ExWUJsc3lXS3BpWHh2bEk0OTYxRlBtNXhFb2NRWkJXNWVuRU9sa0lVMkZlenNrWFVBYytxbTVTdXljelVHRmtyWldSZE9rUXh1OE1KR2dwQTBEcDB3RW5RdnBZMlRsYkQ1OEF4dGx3OTlqdzcvTFpjRmxNVXhFZ0NGSnZGSXBBQ0lzZHVjdkp1Tmd4RzhFSVEzRFNrWU5Pb0dJN29hT1NoT043d3BNM01lL050L1VPNU9QNXEvL2xrUFdCbVZpZ0JhTWM1MzB1ZXo3WEh3UitlWTFvOTFrNE5MZTNqanVRRzc2UVd2TmM2ellZaWZwZnlYc1BJMUVoN3I0RkNNY1kydmRjL2JrKzVjcjlxb25MRWhmZ3B5ekNlVEVtbXBkS1lyOWJYWis3S2ZRQlA3dnp0azJ4ckEvZTZaUFVjb2xXMW8xVXBJamcrUHRGUGpFMmpWalFsQzBheDJJQ1NZaGlJMDFPeHFhS2cxc3RpV0RmWGJYTXFWeW5iMjFSWktsZE1EcFV6U2VEdEpxdTFUdUtFc0V0bERJZnk4NU9DL2tXNVFXZkttenk1b2ZEa0J1MmFibkJGeGFva0w0bGxqdTgrU0dXUmt0eVZJOWx3NXNQK1VaREZZbklYWUt6dnBYU3QwdXlNbEdZa0hvZ3Byb1k1aUpHOVNYcm9TbkpEWHZyRjV1UVBBSnNIeU5DL3pOTWJOV2szOUY5U3ZMSTlLaS9PdWowVU4rdzk5YitENGdZQUtJV1JsOVFrU3h6eVZ1a0FWNXNLSTNxTk9QVWY3UndHNVEyUHhJMmN5VTNGbWZzdTlqNlBuUEhZRGw1S1ZnUGdLcDBnY1l2SWNWNW5wRkdXcEgwUy8wU3AyYWpvRFdpUHZJWGFQWFdSQ29OQ2p2MEJlY3RKcHQydmpTOG5aL21BWHVSRFNKK3BaMHVyampQcmJ5QTZCcEJkTFVHV2MvcFRjNzNxeFVIOERNZUlQdk0xdm9GYmQra0VPWHJ3N05IMWZYZVc1VGQ0MHB4MXdheUIySmhJcnl0QWZXNnNJK2c2QUJyREs5VVVBenh6UFBSV3c5dWE0K2hEVmtEeGxxUzFYSVFNYit5ODRVZWxGMThZVXN1VGJwRnJObVNLRENNK3d0Vlh4eERxS1lZYlZ3NXhXUzZha01kZ2x6Q3l4MUl2bnN6VWdCVk9GelV3TktCelNJQk9TbXRVWHlJTWplZzdZaVo1c1Q4NzY4V0d5WllTSHk1eU9TZU80clJMT1BINGlpYVFtNlhGVFExa3RWbmVNS2EwQ0NXaVNpU2Zvb0dMQ3h5dmJpYit4MkVBTVlsVnJvZmlPejFKa2swNlVGZ1lVV3did0VEVkFCVUdORVJ6WlBLRGQwWDVMTmxJb1daUUY5dFNzVC94Z1pGNEVDZUdsaFBOS2lEY1ZOQ3BMRmhFb2oybDlLZ1crOGovdmF3Wi9vbkdka2pGalBJaTh0WnVZL21pN0lYYVQvcUt4Qm9uSmsyb0JPUVJTMWljRzBXSmNVM3ZEOXRiQm80RFVoNnhJVEZGY2R0TVhMWUpBZ3VYam9qM2tGZWlJeEFURVZFenlha1pmVmFBOEJqbGtLdXpsU3JHak9xWHE5bnlkTXhvZGVWcXBzRmF0NzN6Rnp2MHNPVExUbkdWMEtSMFFwMmpGUEs4YU5zc0hYcHhMRXdIdDZjMld4dzBzWHo3MWVMbVV4SmlTQzljYnVpOTJBak9MK2dKbGE5S2RlanZvdWk4VUJscldIQlVaZmR4dHBSNFJUazlSRFM5TVNkL29YNFZONHlXZnFROGlzckViUllROEdSTk9nZUlNYWxLeVEra2syZmJOWlM2VFgvY3Q2T0lLbTVic25FTWlUSTZhTzlBVTRxYklWVWh5MjJTUUhGR2dHZ2lnRkJlVDJzK2hHN1pMTnhuajFUZE1zbXpKWXRGTTJGbVBRS214RlM4a2thVytvWUtGUTJvME1CL1p5ZVcxTFpzSVNxbUFvQmNEb1NpTmpCR0tpL08wYVhTTVR1azk4STBIeUZLTHNhVDJBdEt6dmZvMWFaeFhqSFBEbW5jMERScXNkT2sySGthMzJ2YUM0MjdrZk1TV1hkWHgxL3daNS83eU5UR2FmRUVwQ3gxQm1mUTJFUEdPSHBqYzlkL3dtR1RKTmJLRzE2ZDNtdG42WlpFV3lsZlFaUlU4dzRjSjF4M3gyb1p1RWhxT0ZXMjZCNHhJQzMrT0hrSXZDekRiU2FuQ3hDT1ZJMTJNdmtMUWdQRFBNYnBhb1F4RG1WcFlIc3ZEbUw5aUNXN1V6dU42eUpBZlExbzE3VnB0TGdTN3gzVGFIVTZ6S1hxNWJaOW1OcGVFR2wxU1ZOeDdZYkZqUWNsazM0dFVkSk1SN1RNWGFtR0pkYzlHSU0weWY3UG5mZkNmUDFBVjltbXFnaEs2Z0VQY3FpRGNvaFp0dDJVUXlXQTNBd090UlNtc0NiL1JBalVOSEwzMHdHNVd3UzVtd2ZTellYMEZrTHVUcXhpQWVqdVZNQkdWUVRZa0Z6cXRtb0JvWHNmWWpXaXNkS2ltRTRWY0NneTlTYklORlhWQlkzT0RCQ1EydzBNWWJDNUd3RGFiaXhFcTVsRzMwejl5YUttRzZLZ2syMHBMSFE1UW1pUll5dWNKRkRnVlRjZkxjSWJ3cjhlN2VBMGNzWXl0dHA5MjVyRlF4QkhzL3NUWEtPSUxyQjBjVkRINUExSE5PUFBBNDliTUM2dWUwaWRGZnpsKzRoY2svTTRuQ29CMTA3QldLUTBxMno5QTVQWW13R1FvTE4xK2VrTHhhYlRPNjZFVUUxV1I1RTFqcExDUURydTJLVkZad0kxN09FcWtwOVpLSk9LSysyZzJlK2ZaZzhvTjdET0tUYmZ2V0xQTHRtTkZtcFo4Z0Y2anJNMzhtMDVLbDJCK29kRy9rd0c3Z1lDbE56SEwzd2ZmYlhBNzBST1BGc0hkMXpiQ3dVNVhxZ2lpTkcydlZCeXRHS3FWZyt3TTJrbE0zVWhiNDNIdkRmVEdFclRSaGxuNjV2amsxVzBDU1l1bmlaWnRWenl3S2Y4YkpSVThLMi9DUk9BS0hUdU5qTkptMXUyTzRDcTdWVHlXd2tkaVZGUGNiSEFYb1FxNm9zQzBkUzJ6cFBDRGozdm01dUlZZ3YxRUJEZWYzVmQ0N1RHM0wyNjNtaTJFNVhybERPNk5YNnVGT01MSE1oa0g4akU0TlIrZFlwTUJQQzdaUjUrZHpRSlBobWROSXpmYjNKaW5HVkFqdzNGRU1sbldrYUZtWVM0d2drRi9VKzd1UHRlOERXUjdyTENRME1HYzRScmRRb2VRQ1F5V0hESnlGV01JY1l1UERmeU5BZS83enpMbVpMZjkraXY2d0JQUGNrTnk0YXdPdncrMHkrVFBQQWREaUlPUFFkN3UvRURYcmllUGJTVzVQRnRINFA4bWZ1emNnb2NyT1gzWGlSbjJrVTBLb1l3Rk1GMnFTQ1QrTUtIQXc2alNxcWhRWjZUS1FiRnFTcWRLSkVLenBFU2Y4NFROeldsRmkzOGlxQjM4b1JXRHNqTnhKN2JualZ0UW9KUjBVTm9IQ1JZbVFURG8yY0xaQzQrWWhzMjRtWnhpNHZJbTdFL2ZNcHcrbllpY1hCR1NOaFVFck5kREpnVlN4OGlqZjVoSnN5dzNuS0dXcHdCY21Dbzc1dWhLcHpvOE80WmFtdG1iQW1HeWZ0MlMwYTl4eHFMVU1WOWR4UlpJc25HamJiV2ttVzFiMktFSDZocGFPVm1mWmg2OVY2cVVaS1BucDNKYUNzaFc2WjZjUnJsWUJYMEVEYVdzS3NPUEJYSmxJdlNKNjdtdDlVd2F5L29sSU1Kc2R2d0FkVWd6aFR0Y0ZlVllDQkY0d3JUd2JGMHlLNGlhYTBsWFg4OEpGMTNPdW1hOExsU2xxWVdlOUFiVExYZUJ4YkhnZlpzUWhYcFNYMnRGVTJFNG9BQWlQYi9xOHdDS1orOXl1UkxsdzRSMVJtaWQwYTltemFiK01rS1FkNFYwaWFpUmdocDJ1SzJQR2hOVy9nSG9YajVQU1VrbGw2NUoyNExyRWVua1hnVnV1dEhtMGk4ek1WYVIrSXRJaHdtWkl5ZFlqaVZIeTBLVEFxM3E4ZXBNMFFiNTNGcGdHakovOGU3dTlzUGd3clYvY0lrVzRJSzErbkFNZVZKVW8raGRLTHlYRUFOQlpUWjJIQkZkUHVrSm1SakI1SktlK1E3NkVDNm11TTM1VWFUVXdvYmFiUlR2a0xmQWFTVENNUGZyRWt6RU1VbFRKbzA2NmJlZ29wbUtqb2xFdlQ2UFpvMWVpN2g3T21xK2w1U1F5emVwcGtabzhMeU1WRGFmSXpTWlc4VUk3L3U3VWZFWE8zYWdxOEtxQTAvVzVFRXZjdFp6UjVEYXgrRVlZcW1PaG1lemxtdUZkZW9YS3l3dlJ0eFdFQ2dYWUxwbGMweUNkV1VSMEtqazIzTG5iTE1rR3FRMjZvSnNtUkYwMHZMNXBZNERkVm4rWEtwTy9COWtKTndnVVFoM2JYZTJZZUtJakFycmpIM0hzaGVTRURiWTRZdzlGZElUTElxcDRPb1FOZXpzOUZWMzEyaExURXFrdjloS3VMRkNmOFJLbW9nVGxpUmlwUXMyVEFoMEcyVHpjbHErSXhOSzNRYjB0ejFuVEhTb3NPME9MSWVsanpDaWhvT2x4SldHWXJCTzhMTEFESnRHWE8wZUlPanhjdmJCTXdJdmpIWG9TWCtUWXR6cDk4TnM5ek1vUlhWOFlzN3RIUVk5Y3hvMUtFRlpFV21neHlpbVVvY2w1RXNGMC9WbkVOTEwxUCs2NHpwaktOcDhML0JabFJZMHA0OTYwNDVPUVZRemUwb3RvVkUzQXVvNE9oWGs0bTRiWG1HaWhKdTg5cnh6dk5yOHBxUUxMUWR6RzF5enBFc1d4UXNnNjhicnVmaU1NbGhQVzkxUGYvWjducm1ZWXZ0ZUQxZlc3UEhrYlhaa2k2R2Z1R3RLdDA0bDVSdExldjhwWnV6TEtiaE82bXh0SnVwamFDWXdKbWs0a2FwamRSTXRMQ3E5UTV5NllKVkxacHhVUUxKY2xqVjcydFYwN0ZicUxLcmV0ZXhxYXY1Qy9ya0c2M3F5a2thVlZKcmQ0TmNKMkxqRmlYZmxadTRvdjdBMk1RRklHb1IzYXlKQytpOFdxVit6Z2FrY3phQVFuUG84aEtoQW9PeWNqYytLa2xEd0VsSkQ0SDZMb29aaHBnUWNkb0VnWjVaTFh1djl0S1BBZDVTaEpvbDBBdHA4WHc5L0RJNWRaN202L252enhlTDhkZmVPNGh6Wlh5VFRWTG5EKzNyM0RrMzUyL2EyZk5vT24wREEvbHpyeHVObHVsZUI0cTVoYVY0Y1JvR1ZNTmsxN0E3VkFnYVFXQWtJdTVRa3Y4YXcxemZoVERYWVlWOEFnbWNBcnltYXNwek1uNllTMkNja0FEN0dtOWMyeE9rSE14Q29zbS9WbENXUDErbmdMTXpvTnJ4cFN0REhtZHU1dnNjVWNPVDZ5SEtHUEZ2SjhIbkZyNGtLNkNCK25Bbnh5Z2UwUWJiMlN0dWxSSzMrRExqVWtBUWw2cVQzaXBJNkFNak9SeTNYcEVUbEJBWkpwc0tCMFVFaGpQSmFBdlNWY0s0VFF2WmllNWVpYWZYcExockF0Mjh4Yng5WFU1bU44L2dvNjlyOTNEMDR0bm5KU3d0eGFPNGVqUG1RMWpmSlJTSXhxZ242SDk4RDlLUmVvYVhCL3JWeDZuZW1SMzBiejI3QTdDLzhCelpIZlJ2UGJzRDBOTUQ2dnFBdnNIVUR1WlhabnFKdXI2VXVrSDBQMnNra0FLeGEzdU0xeHlzRm1YS1NZUGpHU1k4MkxLSng2M0N4eC91QVcwaWxvVzR4b01WMG1IYStJZ3NpMmx3MXpuTkVtazdKNzVzQzhFdGpXNEp6REVDdUxZdFhWM2RvQmxRaDh0L1F5dzJDRzRlSDVoUmxobkpoY3lJV3VGQTBjOVBqck9LMUlGSmRadEpWV1l3REJzcFptaGVTRm9jeGtSV3krWmNpRlltZFpZTHhYVWtXUS9iRnAwUjc2YTVpZ0FMNURJOEx1L0tOTGtUWWtqL1R1WUlwS0xXUEw4eHo4VW0wOGxET3hhdWNTN1JjdlhZaTl5NjNQeWgvUkcwRFVuWDRwU1ptbzd0blM5Y2crTEhuSVFuYnNZVG9IUE1kOXJJa0FlRklZVHVJQTd1a0Zya3VzQnFLZXVvc29mTzZNMzY5WExmRWdmN2dhL1p5b0tlc05oTnJjSW9lNnNaTjNVMzZ0Z28yUEFNUW5GNkJSZDB2aXJIM1MxZS9DeGpaM1NHNm9wQ3BjU1JBNlE0WTZQdEFsSmNvV0xsWUY4cTNwcFRWN2lhU1lZT2hGWi85ZlpDQjh5U1NtSUdjTW9qK0NlS1p2eHUyaGRlbzBGTG9HaTBzN0g0Q3JFQlVtWUJONlJTbFlBVUtMRGkveEZNdjhJMVZyNFlwZTBzUnROa3d1VmJYNHhwUzdYTVJ2MkYzakRhY3hOTmVDU2ZoSUpyR2ZpRmpTVTNtaFY0VUc1ZTUraTBKMmZSbTZEM05VL05VbW1aTThabGVaeW91R1Q2bjlSa2FMVk8xd0hJelFlT2x0SldWUnlURHBud3JPTWRwd00ybzYrTEJUdUxBd3g3d2JaM2FNUkdXc2lPMHpsVXFnT2NYSjZNUkE4QkRHQk1ZY1drb3B1WnVtT1ZVbjFxdHlOVkplcStSTkZvdDJpeWJ4TnliWHVtVFRZc0lNWTlpaDJvblJhQi96S3lEWk0zd0VzYzZLYWRyK2F2N3pvTHVMSlB0M3ZpcjdhUWkwN2NsWlJyanZkdkxDK1pUTndONWVXV1Vma0xpRUtZRXY0UlBFVCt3M01RYS9hVEVuWUdnYitWY0IyenppT1dYNzY4U3gyeTd4T2ZmVFBHSHkwRThSZ2RNZ2FJN2RSb0tZa0tRVi9TVW4reTdMc3RKQnBOenVwSkFuS0NHU0tJUkxPRFlLUkFtKzR5MFZJeEpnZ083YmpmUVZDd2s4WkNWOXB4QzlzbkZVbW5CRkh3UURyN1FEcHlCNnQwaCtSbDg1Y3p2OStYRXU5TU92UkJNODY5VThQakVLSk5OZG5Vb2xQcFpuNzV2V0Z5MXp1OUttZk9hQlM0Z3VsVlhaNXJTaTllY01STnNtNnJsQnRTS01NeHJubHFqV2piWFNQb0swSm1uUXdHNTczUFh3YnBLRnhkTStCSU5rWkJzZndVdjRjZ2l2Zmk0Q3pwb0xWRm5LLzYyVjRmUlRpUitXV3AzTVZUYXN5K1QyMWZHQnVOKzlMVXlzcCtLN28ra0NualZ4ZFY3OW1xY1oxQitoZEZkdHdOMHIvV0ZXTUJzV3pBc0FEN2JZRldaa0JMcm1kTmNPbkMxSjR2dzNLR1VIWEtLemdsN1pOck00eHdGaWZhUVc2Z2h5L2ZYOEsrTmJQK0luSjVYZmFIeVYxOGNPanhWTnZsWXNieWRmVHB2NEhYRzkxN3k4bG42L3JpL05lRFgxTCtrR1VzSEg2eEwxNnlqUUFvcWpZTjZVbDlKTTFnaGhKNmtSbTlvU01OeUZRN1dJV0c5UlJtSnJwTU14T2xlcFN6UVFRS0lHbFo3cUhJNVJ5SEdjTVUvZ3YwQ2FrenByQzNTSnRNNjhhYm9CMWZKalAvS0owOUhXZ2REbjYvMHNpZTJwT2d2TDhHUXlqV05BNkZtSHRUaU5tVnF2Qzh1dlhOTFEwR2g5V1VXVk9EbS96RWhCK2FMV2xqaVRiYjQ2NEdXUmE3KzNlTWVNWUJZOU9rWXdqMTFud29lWUNTc0paL0pTL0xiemY0ZnBSRU16dm9ZeWxid2x4ejdCM2dlVmY5N09XUnEraFZkaVhyMzRpYURVYXJyNlZJbEU1RHFXMGovWURMbWtPTHJ3WkxybHdnVUxkOE1sVWlReVJxeDZ5cmZJblZaQStxbEhVRlRaSzMwREMrbndIN3FwVDh5VnBIWmx0UldSQkhvS0lybFlkbG1URkdlWXFzWVpvbFF6b1R5bVVKTXBVTW1vbllnZ1NmSmpjQWRmbHBCZjVjekFmVytQcHBzZEMvSDJ0WG8rcFFuRjBVUjVza2luTzc5UENvbHZmMndKYkVrWnB0WkFPQWFDTUlqcnRENnl1R0ltbUtCbFJvUkFpaE1kS1UxaEoxRzFROEJFaU02NEFkQTBySDdEQTdyMGtxYksydWRLK3BrRmQvdDBzeTNCWHQ2RlR5RVFEbExrR0czdXFNYVo1RzJXZkRLV0F3OWFjbW85dEphbTY2WnNNb1lnZHlBcmNBYXJLSVlpRDR2V0FSdFJrQko0OTNsM3pBTkVCZlZTRTBEVWsxWkZWV2E2N1pVZ1pEU2YzV0dBeFRQYm0vREthMURsTFlkVW5qeWJGaFVlTUtPOVBHMkZQTnkzRW80eDJGT2tVQkUwbWw1NGp5RTJFODNHWVR6SXBLb0paTlphRGxGb0UxMDBPQ2NjNkd0K1I2STlzVFNpOXFKeTJOZGliRmxucUhYS1lPYVI2QjdnbmRFbnBneis0dDBVY0p5Z1pXSGljcWNIRUtaYlRPdGV5U1B2M3BHRit1OUpNL2Y4MlR4K0czSytsNXVLNHVJcnVQNUNVaU1ybnZnbE1Md0QxUHRQSWxjVHNwbWtia1VyTnVKMG5SK3ltdkU1VXRaTkNWK3VVQi9oMDRiR0traTZqMUR3NU4yMHNjanI3TkZSbG9PbmZva05JWlFoY0JaS0IwZklzZkkzZ1cvQzJkV2E1VVNSSTVoYWxsUndMZ1VPUzdJZElGN2ZIa0pKYnVtc3Q3OXArVjR3VW92R1Q1YjU1ZE9nNVNPK0xic09kRGI3MElhR2J6dVFuUnhibXdHOGlnZnpSRnRVaTJOSmFodW1uU0dEVGtJT2NsVFQxdFJmYUFUTmxVQXBFSkFKV3lNZHN3ZGU0OUoyaUs0dG5MaFR0ZmNsdDlpVXVaMHRUS2YwZ3A0eEJFVThGQVZUUFZ6Yld5YmF6eVBZcS81VGR3RkY3L3hla2VoLzZONzZ0L0k1MjExRVhsN0JZZkN2Q0lnOTRzVGVoUEg4K1B6ejVjWHczdVBseWUzd1VzNk0vS1h2cDhOUG9hcGtwcGpzbjdWS3FldEpsNWI3NnRmeWdYeDEvdFA1K3NCK3VPSjBPS0hBQVZSQWlBa3BKWnZiMW9XVzdxTDRmWlNKbEJMM2RoQjdrUlhUeXFJV290WEUyRDdRdEd0WFlncEM2RHFycG9DTWUvc0VDc1BIS3hmZjkybmVOQzRCR2pkYkg4STUxOUhRTjdxdC9COWZKdDh1T2lwSUx6M1JManRoVTZ6VEFwYXF4YWxWZFBvNk9MMXhDeFZpNTQyNDBXeU5OT3piNlordE1VR3dLQTdvMGttaFRYV0FvbnA1UTN4M1dSdEgrSlNEelZZQ1ZON2ZtMmVTWDlWVlYwTlBQTzlkZXVvQlpRQ3V1cERpQzRxS1dmNXVya3ovYjZZV2JOcllrOVF4TSt4RDJ0TnRkbklaVjVvbll3cE5TQ1Boc0JoV3lneDNKRlo1VXkwM2NrT2tYMTJLWkVKNURhNkh0dXlDVThYMWg4bUxMU1YrUmNzYlExbmZaZCtXcEVFelF1TGQ5K3RmZ1FGTHRKeitDbVBCWEhzZy9wR2Z1WG5rR2o4M1lnUFNQcTVwRHVPQWpJNGlYTGxTeHZRZ0lFRENoYy9WRi92L0RNaUo0NExRcFpNa1BhSjRqMTBIQTJBMUZMaENSRTdnRnZrZHRBQkFUVTZEeXloUTlyRkIwbWJRbXoyRWJrbGdGRW16R0J5MXBNbmJJUlgwYzJZK3lqZURpTWJ3MXFORWhTc0dsUWVFbFl2UTVIeStpd1FoNFc2d21NS281UERXZENGMWVNakhvZVBxOHFrYmVQTmdtb3Q0STJ5VmRBcDZxd0FKa0o0NU9wZWpLRGtXekc5MHBETnhWSTRtN3dwTWR3YVhVY3NTeXZvbmFiYk1lZzJJNm03Wnp0TUl3aWhJbEN3dHZPTnNwTEJMZVRwRlZ5aFhZRVRoSXQ0SWUzdi9MMDZyKy94MlBuNjNjd25jankyMk41NlcxT3VXSFlrYXVqQ25pTnpsdHI2SzBtNE0yK3ViMjZYUDkrdHR4ejZVdFBiazhmVjZEY2dFSmVHZVZWWXVSdEtjb3JOWVFGZXlxdVpWQnpKSHoxZGhsVUhJbkJ0K3BDOWx1c0ZuQW91cWk5eG9lak1DMXVhbnNCUElzUWhHZlNrME9xMDIraldHdWdjQkJwc1Y4bTdCTVJuUkxHS2JITEViQmNuUjhLbzg0Y1V2SzZsSktucXQwWHNhVkk3OFB3eFdHbm1EZDVQQW9TTzdBeG5meGpCclFsQlI2MHNUVnpwdXZ3OUNkNyttTGp6NWM2VG5uWVVnZkNDK01qYzllYldkUFVzVmZ5YnZCQkpmaHkrQm1RS0xXOUhzRUtZa2VpYitUM3lQTEF4K0lWRWgxemtOU2VrMW5qZXdtTytKNDFYNDdSWE5Hc3djckgzdzNaaXRrcnhnTWZZeXJvTVc5TURwUnY5RE83UWQ3YnlGa3VwaFo1Wjg0Y0V3RjU5cWxyK2FsYkVNTFhUOENMQlFEMitXd3VpK3hheXAyVTBzQWZVNEgyNXZobmEwTGl1ZW9UN2Vnc1RldkMwLzdDcy9iVlBMMEtuL0t6U1IwcmVKUzM0RkZFTkt4ODZOdXNobFhrR2EzaThGUzBSbHRvazVrUlowdDNBNU16NC9UYXZjQjBFMUtJZTh4Y0c2azNsY3RyYWFqZThxSTBaZ2pZUmFMbXRUdVpZQTZGSG5XTzJjSVhkKzc0cmhmc1l2bEE1SWdvTlpOS1dud0x4ZVhLOFprREpVRTdOYlFqR3FRNUs4WGpreGhJdFFaY2NqUlFLd2M1emVBSWJxYkNzMDNKUFFuek93SzhRMmMrZHRsdksvQk50NWVHKzI1Z2V2anZVUlprenB1bVRFblp3SXN1aW05YVBZT1hOcE1GVUhmb01WV0wvb0ZNUXhZMkNybTZQU3dBRWNwTEM5aDNYTGpQVldVNEFCNzVJcWQ5cXRJb3Q0b3V0VVJWT3RVaFFoTlFLVXFIYkVPbE9NVndxSGVlNVpUaWMzSy9ZM0dFZ1BJUm5Kd0NxT2Eya1c0NlV5Z25keWJBZi9XREI2Nkk3WGtCRmNXUWozSlFmcmxJdnp5MFh5N2lMNHY2bXpudENPUHdjcTVBNytUdDA5bWRnRDN0aUVEM3NqdDUrM2c0eGZSb3dCa05xTkVCU3ZDT0NnczZVVUNnVVhKUjR6UmwyblViODRCRjNGdis4S2tXaXloT2JOZ3BpeWdpOG56V2NDRC9kMG4rUmZMaUZhLytCN2tqVEVMbHVKdDN6U1RDQm9RMzNzU2FPMzh0L0dKSzBXVUw3SzB1NUIvbnJBYzM4NGg1bk9YQUl4cmxFUTFtZmJmRVBackwrdDZjWHpCVmlVRGFjbGxpaWpGOFdVMTlwL2ZObnVCblo5SThCTkJTY09oM2tGZkR4Q1pBcFRuTUQrM3IzRGszNTIvYTJmTm9PbjBEQS9temVLZVBKZ29VRHNIVmpZT3JjWGVlRGdWWDBZY2ppQWxCdlFEbVhNelNmVnpoMmVadU1PZHFpajhwZTFJcUVVcVdKbFAzMGVJalloV3ZjMjUrVDVYYWcwUHlVeEd6RVBCVHhiMzBJTkFvZEVpeUxOdXQ0bE9vV2dXQjNDZDZpQ3FZNnA4VFNxbWYrNlJRTTlYb0U3Z0QzM0RZK2ZJSUp3Z3NneGg5VUl5RUdVTk9PQzVkUDFTRG5FdHpHZXQ2bFJuUzd6WTVGNUZwRzdtTXVrRjFub05iSVdnTmxsRm42WkNLeVl3YW5jeFlHOVdXYnBjTTZaazZTZEFzelFwUVpSbU9PN3BKa2tWU3JZOWtQYWlqNEhwaHBneFMrUnRMaGNHei9neG0xVXdsMmhIbitRUy9ibTNQUVo4RUs1T0NHVE9pdU0vOHhFbEJNdDQwS0V1UmZsTDNYaDNJZ3U1MUlwb0I4NTZnblUyNWRNeW1NYThhQllLUjJ0MlloZmxQbHZLMVZWR3p4Y29aa3kwZ09OcXg1WmxVMjVFMUNCaTVWZHhqRVkzVUgrNFVLdDh6dnk5dzdySTk5RnA4TjcwVzZjSlVhSFpnblZmcFUwNHpjYVFSSVJLNFIzL2grM0dHcGFHSC95NVAxdDkrLzFVZngvOTdNWUJxbmM2Z1Z3bm42Qi9vQ1o0ZnpLMWtQMEVOYXRuVlZzdCtLa2VpVkVWemUwb3pjV0w3WlNmOXdIWEtIU0xRRHB3ZW9qSXBmUTJxVllISVBmRWN2QVI0NG9hVGRYeTFtSjZ0Zm4rMGZrblgvNDFPem02dG14OGZTK0RJRDNrQi8zck1yeXMxM1EzaU50bVlkQjVUcExPWnVrb3pRSjBWNHp0UEM0amllL25tVjFGOHI2UjJNdzNrd0t2VFRJRXVwQkJaOENZTnlaSmZsN045TzI0ZnpiUXVCUkIxR2dDaG8rcHRQbHBLZWwwbkVDTENoaHc0NEhic0lXNEhnNzJuN0I1TEdpODZadDFlemRFTHRVajhlekZGYnpwNHZ5UUNSa3lOeGhxQTJHL09NZ3lwY1NCdjYwNTk2aTd3bXg5WnZ0WElkRS9XUERCUGowK3ZtNXZ2dzVrOXRZUFg3RnVUUmxxcWZMT3hKZDNJeDBrYUgySHJ0NEVKUTFUam1UVjN4a0ZHUllBYThjME9QQUFFSTJZRDMxWXhxdWxlQWpGaWxtcDVmblFIaFJXU3BlVndISERHQXRFaTdnQ1Era0NudWxyMm1uSUFTSkcrR1VVVEZGcXozU2pPeUVZOG9FNlZNYk5YelBNVVZLL1NvMUw0RklGdU1zeVluVlFVaFd4NzZMbkxaYThKeG1BTmg0aEU4TlZ4ZHpTV0IwUmdMV2tlY09KOE54L2g5ZDM1NThIL3BrKy9ibTVudng5S0hBNE44b0E5eTZnd2IxK1hrOW5OTS9qbzY5bzlITDE0OW5rdityRHRwRlJFdDlGc1EwRUkwZHk2ckVGVlVVd1ZnaXpmVVZycjFrMjE0WVFDd1ZObDR5RVZzenZvK0ROVENkbkpBdHh0ODVLVTRjWHpFand1Zi8yNlhLei9XNi84cDhtUFQ0NzFaZnoxd0ZaeTJJb29DRFNYL1FEUkRJOTBtMUtqalRhbGhwbmpUV2diclZreHkvTXBTb2UwelJQVzNIZThSUTd4R05ZbFNyL2RSeTVxTzg5Q3lOZUFjOG1ZOW5qTW5ORW9JSXNVemNiNFVZRVRnZ2VJa2srSWNSQ0I2eVpKczQxR0lFS3BkY01MQUVlOGIxZWVZL1pqWmo4aVY4V1RDejlpUTlsd2FZWmVIT2JOc3ZjVVR5ZmZsY090UlRpcmFBUzN5Tktya05GdUtOa0FibU1HSE5aNjB2cGExcHhUR3MwYVpiVTIydHNteXZ3Mmp1ZEtKVnk5Yk1BMmpMZ040ellZRXo4SzI3RHcrakdDUG9Xemp4RTBnUlR0SS9ENmVDZVVreGdQWmVrVkdDK0h5TTNlUlc2b1FtZXcrOUt2aTlOd0diSzQrUkVYRklyb0pMRDNUWkFHNlVhUllOOEhoMDBPNVVTUS9YaFRpYS9QVWhaU2tzaGRKVUQwUEF1b1FGay94SnYySzk1RTQ4UUREdlRJcnVzc2NXNHJSL1FzclJucE5VK3NlWGMrelczd2tqUlI0SFJEU0s5dHJsb0ZwWGU3dHJkVENiK2JXS3FVdU1zakxTckppZXZRQXVjQW53OU9id1VoMHErT3Z3UWEydFFaT3ZhU1A0aXJtNEVZcGh4U05NQ3Z0aW0yalZuSEZPM21TaHZKZFByY3hRV09YRlR3WmxIcktCNWZ4WFNUNGp1NUoyc0J6ekJjZVMreHRaYnhkN0hHVzk0YUZiV3JBR1ZTVllYenpUR3BLR2NWMHk1WHZPTWxQVlAxb3R6SU5RZXpqd3FVN0VSdDlpdUFrYjVXVG5aeFFEc1Z3eStodjNnSVlrekxNQVZDZlBCbmV4MFI3N29DNlJib2pnb1UwZFdLM2RVSFdxNUJ5ejJLbU5XRy9DTVNqYnBhbTVxWm9rRFJXQmpicUlST3V0OFdNWXZRY0ZLRmloYTFqWmFBNCtmUUZqTVVhWlhPR0JNUHB1S2g2eTNjQ3IxS0ZzbDFoUnVVc0ZZZjE4Ymp0QS9rdXp5SzlkUURYVGRBMTZCV1EyNldoTXlzbzFNMktJa28zaldJbWdrQXRhNlFCbGtmYi9TekczUzlCWlVZNXJ0aUVrcE0rbndLMFdSeFFlV0JKRGRYbTZQbHN5RkZLcmh0dkNvbGY3SnBYaktOeFM2T2hGRThNYWplNVN1aTF5emg5K2c3M0xFYzl0dzMvTkVTb1JwbURJOEVxWGpzdWJQQXE5TmJlUFlzSlZUVFhpQmgwdDY4djYraTV0SDk1YWNWK0hNeEgxamo2NmZGUXY5K3JGMk5RaFNMcnROOTVQNloybU4vNzlsQU05WXpIUklFa2dMNldvcDZxUm5GRytBd0UydUZFd3V6Z1d6UENHRHNqQWtRQkx1c09adFE2eUJXeHFWTHoxMHRXcU5VcGhPM0tNM0srMEN6KzB5a0RTVU4wS2tyQ2JScGRVZ2VoaXJwcVlUcGtBYTg2cFEwVGtvMXJObmp5TXAyM0MyUnhEaE5zcXFUS29WelIrb3YwOVIzK3RNeHZsenBKMy8rbWllUHcyOVgwdk53ZmZCS2JjRjZyZHlTTnk4ZlV1c3JXWmV1VVI4Vml6TlpiZGRVZDFSaVFtaXlGSnFqbmp2bFFpV0lrOGRCT3JVc25acHkyZEo5cmd6UkFpSE9WR2JKVk8vR1p6dHpsc3V3WVlEa2pnVUZrLzlreC9TRmxvQzRvemNJMDBRRUtpYlJlSFJxWFN6L1NHZGZ4OENlNm5kd3ZYeWIvTGdvS1FVNGtPbm1VZ3cyNDRJMXFVcTUraEtNbWFtMitPcGxQYkE5bXR4M1JhWjFhMjBxRTNiZEM5VmdCWFV2RlRDUG0rdmpISGQwUThyd0laVFR1akljSVZSdDZqR2lzeVJxOTBobWFuR3FkMGlPSHBWS0grOUI2ckYyTHUvM0pFYWJKVlYraS9RRHFlNkwzVXFyMC9WVG8raVo0dlpjMVVuVnlFelVGWWtmZzRVRWI2UVhOVGpJYys0S0VtQTBINXJwdVVidWszQTM4NE90M0hhNHBTSGhDUUFOMUVVVGtyaXh6RXhWTzdLYWZkYXV4RlhyS3F4UlJVcXpQbHd1M1JVWGdSem9yZ2xSYURaQ2VJWmg5clBPVWwwMis0WlprL2hNU1dTNkNxa05KditwZDAyRFVTalRlM0dRVkx4MjVzK0JXQXk5dTJMUmxQc0JHZjRORGJwd3ZRRWNoTkRXMTF4YzZ6cDZLcityNWlHRHYzWGlOQnB5SWRPWjl5WXR5aXE0a09tbUkvWHpqU2o1MnFQTjB5MFM1WmR2UnlGK1M2NUdtcHh4RW9DbnlOTHQ2aEdkaXZlU3dtYU9sN2RHVTY1aVdMa0RXVzJzYXlwcUkwU2wwcjN1YW1mMDBUTXB0VWtxbXdxNFMzZHZTZkxPTjlMczByY2VzYVNUZ29aUFhLMXhXeGs4WEYvTXdXMjZCYmRwTTc0WWpSSnhHeVR4NktCc3FncU9VNFAvdEIxUlBIRVNmSnhTaXo1dkwwY1Z6WEZ2Q3ViS041MWkyeGExSDJLdExZdGVveGxqMDlRQmpab0taSXF3eEUxTnMzd3lZWG8zVE83emRvVGFtWXhad1JESkNkWjJ1VEVXWGpwK0dFczVUV0lwVXMxYXRqYVQ3UGtNWUM5MDczZVVaUSthU2JJM1lKYnNBSkNrdmxtM0FzNVFCV2JyWkx2WmpUUG1zelRDTlUrMWZTQ1JmYWFKaHBMYVRVYUpsYzErYlhjc0xKOXMzeFBiNjRaRGFGZzdhUkg1aFVLVTNiYnlodGpyRm9SakdyamVGM2RFamw5aGJKMTVFQUo2QzhDVWc0YTRteU1wVjFBTkN2czJKYzJhb2c1TmFhNDJNMTh1THFlWHRtTmRQbjhEdno5ZHJtLy9IcklzVzdEenBiNGtaeWk5cHpWajZ1dFVmbVFOak9HOG1ScnQ5dEFZNUV3YUxwQm92Z1Rlb1FTR1p1Tk9MQ0xZTXh0ZjVFY2xxSnROdWN0R2syUVJkb0orTW9QQmVlKzA2SzdiZTNIWGJjcVhhM3VDTzVoTEg5M3BxUDFIdVhtZFkvTlFUQUNVdFBERC9GL0xvTHRtbS9raG9SQzU0ZUw2VFY0YkN2UGcvVzNiKzl0UWpZeXBOeVVSVExWa0ptRTFWNkZTRHVoeWdEWUZSaFFJS3ZZSEhjZFlsN1VUOEhKam9ZS2FIQ0pGb0ZLVWpNbFhvc2szcGRPaFRSVW1NZFg4OENxLzI5UmVJQ25zR1ZGTGZWMkNiWFRLVU9qMlU3VVRGK2labUZ6ZGpWUzlxZ0R1OU4xb21oazVvVVVmZ0IyeURSRDNYUVNSOE53TDE4ZDFPTllVZy9KS3N4VUpIRytHNHNKWEhVUTh4Y29oTTdIdFVGRXptZ0hkQUZXdG5ROE10WktaeElORUV2ZEp0MkpKRXJ0UmFjZHVqRk9ESytrRjI4cEpidkk2YlZxcXB6ZmZCdTAvQVdWRlNqUHMzMnZycXQvc1A2dXdCZXZDSW1GRExDaU83d2NWUW9JR3N0dENocDJvalVhOEpkN1hQVkV3OFpaQ200ZUpxb2ttVjhsb0JXM0tlVW9uQWRwVVkxVlZvNHBLK09ibFFZYTBubHlrVlZWS2N6ZzJyWHZWbGlMTVRQV0xTaWdNN08zWmw4SktvWmdKU2JxdHBYRk5CTXUzUkRzMUh6TFY5eU9PcitOK0NpeUVYZHl6U3UrclRTRG5GVjRGbW5MUlZXcVRaL1I3Sys0ZjJJNTZWd3RmUHU1U0ZGVjlwVG9DcFNtWFgyUnlvTnkyUldSam5mY296NmxXT3g4ZVFBcVFUNjNldHU5OTVocDhzeGVJOWl3L2pKYXhFck9DLzNhbllUU2svdnZlYXVuajFxWm9FdGkzWnRaZlJEU3Z5LzdRblpWNGlzUTVEby9OOEozQzhvSFB0S3NoNk0xd0dUcXJxYjQ3aCs3QlhOK2QwNk9DVHoxNnBsWWRPa0tOYUJqM2lJUVlTSURaT1hVbkUwU0ZmWllHYTBhRWdvU2djamNKaDJ5Rm02cjlldjUxS2kwK1RWNitmN0pPTDY3QnI4Vlg3NUNYMkRZRlJ6S3Q0VkN0WW1wOXFzT0VlTENXbnFzMndKRk1LZXVOVXZBSHozWDlaQlJ1dm9lVDZmQ3Avd2M9PC9kaWFncmFtPjwvbXhmaWxlPg=="}}