Skip to content

2023-10-02

Latest
Latest
Compare
Choose a tag to compare
@jon-trust jon-trust released this 02 Oct 01:50
2023-10-02
2e37bc2 
============================
Summary change log
============================
New control: controls.S3.C162
New control: controls.S3.C163
New: DFD added to the JSON
Updated: threats.S3.T37.cvss
Updated: threats.S3.T37.cvss_severity
Updated: threats.S3.T37.cvss_score
Updated: threats.S3.T39.cvss
Updated: threats.S3.T39.cvss_severity
Updated: threats.S3.T39.cvss_score
Updated: controls.S3.C58.description
Updated: controls.S3.C61.depends_on
Updated: controls.S3.C62.description
Updated: controls.S3.C64.description
Updated: controls.S3.C68.description
Updated: controls.S3.C96.description
Updated: controls.S3.C96.testing
Updated: controls.S3.C136.description
Updated: controls.S3.C136.testing
Updated: controls.S3.C146.description
Updated: controls.S3.C154.description

============================
Full change log
============================
New control: controls.S3.C162 "Block requests not using DSSE-KMS when required (e.g. by using an SCP and/or an IAM policy on requestParameter.bucketName with a deny statement on "s3:x-amz-server-side-encryption" = "aws:kms:dsse")."
New control: controls.S3.C163 "Monitor requests not using DSSE-KMS when required (e.g. using CloudTrail log event name(s) CloudTrail S3 data events with field(s) requestParameter.bucketName and "response.x-amz-server-side-encryption-aws")."
New: DFD added to the JSON
Updated: threats.S3.T37.cvss
From: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
To:   "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L"
Updated: threats.S3.T37.cvss_severity
From: "High"
To:   "Medium"
Updated: threats.S3.T37.cvss_score
From: "7.2"
To:   "6.9"
Updated: threats.S3.T39.cvss
From: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
To:   "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
Updated: threats.S3.T39.cvss_severity
From: "Medium"
To:   "High"
Updated: threats.S3.T39.cvss_score
From: "6.5"
To:   "7.5"
Updated: controls.S3.C58.description
From: "Track all buckets you control, define their authorized data classification, identify whether the hosted data is primary (i.e. source of truth, for example logs, backups, forensic data, raw data, etc.) or an input/output of a process (e.g. file-processing, software package, etc.), their WORM requirements (e.g. SEC 17a-4, CTCC, etc.), if they are production/non-production (preferably done at account-level), their storage class. You may use tags, Infra-as-code, AWS Glue Data Catalog, or external management tools like <a href="https://finraos.github.io/herd/">FINRA herd</a>)."
To:   "Track all buckets you control, define their authorized data classification, identify whether the hosted data is primary (i.e. source of truth, for example logs, backups, forensic data, raw data, etc.) or an input/output of a process (e.g. file-processing, software package, etc.), their WORM requirements (e.g. SEC 17a-4, CTCC, etc.), if they are production/non-production (preferably done at account-level), their storage class, and their dual-layer server-side encryption requirement (e.g. for NSA CNSSP 15, or DAR CP). You may use tags, Infra-as-code, AWS Glue Data Catalog, or external management tools like <a href="https://finraos.github.io/herd/">FINRA herd</a>)."
Updated: controls.S3.C61.depends_on
From: ""
To:   "S3.C58"
Updated: controls.S3.C62.description
From: "Verify all objects on S3 buckets are encrypted with an authorized KMS key (e.g. using S3 inventory, see <a href="https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/">blog</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_types">S3 Storage Lens</a> UnencryptedObjectCount and SSEKMSEnabledBucketCount)."
To:   "Verify all objects on S3 buckets are encrypted with an authorized KMS key (e.g. using S3 Inventory, see <a href="https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/">blog</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_types">S3 Storage Lens</a> UnencryptedObjectCount and SSEKMSEnabledBucketCount)."
Updated: controls.S3.C64.description
From: "Implement an authorized default encryption key on each bucket; and enable S3 Bucket Key, if CloudTrail events are not required for KMS encrypt/decrypt (note: Amazon S3 evaluates and applies bucket policies before applying bucket default encryption settings)."
To:   "Implement an authorized default encryption key on each bucket; and enable S3 Bucket Key if not DSSE-KMS, if CloudTrail events are not required for KMS encrypt/decrypt (note: Amazon S3 evaluates and applies bucket policies before applying bucket default encryption settings)."
Updated: controls.S3.C68.description
From: "Monitor that only authorized KMS key(s) are used on each bucket (using CloudTrail S3 data events in <i>requestParameter.bucketName</i> and <i>response.x-amz-server-sIDe-encryption-AWS-kms-key-ID</i>)."
To:   "Monitor that only authorized KMS key(s) are used on each bucket (using CloudTrail S3 data events in "requestParameter.bucketName" and "response.x-amz-server-side-encryption-aws-kms-key-id")."
Updated: controls.S3.C96.description
From: "Maintain a list of authorized S3 buckets to receive S3 inventory of each bucket."
To:   "Maintain a list of authorized S3 buckets to receive S3 Inventory of each bucket."
Updated: controls.S3.C96.testing
From: "Request the list of authorized bucket(s) to receive S3 inventory of each bucket, its review process, and its review records."
To:   "Request the list of authorized bucket(s) to receive S3 Inventory of each bucket, its review process, and its review records."
Updated: controls.S3.C136.description
From: "Ensure only authorized S3 buckets are configured to receive S3 inventory for each bucket."
To:   "Ensure only authorized S3 buckets are configured to receive S3 Inventory for each bucket."
Updated: controls.S3.C136.testing
From: "Request 1) the mechanism ensuring only authorized S3 buckets are configured to receive S3 inventory for each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets."
To:   "Request 1) the mechanism ensuring only authorized S3 buckets are configured to receive S3 Inventory for each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets."
Updated: controls.S3.C146.description
From: "For buckets (or paths) requiring SSE-C, block PutObject requests with unauthorized encryption (e.g. using an S3 bucket policy deny statement on PutObject if the condition "s3:x-amz-server-side-encryption-customer-algorithm"="AES265" is not present)."
To:   "For buckets (or paths) requiring SSE-C, block PutObject requests with unauthorized encryption (e.g. using an S3 bucket policy deny statement on PutObject if the condition "s3:x-amz-server-side-encryption-customer-algorithm"="AES256" is not present)."
Updated: controls.S3.C154.description
From: "Verify bucket ACL and object ACL are disabled on each bucket (e.g. using the AWS Config rule <a href="https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html">S3_BUCKET_ACL_PROHIBITED</a> for bucket ACL, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html">S3 Storage Lens</a> ObjectOwnershipBucketOwnerEnforcedBucketCount)."
To:   "Verify bucket ACL and object ACL are disabled on each bucket (e.g. using the AWS Config rule <a href="https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html">S3_BUCKET_ACL_PROHIBITED</a> for bucket ACL, <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html">S3 Storage Lens</a> ObjectOwnershipBucketOwnerEnforcedBucketCount, or S3 Inventory which include object ACL metadata)."
============================
Assets 2
Loading