Amazon Simple Storage Service controls
These controls are related to Amazon S3 resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[S3.1] S3 Block Public Access setting should be enabled
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, CIS AWS Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Medium
Resource type: AWS::::Account
AWS Config rule: s3-account-level-public-access-blocks-periodic
Schedule type: Periodic
Parameters:
- ignorePublicAcls: true
- blockPublicPolicy: true
- blockPublicAcls: true
- restrictPublicBuckets: true
This control checks whether the preceding Amazon S3 public access block settings are configured at the account level. The control fails if any of these settings is set to false, or if any of the settings is not configured.
Amazon S3 public access block is designed to provide controls across an entire AWS account or at the individual S3 bucket level to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets be publicly accessible, you should configure the account level Amazon S3 Block Public Access feature.
To learn more, see Using Amazon S3 Block Public Access in the Amazon Simple Storage Service User Guide.
Remediation
To enable Amazon S3 Block Public Access for your AWS account, see Configuring block public access settings for your account in the Amazon Simple Storage Service User Guide.
[S3.2] S3 buckets should prohibit public read access
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-public-read-prohibited
Schedule type: Periodic and change triggered
Parameters: None
This control checks whether your S3 buckets allow public read access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if an Amazon S3 bucket permits public read access.
Some use cases may require that everyone on the internet be able to read from your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly readable.
Remediation
To block public read access on your Amazon S3 buckets, see Configuring block public access settings for your S3 buckets in the Amazon Simple Storage Service User Guide.
[S3.3] S3 buckets should prohibit public write access
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-public-write-prohibited
Schedule type: Periodic and change triggered
Parameters: None
This control checks whether your S3 buckets allow public write access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if an Amazon S3 bucket permits public write access.
Some use cases require that everyone on the internet be able to write to your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly writable.
Remediation
To block public write access on your Amazon S3 buckets, see Configuring block public access settings for your S3 buckets in the Amazon Simple Storage Service User Guide.
[S3.4] S3 buckets should have server-side encryption enabled
Important
Security Hub will remove this control in September 2023. For more information, see Change log for Security Hub controls.
Related requirements: PCI DSS v3.2.1/3.4, CIS AWS Foundations Benchmark v1.4.0/2.1.1, NIST.800-53.r5 AU-9, NIST.800-53.r5 AU-9(2), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-server-side-encryption-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon S3 bucket either has server-side encryption (SSE-S3, SSE-KMS, or DSSE-KMS) enabled or has a bucket policy that explicitly denies PutObject requests without server-side encryption.
For an added layer of security for sensitive data in S3 buckets, you should configure your buckets with server-side encryption to protect your data at rest. Amazon S3 encrypts each object in the bucket with a unique key. As an additional safeguard, Amazon S3 encrypts the key itself with a root key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256). Unless you specify otherwise, S3 buckets use Amazon S3 managed keys (SSE-S3) by default for server-side encryption. For added control, such as managing key rotation and access policy grants, you can choose to use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or dual-layer server side encryption with AWS KMS keys (DSSE-KMS).
Remediation
Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. You can elect to use server-side encryption with AWS KMS keys (SSE-KMS), or dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). For instructions on electing one of these options, see Configuring default encryption in the Amazon Simple Storage Service User Guide.
[S3.5] S3 buckets should require requests to use Secure Socket Layer
Related requirements: PCI DSS v3.2.1/4.1, CIS AWS Foundations Benchmark v1.4.0/2.1.2, NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)
Category: Protect > Secure access management
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-ssl-requests-only
Schedule type: Change triggered
Parameters: None
This control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
S3 buckets should have policies that require all requests (Action: s3:*) to accept transmission of data only over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport.
Remediation
To update an Amazon S3 bucket policy to deny nonsecure transport, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.
Add a policy statement similar to the one in the following policy. Replace awsexamplebucket with the name of the bucket you're modifying.
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket",
        "arn:aws:s3:::awsexamplebucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
For more information, see the Knowledge Center article What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?
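As an added illustration (not code from the Security Hub or Amazon S3 documentation), the following Python function applies the S3.5 criteria to a bucket policy document: a Deny statement for every principal, covering s3:* on both the bucket ARN and the object ARN, conditioned on aws:SecureTransport being false. It is a simplified offline check, not the AWS Config rule itself; the second policy is a constructed weak variant that covers only objects.

```python
import json

# Bucket policy from the S3.5 remediation above (the control's "good" case).
GOOD_POLICY = """{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowSSLRequestsOnly",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    "Principal": "*"
  }]
}"""

# Constructed weak variant: only the object ARN is covered, so plaintext
# requests against the bucket itself (for example ListBucket) are not denied.
OBJECTS_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureObjectAccess",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Effect": "Deny",
    "Resource": "arn:aws:s3:::awsexamplebucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": false}},
    "Principal": "*"
  }]
}"""


def _as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt, bucket):
    """True if this one statement denies everyone every S3 action on the bucket
    and its objects whenever aws:SecureTransport is false. Resource ARNs must
    be listed literally; wildcard ARNs are not expanded by this check."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if "s3:*" not in _as_list(stmt.get("Action")):
        return False
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    if not needed.issubset(_as_list(stmt.get("Resource"))):
        return False
    flags = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
    # The value may be written as the string "false" or as a JSON boolean.
    return any(str(v).lower() == "false" for v in flags)


def requires_ssl(policy_json, bucket):
    """Return True if the bucket policy satisfies S3.5 for the named bucket."""
    policy = json.loads(policy_json)
    return any(_denies_insecure_transport(s, bucket) for s in _as_list(policy.get("Statement")))


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("objects-only", OBJECTS_ONLY_POLICY)):
        print(name, "PASSED" if requires_ssl(doc, "awsexamplebucket") else "FAILED")
```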
[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2
Category: Protect > Secure access management > Sensitive API operations actions restricted
Severity: High
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-blacklisted-actions-prohibited
Schedule type: Change triggered
Parameters:
- blacklistedactionpatterns: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl
This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. The control fails if the S3 bucket policy allows one or more of the preceding actions for a principal in another AWS account.
Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker.
The blacklistedactionpatterns parameter determines which grants cause the rule to fail: a bucket policy that grants external accounts only action patterns that are not included in the blacklistedactionpatterns list still evaluates successfully.
Remediation
To update an Amazon S3 bucket policy to remove permissions, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.
On the Edit bucket policy page, in the policy editing text box, take one of the following actions:
- Remove the statements that grant other AWS accounts access to denied actions.
- Remove the permitted denied actions from the statements.
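As an added example (not code from the Security Hub documentation or the AWS Config rule), the following Python check applies the S3.6 logic offline: it walks a bucket policy's Allow statements, resolves the account behind each AWS principal, and reports any blacklistedactionpatterns action granted to a principal outside the bucket owner's account. The sample policy, the account IDs and the bucket name are constructed; Conditions, NotAction and NotPrincipal are deliberately not evaluated.

```python
import fnmatch
import json
import re

# Action patterns from the blacklistedactionpatterns parameter of S3.6.
BLACKLISTED_ACTIONS = (
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:PutObjectAcl",
)

# Constructed bucket policy for owner account 123456789012 (not a real policy).
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::awsexamplebucket/*"},
    {"Sid": "PartnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/deploy"]},
     "Action": "s3:*", "Resource": "arn:aws:s3:::awsexamplebucket"},
    {"Sid": "OwnerPolicyMgmt", "Effect": "Allow",
     "Principal": {"AWS": "123456789012"},
     "Action": ["s3:PutBucketPolicy"], "Resource": "arn:aws:s3:::awsexamplebucket"}
  ]
}"""


def _as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Yield the account IDs a Principal element names: "*" for everyone, bare
    12-digit IDs, or the account inside an IAM ARN (root, user, role).
    Service and Federated principals are not AWS accounts and are skipped."""
    if principal == "*":
        yield "*"
    elif isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS")):
            if entry == "*" or re.fullmatch(r"\d{12}", entry):
                yield entry
            elif m := re.match(r"^arn:aws:iam::(\d{12}):", entry):
                yield m.group(1)


def blacklisted_matches(action):
    """Blacklisted actions covered by one policy action. The policy action is the
    wildcard pattern (s3:*, s3:Put*); IAM matches action names case-insensitively."""
    return [a for a in BLACKLISTED_ACTIONS if fnmatch.fnmatchcase(a.lower(), action.lower())]


def external_blacklisted_grants(policy_json, own_account):
    """Return (Sid, account, action) for each Allow statement that grants a
    blacklisted action to a principal outside own_account (conditions ignored)."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for account in _principal_accounts(stmt.get("Principal")):
            if account == own_account:
                continue
            for action in _as_list(stmt.get("Action")):
                hits.extend((stmt.get("Sid"), account, a) for a in blacklisted_matches(action))
    return hits
```

Each returned triple is one grant that would make the control fail; an empty list means the policy passes.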
[S3.7] S3 buckets should have cross-Region replication enabled
Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-36(2), NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Protect > Secure access management
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-replication-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon S3 bucket has cross-Region replication enabled. The control fails if an S3 bucket doesn't have cross-Region replication enabled.
Replication is the automatic, asynchronous copying of objects across buckets in the same or different AWS Regions. Replication copies newly created objects and object updates from a source bucket to a destination bucket or buckets. AWS best practices recommend replication for source and destination buckets that are owned by the same AWS account. In addition to availability, you should consider other systems hardening settings.
Remediation
To enable Amazon S3 bucket replication, see Configuring replication for source and destination buckets owned by the same account in the Amazon Simple Storage Service User Guide. For Source bucket, choose Apply to all objects in the bucket.
[S3.8] S3 Block Public Access setting should be enabled at the bucket-level
Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure access management > Access control
Severity: High
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-level-public-access-prohibited
Schedule type: Change triggered
Parameters:
- excludedPublicBuckets (Optional): A comma-separated list of known allowed public S3 bucket names
This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails if any of the following settings are set to false:
- ignorePublicAcls
- blockPublicPolicy
- blockPublicAcls
- restrictPublicBuckets
Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.
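Controls S3.1 and S3.8 evaluate the same four Block Public Access settings, at the account level and the bucket level respectively. As an added example (not code from the Security Hub documentation), the following Python approximation applies both: it takes configurations in the shape of the S3 API's PublicAccessBlockConfiguration, treats a missing setting as a failure (stated by S3.1; assumed here for S3.8 as well), and honours S3.8's comma-separated excludedPublicBuckets parameter. The account data and bucket names are constructed.

```python
import json

# The four settings S3.1 (account level) and S3.8 (bucket level) require.
# Key names follow the PublicAccessBlockConfiguration element of the S3 API.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def public_access_block_findings(config):
    """Return the names of settings that are false or missing.

    config is a PublicAccessBlockConfiguration dict for an account or a bucket,
    or None when no configuration exists at all. An empty list means the
    resource passes. A setting that is absent counts as a failure, as S3.1
    states for the account level (assumed here for the bucket level too).
    """
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]


def evaluate_account(config):
    """S3.1: pass only if all four account-level settings are true."""
    return "FAILED" if public_access_block_findings(config) else "PASSED"


def evaluate_bucket(bucket_name, config, excluded_public_buckets=""):
    """S3.8: the same four settings per bucket, except that buckets named in the
    comma-separated excludedPublicBuckets parameter are deliberately public."""
    excluded = {b.strip() for b in excluded_public_buckets.split(",") if b.strip()}
    if bucket_name in excluded:
        return "PASSED"
    return "FAILED" if public_access_block_findings(config) else "PASSED"


# Constructed sample inputs (not real account data).
ACCOUNT_CONFIG = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,  # one setting left false: the account fails
}
BUCKETS = {
    "internal-reports": {name: True for name in REQUIRED_SETTINGS},
    "legacy-uploads": {"BlockPublicAcls": True},  # three settings never configured
    "www-static-site": None,  # no bucket-level block at all, but a known public bucket
}
EXCLUDED_PUBLIC_BUCKETS = "www-static-site, docs-public-mirror"


def report():
    """Evaluate the account and every constructed bucket; return {resource: status}."""
    results = {"account": evaluate_account(ACCOUNT_CONFIG)}
    for name, cfg in BUCKETS.items():
        results[name] = evaluate_bucket(name, cfg, EXCLUDED_PUBLIC_BUCKETS)
    return results


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```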
Remediation
For information on how to remove public access at a bucket level, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.
[S3.9] S3 bucket server access logging should be enabled
Related requirements: NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-logging-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether server access logging is enabled for S3 buckets. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration. This control passes if server access logging is enabled. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.
Server access logging provides detailed records of requests made to a bucket. Server access logs can assist in security and access audits. For more information, see Security Best Practices for Amazon S3: Enable Amazon S3 server access logging.
Remediation
To enable Amazon S3 server access logging, see Enabling Amazon S3 server access logging in the Amazon S3 User Guide.
[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-version-lifecycle-policy-check
Schedule type: Change triggered
Parameters: None
This control checks whether versioning-enabled Amazon Simple Storage Service (Amazon S3) buckets have a lifecycle policy configured. This rule fails if no Amazon S3 lifecycle policy is enabled.
It is recommended to configure lifecycle rules on your Amazon S3 bucket as these rules help you define actions that you want Amazon S3 to take during an object's lifetime.
Remediation
For more information on configuring lifecycle on an Amazon S3 bucket, see Setting lifecycle configuration on a bucket and Managing your storage lifecycle.
[S3.11] S3 buckets should have event notifications enabled
Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(4)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-event-notifications-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether S3 Event Notifications are enabled on an Amazon S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket.
By enabling Event Notifications, you receive alerts on your Amazon S3 buckets when specific events occur. For example, you can be notified of object creation, object removal, and object restoration. These notifications can alert relevant teams to accidental or intentional modifications that may lead to unauthorized data access.
Remediation
For information about detecting changes to S3 buckets and objects, see Amazon S3 Event Notifications in the Amazon S3 User Guide.
[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets
Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6
Category: Protect > Secure access management > Access control
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-acl-prohibited
Schedule type: Change triggered
Parameters: None
This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.
ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.
Remediation
To pass this control, you should disable ACLs for your S3 buckets. For instructions, see Controlling ownership of objects and disabling ACLs for your bucket in the Amazon Simple Storage Service User Guide.
To create an S3 bucket policy, see Adding a bucket policy by using the Amazon S3 console. To create an IAM user policy on an S3 bucket, see Controlling access to a bucket with user policies.
[S3.13] S3 buckets should have lifecycle policies configured
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Protect > Data protection
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-lifecycle-policy-check
Schedule type: Change triggered
Parameters: None
This control checks if a lifecycle policy is configured for an Amazon S3 bucket. This control fails if a lifecycle policy is not configured for an S3 bucket.
Configuring lifecycle rules on your S3 bucket defines actions that you want S3 to take during an object's lifetime. For example, you can transition objects to another storage class, archive them, or delete them after a specified period of time.
Remediation
For information about configuring lifecycle policies on an Amazon S3 bucket, see Setting lifecycle configuration on a bucket and see Managing your storage lifecycle in the Amazon S3 User Guide.
[S3.14] S3 buckets should use versioning
Category: Protect > Data protection > Data deletion protection
Related requirements: NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Severity: Low
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-versioning-enabled
Schedule type: Change triggered
Parameters: None
This control checks if your Amazon S3 buckets use versioning. The control fails if versioning is suspended for an S3 bucket.
Versioning keeps multiple variants of an object in the same S3 bucket. You can use versioning to preserve, retrieve, and restore earlier versions of an object stored in your S3 bucket. Versioning helps you recover from both unintended user actions and application failures.
Tip
As the number of objects in a bucket increases because of versioning, you can set up lifecycle policies to automatically archive or delete versioned objects based on rules. For more information, see Amazon S3 Lifecycle Management for Versioned Objects.
Remediation
To use versioning on an S3 bucket, see Enabling versioning on buckets in the Amazon S3 User Guide.
[S3.15] S3 buckets should be configured to use Object Lock
Category: Protect > Data protection > Data deletion protection
Related requirements: NIST.800-53.r5 CP-6(2)
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-bucket-default-lock-enabled
Schedule type: Change triggered
Parameters: None
This control checks if an Amazon S3 bucket has been configured to use Object Lock. The control fails if the S3 bucket isn't configured to use Object Lock.
You can use S3 Object Lock to store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects in S3 buckets from being deleted or overwritten for a fixed amount of time or indefinitely. You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion.
Remediation
To configure Object Lock for a new S3 bucket, see Using S3 Object-Lock in the Amazon S3 User Guide.
After creating a bucket, you can't change its Object Lock configuration. To configure Object Lock for an existing bucket, contact AWS Support.
[S3.17] S3 buckets should be encrypted at rest with AWS KMS keys
Category: Protect > Data protection > Encryption of data at rest
Related requirements: NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6), NIST.800-53.r5 AU-9
Severity: Medium
Resource type: AWS::S3::Bucket
AWS Config rule: s3-default-encryption-kms
Schedule type: Change triggered
Parameters: None
This control checks if an Amazon S3 bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if an S3 bucket is encrypted with default encryption (SSE-S3).
Server-side encryption (SSE) is the encryption of data at its destination by the application or service that receives it. Unless you specify otherwise, S3 buckets use Amazon S3 managed keys (SSE-S3) by default for server-side encryption. However, for added control, you can choose to configure buckets to use server-side encryption with AWS KMS keys (SSE-KMS or DSSE-KMS) instead. Amazon S3 encrypts your data at the object level as it writes it to disks in AWS data centers and decrypts it for you when you access it.
Remediation
To encrypt an S3 bucket using SSE-KMS, see Specifying server-side encryption with AWS KMS (SSE-KMS) in the Amazon S3 User Guide. To encrypt an S3 bucket using DSSE-KMS, see Specifying dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) in the Amazon S3 User Guide.