SEC03-BP07 Analyze public and cross-account access
Continually monitor findings that highlight public and cross-account access. Reduce public access and cross-account access to only the specific resources that require this access.
Desired outcome: Know which of your AWS resources are shared and with whom. Continually monitor and audit your shared resources to verify they are shared with only authorized principals.
Common anti-patterns:
-
Not keeping an inventory of shared resources.
-
Not following a process for approval of cross-account or public access to resources.
Level of risk exposed if this best practice is not established: Low
Implementation guidance
If your account is in AWS Organizations, you can grant access to resources to the entire organization, specific organizational units, or individual accounts. If your account is not a member of an organization, you can share resources with individual accounts. You can grant direct cross-account access using resource-based policies — for example, Amazon Simple Storage Service (Amazon S3) bucket policies — or by allowing a principal in another account to assume an IAM role in your account. When using resource policies, verify that access is only granted to authorized principals. Define a process to approve all resources which are required to be publicly available.
AWS Identity and Access Management Access AnalyzerPrincipalOrgId
condition key to deny an attempt to assume a role from outside your AWS Organizations
AWS Config can report resources that are misconfigured, and
through AWS Config policy checks, can detect resources that have
public access configured. Services such as
AWS Control Tower
Implementation steps
-
Consider using AWS Config for AWS Organizations: AWS Config allows you to aggregate findings from multiple accounts within an AWS Organizations to a delegated administrator account. This provides a comprehensive view, and allows you to deploy AWS Config Rules across accounts to detect publicly accessible resources.
-
Configure AWS Identity and Access Management Access Analyzer: IAM Access Analyzer helps you identify resources in your organization and accounts, such as Amazon S3 buckets or IAM roles that are shared with an external entity.
-
Use auto-remediation in AWS Config to respond to changes in public access configuration of Amazon S3 buckets: You can automatically turn on the block public access settings for Amazon S3 buckets
. -
Implement monitoring and alerting to identify if Amazon S3 buckets have become public: You must have monitoring and alerting
in place to identify when Amazon S3 Block Public Access is turned off, and if Amazon S3 buckets become public. Additionally, if you are using AWS Organizations, you can create a service control policy that prevents changes to Amazon S3 public access policies. AWS Trusted Advisor checks for Amazon S3 buckets that have open access permissions. Bucket permissions that grant, upload, or delete access to everyone create potential security issues by allowing anyone to add, modify, or remove items in a bucket. The Trusted Advisor check examines explicit bucket permissions and associated bucket policies that might override the bucket permissions. You also can use AWS Config to monitor your Amazon S3 buckets for public access. For more information, see How to Use AWS Config to Monitor for and Respond to Amazon S3 Buckets Allowing Public Access .
When reviewing access controls for Amazon S3 buckets, it is important to consider the nature of the data stored within them. Amazon Macie is a service designed to help you discover and protect sensitive data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and credentials like private keys or AWS access keys.
Resources
Related documents:
Related videos: