Quick Start Security for Amazon S3
Thank you!
We got your information.
Coralogix Extension For Amazon S3 Includes:
Alerts - 19
Stay on top of Amazon S3 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Bucket Encryption Has Been Deleted
This rule monitors if the default encryption has been disabled. Impact Disabling encryption is not advised and could be a first step before replicating and exfiltrating data by an adversary. Mitigation Check why bucket encryption has been deleted and verify this was an authorized action. Revert and fhurter investigate if not.
Public Access Block Has Been Deleted
This rule monitors for the removal of the PublicAccessBlock configuration for an Amazon S3 bucket. Impact Removing the public access block configuration exposes the bucket to the internet. This can lead to data leakage and information disclosure. Mitigation Check why did public access block was deleted and if the action was authorized, revert and further investigate if not.
Public Access Block Has Been Created/Modified
This rule monitors for the creation or modification of the PublicAccessBlock configuration for an Amazon S3 bucket. Impact Changing the public access block configuration can potenially expose the bucket to the internet or block it - depending on the configuration. This can lead to data leakage and information disclosure or blocking a bucket from serving dependent services that rely on him (as websites). Mitigation Check why did public access block was changed and if the action was authorized, revert and further investigate if not.
A Bucket Has Been Deleted
This rule monitors for the deletion of an S3 bucket. Impact Deletion of a bucket should be verified as it could lead to data loss of it was unintened or malicous activity Mitigation Verify that the deletion was authorized and investigate further if not.
Access Logging Has Been Disabled
The AWS alert indicates that access logging for an Amazon S3 bucket has been disabled. This can hinder visibility into who accessed the bucket and actions taken, potentially impacting security monitoring and compliance efforts. Impact Loss of Visibility: Disabling access logging obscures crucial information about bucket access, hindering incident response and forensic analysis. Compliance Risk: Lack of access logs might lead to non-compliance with regulatory requirements, as audit trails are compromised. Mitigation Enable Access Logging: Re-enable access logging to maintain visibility into bucket activity. Regular Audits: Perform routine checks to ensure access logging remains enabled and functional. Review Policies: Confirm bucket policies and permissions to prevent unauthorized changes.
Public Access Block Has Been Removed
The AWS alert indicates that the public access block on an Amazon S3 bucket has been removed. This change might expose the bucket and its contents to unauthorized access and potential security risks. Impact Unintended Access: Removal of the public access block could allow unauthorized users to access, modify, or delete bucket content. Data Exposure: Sensitive data stored in the bucket could be exposed to the public, leading to privacy breaches. Mitigation Reinstate Public Access Block: Reapply the public access block to restrict unauthorized access. Review Permissions: Audit bucket policies, IAM permissions, and other access controls to ensure proper configuration.
Bucket Policy Has Been Made Public
S3 is Amazon's storage service that can store and retrieve any amount of data at any time, from anywhere. the storage is private by default, any change in privacy settings should be viewed and examined for identifying unknown or unauthorized activity. Impact An open S3 bucket is one of the most popular misconfiguration in AWS that usually exposed confidential data to the world. Many attackers scan automatically for open S3 buckets so the time to compromise is relatively quick. Mitigation Remove public access to the bucket. Investigate if it was a misconfiguration or attacker activity.
Bucket Replication Has Been Created/Modified
This alert detects the creation of a replication configuration or the replacement of an existing one. Impact Bucket replication should be inspected and verified and it could be an adversary move to exfiltrate data. Mitigation Verify the the action was authorized and further investgitae if not.
Bucket CORS Has Been Created/Modified
This rule detects setting the CORS configuration for a bucket. Impact CORS (Cross-origin resource sharing) can allow access to your bucket from different locations. If performed by an attacker or misconfigured it could lead to data exposure and loss. Mitigation Verify the configuration change and make sure it was authorized. If not, further investigate the user performing the change and revert changes if needed.
Bucket ACL Has Been Configured
This rule detects setting the permissions on an existing bucket using access control lists. Impact Changes to ACLs should be inspected as it could allow or deny access to a bucket which can be malicious depending on the user performing the action and on the action taken. Mitigation Review the ACLs changes and decide if they are legitimate and authorized, investigate further if not.
Bucket Replication Has Been Deleted
This rule detects the deletion of the replication configuration from the bucket. Impact The removal of a replication policy can be an attacker move if he intends to delete the bucket data. Mitigation Verify the the removal of the policy was legitimate and revert and further investigate if not.
Bucket Policy Has Been Deleted
This rule detects the deletion of the policy of the specified bucket. Impact Depending on the policy deleted, this could have an adverse effect on the bucket data and should be reviewed. Mitigation Review the deleted policy and verify that the deletion was authorized, revert and further investigate if not
Bucket Lifecycle Has Been Deleted
This rule detects the deletion of the lifecycle configuration from the specified bucket. Impact Lifecycle policy can has different effects on a bucket as faster deletion of objects due to a short retention policy or filling up a bucket quota due to removal of a lifecycle policy. It is advise to verify that policy deleted was authorized and not a misconfiguration. Mitigation Review the removed policy and decide if it was legitimate, investigate further if not.
Bucket Has Been Configured As A Website
An S3 bucket was configured as a website. Impact An S3 bucket can be used as a simple internet-facing website, this action needs to be verified as it could be a misconfiguration or an attacker action to expose a bucket to the internet for C2 communication or data exfiltration. Mitigation Verify the the action was legitimate and authorized, revert changes and further investigate if not.
Bucket Lifecycle Policy Has Been Created/Modified
This alert checks for changes in bucket policy such as adding and modifying policies. Impact Monitoring changes to S3 bucket policies may reduce the time to detect and correct permissive policies on sensitive S3 buckets. Depending on the initiating user and his intentions, this could also be considered a malicious activity. Mitigation Review the changes made and decide if they are too permissive, verify with the user that the action was legitimate, and investigate further if needed. MITRE Tactic: TA0003 MITRE Technique: T1098
Bucket Versioning Disabled
This alert detects when the S3 bucket versioning is disabled. Bucket versioning is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover easily from both unintended user actions and application failures. Impact A threat actor can disable versioning on an S3 bucket to prevent the bucket owner to restore the deleted data from the S3 bucket. Mitigation Check if the user is aware of this action and if it is legitimate. If not, revert the action and investigate further for any suspicious activities in the network. Mitre Tactic: TA0005 Mitre Technique: T1562
Bucket CORS Has Been Deleted
This rule detects deletion of the CORS configuration for a bucket. Impact CORS (Cross-origin resource sharing) can allow access to your bucket from different locations. If performed by an attacker or misconfigured it could lead to data exposure and loss. Mitigation Verify the configuration change and make sure it was authorized. If not, further investigate the user performing the change and revert changes if needed.
MFA Delete Feature Disabled
This rule monitors when the MFA delete feature has been disabled for an AWS S3 bucket.nMFA delete can help prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code. Adding an extra layer of friction and security to the delete action. Impact Disabling the MFA delete feature exposes the bucket and its content, This can lead to adverse reaction and expose the S3 buckets data to unauthorized or accidental deletion actions Mitigation Check why this feature has been disabled and if the change was authorized, revert the changes or investigate further if needed.
Bucket Policy Allows Users To Modify ACL
This alert indicates that the bucket policy of an Amazon S3 (Simple Storage Service) bucket allows users to modify the bucket ACL. Such a situation poses a significant security risk, as it can lead to unauthorized data manipulation, data loss, or breaches of confidentiality. Impact: Unauthorized content modification due to misconfigured S3 bucket policy risks data integrity, loss, and breaches. Mitigation: - Revise policies for proper access control. - Apply least privilege principle. - Enable versioning and robust monitoring. - Conduct regular security audits. - Provide security training and awareness.
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon S3 in our documentation.