Benchmark: S3
Description
This section contains recommendations for configuring S3 resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select S3.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_s3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_s3 --share
Controls
- S3 access points should have block public access settings enabled
- S3 bucket access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should enforce SSL
- S3 buckets should have event notifications enabled
- S3 buckets should have lifecycle policies configured
- S3 bucket logging should be enabled
- Ensure MFA Delete is enabled on S3 buckets
- S3 bucket ACLs should not be accessible to all authenticated users
- S3 bucket object lock should be enabled
- S3 bucket object logging should be enabled
- S3 bucket policy should prohibit public access
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted
- Ensure all data in AWS S3 has been discovered, classified and secured when required
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket static website hosting should be disabled
- S3 buckets with versioning enabled should have lifecycle policies configured
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- S3 public access should be blocked at account and bucket levels
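Each control above is backed by a Steampipe SQL query that returns one row per resource with a status of ok, alarm, info, skip or error. The query below is an added illustration of that shape for the last control in the list ("S3 public access should be blocked at account and bucket levels"); it is not the mod's own query. It assumes the Steampipe AWS plugin tables aws_s3_bucket and aws_s3_account_settings with their four public-access-block columns (block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), and treats a bucket as compliant when every one of the four settings is on either at the bucket or at the account level, since the account-level setting overrides a missing bucket-level one.

```sql
-- Added example: evaluate S3 public access block at account and bucket level.
-- Assumes Steampipe tables aws_s3_bucket (b) and aws_s3_account_settings (s).
select
  b.arn as resource,
  case
    when (b.block_public_acls        or coalesce(s.block_public_acls, false))
     and (b.block_public_policy      or coalesce(s.block_public_policy, false))
     and (b.ignore_public_acls       or coalesce(s.ignore_public_acls, false))
     and (b.restrict_public_buckets  or coalesce(s.restrict_public_buckets, false))
    then 'ok'
    else 'alarm'
  end as status,
  case
    when (b.block_public_acls        or coalesce(s.block_public_acls, false))
     and (b.block_public_policy      or coalesce(s.block_public_policy, false))
     and (b.ignore_public_acls       or coalesce(s.ignore_public_acls, false))
     and (b.restrict_public_buckets  or coalesce(s.restrict_public_buckets, false))
    then b.name || ' blocks public access at account or bucket level.'
    else b.name || ' does not block public access at account or bucket level.'
  end as reason,
  -- Dimensions shown beside each result in the Powerpipe dashboard.
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join aws_s3_account_settings as s on s.account_id = b.account_id;
```

Run it from `steampipe query` to see which buckets would raise an alarm before running the full benchmark; the coalesce calls keep a bucket from being marked ok just because the account-level row is missing.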