Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Security hub showing Critical S3 Read - Bucket has no public access - but public Is blocked!

0

Good morning all, I am starting to lock down more of our account for obvious reasons, and as the subject states, security hub is showing a bunch of S3 buckets as Critical. The Title is "PCI.S3.2 S3 buckets should prohibit public read access" and "Updated at" an hour ago (all the security changes and such were done last week on Wednesday).

From the S3 console I see; Block all public access On

The Bucket Policy looks like this (only allowing CloudFront)

    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxx:distribution/distributionID"
                }
            }
        }
    ]
}

I have this on all the buckets that were changed and updated last week, so not sure what step(s) to take next to have these removed.

Themen
SpeicherSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceSicherheit, Identität & KonformitätAWS Sicherheits-Hub
Sprache
English
lraymond
gefragt vor 3 Monaten167 Aufrufe
2 Antworten
0

Just a stab. Is there a typo in the ARN, missing the slash?

"Resource": "arn:aws:s3:::my-bucket*",

Should be:

"Resource": "arn:aws:s3:::my-bucket/*",
profile pictureAWS
EXPERTE
kentrad
beantwortet vor 3 Monaten
0

Thanks,

That full policy is actually a copy/paste when you lock it down in CloudFront. There is a simple button that says to copy the policy, and I did check and that is correct under resource;

            "Resource": "arn:aws:s3:::mybucket/*",

I may have messed up when I renamed to post, but good thought. I have 4 identical buckets, I marked 2 as resolved and they are no longer showing in the security hub listing, but the other 2 still show (and say last seen an hour ago), so I am wondering if I really just need to mark them (that would be terrible), but going to test that now.

Will advise

lraymond
beantwortet vor 3 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt