Security Hub showing Critical S3 Read - Bucket has no public access - but public is blocked!

0

Good morning all, I am starting to lock down more of our account for obvious reasons, and as the subject states, Security Hub is showing a bunch of S3 buckets as Critical. The title is "PCI.S3.2 S3 buckets should prohibit public read access" and "Updated at" an hour ago (all the security changes and such were done last week on Wednesday).

From the S3 console I see: Block all public access: On

The Bucket Policy looks like this (only allowing CloudFront)

    {
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxx:distribution/distributionID"
                }
            }
        }
    ]
    }

I have this on all the buckets that were changed and updated last week, so not sure what step(s) to take next to have these removed.
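The posted policy grants `s3:GetObject` only to the CloudFront service principal and only when `AWS:SourceArn` matches one distribution, so it does not contain a public read grant. The script below is an added example (not from the original post and not Security Hub's own evaluator): a small linter you can run over a bucket policy document, for instance the JSON returned by `get-bucket-policy`, to see whether any statement allows a read action to the anonymous principal. It also includes a helper that shows which ARNs a `Resource` pattern actually matches. The sample policies, account id and distribution id inside it are constructed placeholders, and the public/private classification deliberately treats any `Condition` block as restricting the grant, which is a simplification of how AWS evaluates "public".

```python
import json
import re

# S3 read actions whose grant to everyone would count as "public read".
# Lower-cased for comparison; a simplified list, not Security Hub's exact one.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM allows scalar-or-list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def statement_grants_public_read(stmt):
    """An Allow to everyone for a read action with no Condition at all.

    Simplification (assumption of this example): any Condition block is treated
    as restricting the grant. AWS's real evaluation looks at the specific
    condition keys and values, so treat a hit here as "review this statement".
    """
    if stmt.get("Effect") != "Allow":
        return False
    if not principal_is_public(stmt.get("Principal")):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & READ_ACTIONS:
        return False
    return "Condition" not in stmt


def public_read_findings(policy):
    """Return the Sids (or positions) of statements that grant public read."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if statement_grants_public_read(stmt):
            findings.append(stmt.get("Sid", "statement-%d" % i))
    return findings


def arn_pattern_matches(pattern, arn):
    """IAM resource wildcards: '*' matches any run of characters (including '/'),
    '?' matches exactly one character. Returns True if the pattern covers the ARN."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None


# Constructed sample with the shape of the policy in the question: CloudFront
# service principal, restricted by the distribution's ARN (placeholder ids).
CLOUDFRONT_ONLY = {
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111111111111:distribution/EXAMPLEID"
        }},
    }],
}

# Constructed sample of a genuinely public bucket policy, for contrast.
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("cloudfront-only", CLOUDFRONT_ONLY), ("public-read", PUBLIC_READ)):
        print(name, "->", public_read_findings(policy) or "no public read grant")
    for pattern in ("arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket*", "arn:aws:s3:::my-bucket"):
        print(pattern, "covers objects:", arn_pattern_matches(pattern, "arn:aws:s3:::my-bucket/index.html"))
```

Run it as-is to see the two sample classifications, or replace `CLOUDFRONT_ONLY` with the `Policy` string from your own bucket. The ARN helper shows that both `my-bucket/*` and `my-bucket*` cover object ARNs, while a bare `my-bucket` resource covers only the bucket itself; the trailing-`*` form without a slash additionally matches any other bucket whose name starts with `my-bucket`, which is worth knowing when reviewing a policy's scope.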

2 Answers
0

Just a stab. Is there a typo in the ARN, missing the slash?

"Resource": "arn:aws:s3:::my-bucket*",

Should be:

"Resource": "arn:aws:s3:::my-bucket/*",
AWS EXPERT
kentrad
answered 3 months ago
0

Thanks,

That full policy is actually a copy/paste when you lock it down in CloudFront. There is a simple button that says to copy the policy, and I did check and that is correct under resource:

            "Resource": "arn:aws:s3:::mybucket/*",

I may have messed up when I renamed to post, but good thought. I have 4 identical buckets, I marked 2 as resolved and they are no longer showing in the security hub listing, but the other 2 still show (and say last seen an hour ago), so I am wondering if I really just need to mark them (that would be terrible), but going to test that now.

Will advise

answered 3 months ago
