IAM-S3-AP-1 |
Check that the VPC mentioned in the S3-AccessEndpoint is valid VPC |
The Access Point cannot be edited once it has been created. If it has been created incorrectly, the only method is to delete the access point and create a new access point. |
Check the VPC value provided in the API call payload for creating access point is a valid VPC in the account specified. |
https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
|
s3:CreateAccessPoint
|
IAM-S3-AP-2 |
Block Public access to buckets and objects through access points |
The block public access setting of the Access point should not be open to public unless really justified by customer requirements. |
Check PublicAccessBlockConfiguration setting of access point is set to not allow public access. |
|
s3:CreateAccessPoint
|
IAM-S3-AP-3 |
Allow s3:GetObject and s3:PutObject on the S3 Access Points owned by the account. |
If a user has IAM policies or bucket policies which allow authorized users to interact with the bucket’s objects through access point, the s3:DataAccessPointAccount condition should be added to ensure only access points owned by the buckets are allowed to perform s3:GetObject and s3:PutObjects |
Add s3:DataAccessPointAccount condition to the bucket policy to deny all GetObject and PutObject actions to S3 Access point’s owner account |
https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html#access-points-policies
|
s3:DataAccessPointAccount
|
IAM-S3-AP-4 |
Limit access to the S3 bucket only through a specific S3 Access Point for the bucket |
Buckets which have specific access points enabled and do not have access pattern outside of access points. These buckets should have bucket policies which allow GetObject and PubObject only through the approved S3 Access Endpoints |
Add s3:DataAccessPointAccount condition to the bucket policy to deny all GetObject and PutObject actions to S3 Access point’s owner account |
https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html#access-points-policies
|
s3:DataAccessPointAccount
|
IAM-S3-AP-5 |
Limit access to the S3 bucket only to traffic originated from VPC and coming through S3 Access Points |
Buckets which have S3 access points enabled should have bucket policy which limits access to them only through traffic originating from Amazon VPCs. This additional control prevents misconfiguration of bucket access pattern. |
Add s3:AccessPointNetworkOrigin condition with VPC value to the bucket policy to deny all GetObject and PutObject actions to S3 Access point’s owner account |
https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html#access-points-policies
|
s3:AccessPointNetworkOrigin
|
IAM-S3-AP-6 |
Limit access to S3 bucket objects by restricting principals which have a common tag as the object |
Buckets which have S3 access points enabled should have S3 access point policy enabled which allows IAM principals to make call to the objects which are tagged with a particular value |
Add s3:ExistingObjectTag condition in the S3 Access Endpoint policy which has allows certain principals with the similar tags to get access to the objects |
https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html#access-points-policies
|
s3:GetObject
|