AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon Simple Storage Service (S3)

Each entry below gives the guardrail identifier, the check itself, the rationale, the remediation, references, the policy type it applies to, and the IAM actions it covers.
IAM-S3-1
Guardrail: Check that the S3 VPC endpoint policy is scoped appropriately.
Rationale: A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify it. If you do not attach a policy when you create an endpoint, a default policy is attached for you that allows full access to the service. The endpoint policy is an opportunity to block unauthorized access: specify only the authorized permissions, and use condition keys to scope authorized access further.
Remediation: Scope the VPC endpoint policy, for example with a condition key such as aws:PrincipalOrgID so that only principals from your own organization can use the endpoint.
References:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid
Policy: VPC Endpoint Policy
IAM Actions: none listed
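A scoped S3 gateway endpoint policy of the kind this guardrail asks for, as an added example that is not part of the guardrails project. The bucket name example-data-bucket and the organization ID o-exampleorgid are placeholders. The default policy referred to above is the unscoped {"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}; this version keeps Principal "*" (endpoint policies require it) but allows only principals whose account belongs to the organization, and only the actions and buckets the VPC's workloads actually need:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyOrgPrincipalsToApprovedBuckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

Attach it with aws ec2 modify-vpc-endpoint --vpc-endpoint-id <id> --policy-document file://policy.json. Two things to keep in mind when testing: the endpoint policy grants nothing on its own, so the caller's identity policy and the bucket policy must still allow the request; and aws:PrincipalOrgID is absent for unauthenticated requests, so anything in the VPC that reads public buckets through the endpoint (Amazon Linux instances pulling from the regional package repositories hosted in S3, for example) will start failing unless you add those buckets explicitly.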
IAM-S3-2
Guardrail: Check that the ability to get sensitive or classified information in S3 objects is granted to authorized principals only.
Rationale: Access to sensitive data must be granted only to authorized principals. An unauthorized principal that is able to get S3 objects would be able to read sensitive data and violate security policy.
Remediation: Options include:
- Complete removal of s3:GetObject from unauthorized principals.
- Scoping with condition keys so that each principal can access only the S3 objects it is authorized for.
- Encrypting the S3 objects at rest with a customer managed AWS KMS key (CMK) for defense in depth. If the key policy prevents an unauthorized principal from decrypting the data, that principal cannot read it even if it is able to download the S3 object.
References:
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-GetObject
Policy: not specified
IAM Actions: s3:GetObject
IAM-S3-3
Guardrail: Check that frequently accessed data is stored in the appropriate S3 storage class.
Rationale: S3 provides storage classes that trade off retrieval time and cost. S3 Glacier incurs a first-byte retrieval delay on the order of minutes to hours. S3 One Zone-IA stores data in a single Availability Zone rather than across several. Sensitive data must be stored according to its availability and retrieval requirements.
Remediation: Use the condition key s3:x-amz-storage-class on s3:PutObject to restrict the storage classes permitted for specific S3 buckets.
References:
https://aws.amazon.com/s3/storage-classes/
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-s3_x-amz-storage-class
https://answers.amazon.com/questions/88994
Policy: not specified
IAM Actions: none listed
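A bucket policy statement that enforces this remediation, as an added example that is not from the guardrails project; the bucket name and the set of allowed classes are assumptions. It denies any PutObject that requests a storage class outside the allowed set. The Null condition is deliberate: a Deny whose only condition is StringNotEquals also matches when the key is absent from the request context, so the Null guard ensures that uploads which omit the x-amz-storage-class header (stored as STANDARD by default) are not rejected merely because the key is missing:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedStorageClasses",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-hot-data-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-storage-class": "false"
        },
        "StringNotEquals": {
          "s3:x-amz-storage-class": [
            "STANDARD",
            "INTELLIGENT_TIERING"
          ]
        }
      }
    }
  ]
}
```

With this in place, aws s3 cp file s3://example-hot-data-bucket/key --storage-class GLACIER returns AccessDenied while a plain upload succeeds. The statement only governs uploads: a lifecycle rule can still transition objects to Glacier or One Zone-IA without any PutObject, so restrict s3:PutLifecycleConfiguration on the same bucket (it is among the management actions in IAM-S3-4).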
IAM-S3-4
Guardrail: Check that management of your S3 buckets and objects is restricted to authorized principals.
Rationale: Management of your S3 buckets and objects must be performed only by your authorized principals. Protect against unauthorized modification of sensitive data in your S3 buckets by limiting these actions to your administrative principals.
References:
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-GetObject
Policy: not specified
IAM Actions:
s3:AbortMultipartUpload
s3:BypassGovernanceRetention
s3:CreateAccessPoint
s3:CreateBucket
s3:CreateJob
s3:DeleteAccessPoint
s3:DeleteAccessPointPolicy
s3:DeleteBucket
s3:DeleteBucketPolicy
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectTagging
s3:DeleteObjectVersion
s3:DeleteObjectVersionTagging
s3:ObjectOwnerOverrideToBucketOwner
s3:PutAccelerateConfiguration
s3:PutAccessPointPolicy
s3:PutAccountPublicAccessBlock
s3:PutAnalyticsConfiguration
s3:PutBucketAcl
s3:PutBucketCORS
s3:PutBucketLogging
s3:PutBucketNotification
s3:PutBucketObjectLockConfiguration
s3:PutBucketPolicy
s3:PutBucketPublicAccessBlock
s3:PutBucketRequestPayment
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutEncryptionConfiguration
s3:PutInventoryConfiguration
s3:PutLifecycleConfiguration
s3:PutMetricsConfiguration
s3:PutObject
s3:PutObjectAcl
s3:PutObjectLegalHold
s3:PutObjectRetention
s3:PutObjectTagging
s3:PutObjectVersionAcl
s3:PutObjectVersionTagging
s3:PutReplicationConfiguration
s3:ReplicateDelete
s3:ReplicateObject
s3:ReplicateTags
s3:RestoreObject
s3:UpdateJobPriority
s3:UpdateJobStatus
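A bucket policy that combines the remediations of IAM-S3-2 and IAM-S3-4, as an added example that is not from the guardrails project. The account ID 111122223333, the role names and the bucket name are placeholders. The first statement denies s3:GetObject under the classified/ prefix to every principal except the named reader and admin roles; the second denies a representative subset of the management actions listed above to everyone except the admin role. Both key on aws:PrincipalArn, which for a role session is the role ARN rather than the session ARN, and both are Deny statements, so they override any Allow in a principal's own identity policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadOfClassifiedObjectsExceptAuthorized",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-data-bucket/classified/*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/ClassifiedReader",
            "arn:aws:iam::111122223333:role/S3Admin"
          ]
        }
      }
    },
    {
      "Sid": "DenyBucketManagementExceptAdmin",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:DeleteObjectVersion",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/S3Admin"
        }
      }
    }
  ]
}
```

Because aws:PrincipalArn is absent for anonymous requests, ArnNotEquals evaluates to true for them and the Deny applies, which is the intended outcome. For the defense-in-depth option in IAM-S3-2, pair this with a customer managed KMS key whose key policy grants kms:Decrypt only to ClassifiedReader: a principal that obtains a copy of an object some other way still cannot recover the plaintext. Denying s3:PutBucketPolicy and s3:DeleteBucketPolicy to non-admins is a lockout risk if the admin role is ever deleted; the account root user can still delete a bucket policy even when the policy denies it, which is the documented recovery path.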