AWS prescriptive-guidance documentation change
Summary
Updated documentation to standardize terminology (e.g., 'S3' to 'Amazon S3'), restructured prerequisites section, clarified cross-Region aggregation note, and adjusted event handling steps. No functional changes to the security pattern itself.
Security assessment
The changes are editorial improvements to existing security documentation about monitoring public S3 buckets. While the topic is security-related, there is no evidence of addressing a specific vulnerability or incident. The updates enhance clarity but do not introduce new security controls or address newly discovered risks.
Diff
diff --git a/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md b/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md index d935ce857..dc0a3fe06 100644 --- a//prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md +++ b//prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md @@ -7 +7 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsTroubleshootingRelated -# Identify public S3 buckets in AWS Organizations using Security Hub +# Identify public Amazon S3 buckets in AWS Organizations by using Security Hub @@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsTroubleshootingRelated -This pattern shows you how to build a mechanism for identifying public Amazon Simple Storage Service (Amazon S3) buckets in your AWS Organizations accounts. The mechanism works by using controls from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) in AWS Security Hub to monitor S3 buckets. You can use Amazon EventBridge to process Security Hub [findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html), and then post these findings to an Amazon Simple Notification Service (Amazon SNS) topic. Stakeholders in your organization can subscribe to the topic and get immediate email notifications about the findings. +This pattern shows you how to build a mechanism for identifying public Amazon Simple Storage Service (Amazon S3) buckets in your AWS Organizations accounts. The mechanism works by using controls from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) in AWS Security Hub to monitor Amazon S3 buckets. You can use Amazon EventBridge to process Security Hub [findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html), and then post these findings to an Amazon Simple Notification Service (Amazon SNS) topic. Stakeholders in your organization can subscribe to the topic and get immediate email notifications about the findings. @@ -15 +15 @@ This pattern shows you how to build a mechanism for identifying public Amazon Si -New S3 buckets and their objects don't allow public access by default. You can use this pattern in scenarios where you must modify default Amazon S3 configurations based on your organization's requirements. For example, this could be a scenario where you have an S3 bucket that hosts a public-facing website or files that everyone on the internet must be able to read from your S3 bucket. +New Amazon S3 buckets and their objects don't allow public access by default. You can use this pattern in scenarios where you must modify default Amazon S3 configurations based on your organization's requirements. For example, this could be a scenario where you have an Amazon S3 bucket that hosts a public-facing website or files that everyone on the internet must be able to read from your Amazon S3 bucket. @@ -17 +17 @@ New S3 buckets and their objects don't allow public access by default. You can u -Security Hub is often deployed as a central service to consolidate all security findings, including those related to security standards and compliance requirements. There are other AWS services that you can use to detect public S3 buckets, but this pattern uses an existing Security Hub deployment with minimal configuration. +Security Hub is often deployed as a central service to consolidate all security findings, including those related to security standards and compliance requirements. There are other AWS services that you can use to detect public Amazon S3 buckets, but this pattern uses an existing Security Hub deployment with minimal configuration. @@ -25 +25 @@ Security Hub is often deployed as a central service to consolidate all security - * ###### Note + * Security Hub and AWS Config, enabled in the AWS Region that you want to monitor @@ -27,14 +27 @@ Security Hub is often deployed as a central service to consolidate all security -Security Hub and AWS Config, enabled in the AWS Region that you want to monitor (: You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html) in Security Hub if you want to monitor multiple Regions from a single aggregation Region.) - - * User permissions for accessing and updating the Security Hub administrator account, read access to all the S3 buckets in the organization, and permissions for turning off public access (if required) - - - - -## Architecture - -**Technology stack** - - * AWS Security Hub - - * Amazon EventBridge +###### Note @@ -42 +29 @@ Security Hub and AWS Config, enabled in the AWS Region that you want to monitor - * Amazon Simple Notification Service (Amazon SNS) +You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html) in Security Hub if you want to monitor multiple Regions from a single aggregation Region. @@ -44 +31 @@ Security Hub and AWS Config, enabled in the AWS Region that you want to monitor - * Amazon Simple Storage Service (Amazon S3) + * User permissions for accessing and updating the Security Hub administrator account, read access to all the Amazon S3 buckets in the organization, and permissions for turning off public access (if required) @@ -49 +36 @@ Security Hub and AWS Config, enabled in the AWS Region that you want to monitor -**Target architecture** +## Architecture @@ -51 +38 @@ Security Hub and AWS Config, enabled in the AWS Region that you want to monitor -The following diagram shows an architecture for using Security Hub to identify public S3 buckets. +The following diagram shows an architecture for using Security Hub to identify public Amazon S3 buckets. @@ -57 +44 @@ The diagram show the following workflow: - 1. Security Hub monitors the configuration of S3 buckets in all AWS Organizations accounts (including the administrator account) by using the S3.2 and S3.3 controls from the FSBP security standard, and detects a finding if a bucket is configured as public. + 1. Security Hub monitors the configuration of Amazon S3 buckets in all AWS Organizations accounts (including the administrator account) by using the S3.2 and S3.3 controls from the FSBP security standard, and detects a finding if a bucket is configured as public. @@ -65 +52 @@ The diagram show the following workflow: - 5. Rules use the event patterns to identify events and send them to an SNS topic once matched. + 5. Rules use the event patterns to identify events and send them to an Amazon SNS topic once matched. @@ -67 +54 @@ The diagram show the following workflow: - 6. An SNS topic sends the events to its subscribers (through email, for example). + 6. An Amazon SNS topic sends the events to its subscribers (through email, for example). @@ -69 +56 @@ The diagram show the following workflow: - 7. Security analysts designated to receive the email notifications review the S3 bucket in question. + 7. Security analysts designated to receive the email notifications review the Amazon S3 bucket in question. @@ -71 +58 @@ The diagram show the following workflow: - 8. If the bucket is approved for public access, the security analyst sets the workflow status of the corresponding finding in Security Hub to `SUPPRESSED`. Otherwise, the analyst sets the status to `NOTIFIED`. This eliminates future notifications for the S3 bucket and reduces notification noise. + 8. If the bucket is approved for public access, the security analyst sets the workflow status of the corresponding finding in Security Hub to `SUPPRESSED`. Otherwise, the analyst sets the status to `NOTIFIED`. This eliminates future notifications for the Amazon S3 bucket and reduces notification noise. @@ -84,3 +71 @@ The architecture diagram applies to both single Region and cross-Region aggregat -**AWS tools** - - * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services. EventBridge routes that data to targets such as SNS topics and AWS Lambda functions if the data matches user-defined rules. + * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services. EventBridge routes that data to targets such as Amazon SNS topics and AWS Lambda functions if the data matches user-defined rules. @@ -101,2 +86,2 @@ Task| Description| Skills required -Enable Security Hub in AWS Organizations accounts.| To enable Security Hub in the organization accounts where you want to monitor S3 buckets, see the guidelines from [Designating a Security Hub administrator account (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#:~:text=AWSSecurityHubOrganizationsAccess-,Designating%20a%20Security%20Hub%20administrator%20account%20\(console\),-The%20organization%20management) and [Managing member accounts that belong to an organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html) in the AWS Security Hub User Guide.| AWS administrator -(Optional) Enable cross-Region aggregation.| If you want to monitor S3 buckets in multiple Regions from a single Region, set up [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html).| AWS administrator +Enable Security Hub in AWS Organizations accounts.| To enable Security Hub in the organization accounts where you want to monitor Amazon S3 buckets, see the guidelines from [Designating a Security Hub administrator account (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#:~:text=AWSSecurityHubOrganizationsAccess-,Designating%20a%20Security%20Hub%20administrator%20account%20\(console\),-The%20organization%20management) and [Managing member accounts that belong to an organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html) in the Security Hub documentation.| AWS administrator +(Optional) Enable cross-Region aggregation.| If you want to monitor Amazon S3 buckets in multiple Regions from a single Region, set up [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html).| AWS administrator @@ -105,2 +90,2 @@ Enable the S3.2 and S3.3 controls for the FSBP security standard.| You must enab - 1. To enable S3.2 controls, follow the instructions from [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2) in the AWS Security Hub User Guide. - 2. To enable S3.3 controls, follow the instructions from [[3] S3 buckets should prohibit public write access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3) in the AWS Security Hub User Guide. + 1. To enable S3.2 controls, follow the instructions from [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2) in the Security Hub documentation. + 2. To enable S3.3 controls, follow the instructions from [[3] S3 buckets should prohibit public write access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3) in the Security Hub documentation. @@ -112 +97 @@ Task| Description| Skills required -Configure the SNS topic and email subscription.| +Configure the Amazon SNS topic and email subscription.| @@ -155,4 +137,2 @@ Configure the EventBridge rule.| -Then, do the following: - - 1. On the **Select target(s)** page, for **Select a target** , select **SNS topic** as the target, and then select the topic that you created earlier. - 2. Choose **Next** , choose **Next** again, and then choose **Create rule**. + 6. On the **Select target(s)** page, for **Select a target** , select **SNS topic** as the target, and then select the topic that you created earlier. + 7. Choose **Next** , choose **Next** again, and then choose **Create rule**. @@ -166 +146 @@ Issue| Solution -I have an S3 bucket with public access enabled, but I'm not getting email notifications for it.| This could be because the bucket was created in another Region and cross-Region aggregation is not enabled in the Security Hub administrator account. To resolve this issue, enable cross-Region aggregation or implement this pattern's solution in the Region where your S3 bucket currently resides. +I have an Amazon S3 bucket with public access enabled, but I'm not getting email notifications for it.| This could be because the bucket was created in another Region and cross-Region aggregation is not enabled in the Security Hub administrator account. To resolve this issue, enable cross-Region aggregation or implement this pattern's solution in the Region where your Amazon S3 bucket currently resides. @@ -183 +163 @@ I have an S3 bucket with public access enabled, but I'm not getting email notifi - _Workflow for monitoring public S3 buckets_ + _Workflow for monitoring public Amazon S3 buckets_ @@ -185 +165 @@ I have an S3 bucket with public access enabled, but I'm not getting email notifi -The following workflow illustrates how you can monitor the public S3 buckets in your organization. The workflow assumes that you completed the steps in the _Configure the SNS topic and email subscription_ story of this pattern _._ +The following workflow illustrates how you can monitor the public Amazon S3 buckets in your organization. The workflow assumes that you completed the steps in the _Configure the Amazon SNS topic and email subscription_ story of this pattern _._ @@ -187 +167 @@ The following workflow illustrates how you can monitor the public S3 buckets in - 1. You receive an email notification when an S3 bucket is configured with public access. + 1. You receive an email notification when an Amazon S3 bucket is configured with public access.