AWS elasticloadbalancing high security documentation change
Summary
Updated S3 bucket policy guidance with enhanced security recommendations including precise ARNs, source ARN/OrgID conditions, and NotPrincipal usage
Security assessment
The changes explicitly address security hardening by requiring specific resource ARNs instead of wildcards, adding source validation conditions, and correcting NotPrincipal configurations. These changes prevent potential bucket policy misconfigurations that could allow unauthorized access to access logs.
Diff
diff --git a/elasticloadbalancing/latest/application/enable-access-logging.md b/elasticloadbalancing/latest/application/enable-access-logging.md index 33cccf7dd..a167becb1 100644 --- a//elasticloadbalancing/latest/application/enable-access-logging.md +++ b//elasticloadbalancing/latest/application/enable-access-logging.md @@ -66,12 +66 @@ If you're using an existing bucket that already has an attached policy, you can -The bucket policy that you'll use depends on the AWS Region and the type of zone. Each expandable section below contains a bucket policy and information about when to use that policy. - -###### Enhance security by using precise S3 bucket ARNs. - - * Use the full resource path, not just the S3 bucket ARN. - - * Include the account ID portion of the S3 bucket ARN. - - * Don't use wildcards (*) in the account ID portion of the S3 bucket ARN. - - - +The bucket policy that you'll use depends on the AWS Region and the type of zone. Each expandable section below contains a basic bucket policy and a description of the policy. To enhance security, see the suggestions below the collapsible sections. @@ -137,15 +125,0 @@ The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in -###### Using NotPrincipal when Effect is Deny - -If the Amazon S3 bucket policy uses `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list. - - - { - "Effect": "Deny", - "NotPrincipal": { - "Service": [ - "logdelivery.elasticloadbalancing.amazonaws.com", - "example.com" - ] - } - }, - @@ -236,15 +209,0 @@ The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in -###### Using NotPrincipal when Effect is Deny - -If the Amazon S3 bucket policy uses `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list. - - - { - "Effect": "Deny", - "NotPrincipal": { - "Service": [ - "logdelivery.elasticloadbalancing.amazonaws.com", - "example.com" - ] - } - }, - @@ -295,15 +253,0 @@ The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in -###### Using NotPrincipal when Effect is Deny - -If the Amazon S3 bucket policy uses `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list. - - - { - "Effect": "Deny", - "NotPrincipal": { - "Service": [ - "logdelivery.elasticloadbalancing.amazonaws.com", - "example.com" - ] - } - }, - @@ -345 +289,7 @@ The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in -###### Using NotPrincipal when Effect is Deny +###### Enhance security + +Use the following suggestions to enhance the security of your S3 bucket. + +###### Review your bucket policy + + * Use the full resource path, including the account ID portion of the S3 bucket ARN. Don't use wildcards (*) in the account ID portion of the S3 bucket ARN. @@ -347 +297,20 @@ The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in -If the Amazon S3 bucket policy uses `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list. + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*" + + * Use `aws:SourceArn` to ensure that only load balancers from the specified Region and account can use your bucket. + + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/*" + } + } + + * Use `aws:SourceOrgId` with `aws:SourceArn` to ensure that only load balancers from the specified organization can use your bucket. + + "Condition": { + "StringEquals": { + "aws:SourceOrgId": "o-1234567890" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*" + } + } @@ -348,0 +318 @@ If the Amazon S3 bucket policy uses `Effect` with the value `Deny` and includes + * If your Amazon S3 bucket policy `Effect` with the value `Deny` and includes `NotPrincipal` as shown in the example below, ensure that `logdelivery.elasticloadbalancing.amazonaws.com` is included in the `Service` list.