Data is a vital resource for organizations, and users continually seek straightforward methods to safeguard their information from unauthorized access. While there are scenarios where data must be public, the majority of enterprise applications and data privacy hinge on meticulously managed permissions, requiring no public access.
Organizations utilize Amazon S3 object storage for various applications, including cloud services, dynamic websites, content distribution, mobile apps, and gaming platforms. As Amazon S3 evolves into a central datastore for these entities, ensuring data remains private unless public visibility is absolutely necessary becomes paramount. By default, new S3 buckets come with S3 Block Public Access enabled at the bucket level, access control lists (ACLs) turned off, and all new objects encrypted. To guarantee that public access to S3 buckets and objects is restricted, you can enable S3 Block Public Access at the account level. These default features establish strong security measures; however, unintentional actions, users with excessive permissions, or even malicious behavior can lead to S3 buckets being created with S3 Block Public Access turned off or existing buckets losing this setting unexpectedly.
In this article, we present a proactive, event-driven approach that identifies public S3 buckets using AWS Security Hub and subsequently enables S3 Block Public Access at the bucket level. In instances where public access is warranted, we recommend tagging those S3 buckets (for example, tag_key = “bucket.status” & tag_value = “public.bucket”). This solution is built on an event-driven architecture that is cost-effective and easy to implement, helping to enhance the security stance and operational reliability of organizations by ensuring that private buckets remain confidential.
Solution Overview
The following diagram outlines the various components of this event-driven design.
At a high level, the solution operates as follows:
- AWS Security Hub assesses the compliance and security of S3 buckets.
- Findings are forwarded to Amazon EventBridge.
- EventBridge triggers two actions:
  - An AWS Lambda function that incorporates logic to restrict public access to S3 buckets based on specific resource tags.
  - An Amazon CloudWatch log group activates a CloudWatch alarm, which then sends a notification to an Amazon SNS topic.
- The SNS topic generates an email notification informing that a public S3 bucket has been identified.
This solution employs the `GetBucketTagging` API operation to retrieve the tag set associated with an S3 bucket. The Lambda function discussed in this post iterates through the tag key-value pairs to check for a specific tag key-value pair (e.g., tag_key = “bucket.status” and tag_value = “public.bucket”). If the required tag is present, the function does not enable S3 Block Public Access on that bucket. Conversely, if the S3 bucket lacks the required tag, the solution enables S3 Block Public Access on it. Unless you intend for your S3 buckets to be publicly accessible, enabling S3 Block Public Access is essential.
Prerequisites
To begin this walkthrough, ensure you have the following:
- An AWS account
- An S3 bucket
- An AWS Lambda execution IAM role
- An S3 bucket policy that permits the Lambda function to modify S3 Block Public Access settings
Walkthrough
The next sections will guide you through the solution:
- Configuring Security Hub
- Setting up the AWS Lambda function
- Configuring the EventBridge rule with targets
- Establishing CloudWatch metrics and alarms
1) Configuring Security Hub
In a previous article, “Find public Amazon S3 buckets in your AWS account,” we explored the various AWS services designed to detect public S3 buckets across multiple AWS Regions. One key service is Security Hub, a cloud security posture management (CSPM) tool that conducts security best practice evaluations, compiles alerts, and enables automated remediation.
You can use Security Hub to keep an eye on public S3 buckets by leveraging the controls from the AWS Foundational Security Best Practices (FSBP) standard. Security Hub utilizes service-linked AWS Config rules to perform security checks for the majority of controls. To start, follow these steps:
- Enable AWS Config across all accounts in each AWS Region.
- Activate Security Hub by integrating with AWS Organizations or manually.
- Enable the AWS FSBP standard in Security Hub.
For this article, we are utilizing the FSBP security control S3.8 which states that general-purpose S3 buckets should block public access. This control verifies whether an S3 general-purpose bucket effectively blocks public access at the bucket level. Below is a Security Hub finding indicating a public S3 bucket.
Security Hub automatically sends new findings and updates to existing findings to EventBridge as Security Hub Findings – Imported events. Consequently, every time Security Hub detects a public S3 bucket during continuous monitoring, an event is dispatched to EventBridge.
2) Setting Up AWS Lambda Function
Lambda is a serverless compute service that allows you to run code without needing to provision a server. In this scenario, an EventBridge event triggers a Lambda function (“BlockPublicS3Bucket”) to restrict public access to the S3 bucket. This function performs the following tasks:
- Identifies the S3 bucket name using a JSONPath expression.
- Iterates through the S3 bucket tags to check for a specific tag key-value pair. The following is the sample tag key-value pair used for this post:
  - bucket_tag_key = “bucket.status”
  - bucket_tag_value = “public.bucket”
- If the tag is absent, the function proceeds to block the public access configuration for the bucket using the put_public_access_block API call.
- If the tag is present, the function bypasses the public access block and logs a message.
This method ensures that public access is only restricted if the specified tag is not present on the S3 bucket. The following are prerequisites for the Lambda function:
- A Lambda execution IAM role that grants permission to access AWS services and resources.
- An S3 bucket policy that allows the Lambda function to update the S3 Block Public Access settings. Here’s an example policy:
```json
{
  "Version": "2012-10-17",
  "Id": "BlockPublicAccess",
  "Statement": [
    {
      "Sid": "LambdaAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/service-role/BlockPublicS3Bucket-role-123"
      },
      "Action": [
        "s3:GetBucketTagging",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
```
You can find the Lambda function in this AWS sample.
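The following is an added illustration of the four steps the Lambda function performs (bucket name extraction, tag check, conditional put_public_access_block, log message); it is not the AWS sample referenced above. It runs offline against a constructed stand-in for the boto3 S3 client (`FakeS3`) and a constructed minimal Security Hub event; the function names and the `s3=` injection parameter are this example's own.

```python
BUCKET_TAG_KEY = "bucket.status"
BUCKET_TAG_VALUE = "public.bucket"
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def bucket_name_from_event(event):
    # Same selection as the JSONPath $.detail.findings[0].Resources[0].Id;
    # an S3.8 finding's resource Id is the bucket ARN arn:aws:s3:::<name>
    resource_id = event["detail"]["findings"][0]["Resources"][0]["Id"]
    return resource_id.split(":::", 1)[1]

def is_intentionally_public(s3, bucket):
    # True only when the opt-out tag pair is present; an untagged bucket makes
    # get_bucket_tagging raise NoSuchTagSet, which simply counts as "not tagged"
    try:
        tags = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception as exc:
        if "NoSuchTagSet" not in str(exc):
            raise
        return False
    return any(t["Key"] == BUCKET_TAG_KEY and t["Value"] == BUCKET_TAG_VALUE
               for t in tags)

def lambda_handler(event, context=None, s3=None):
    if s3 is None:          # real Lambda path; the demo injects FakeS3 below
        import boto3
        s3 = boto3.client("s3")
    bucket = bucket_name_from_event(event)
    if is_intentionally_public(s3, bucket):
        print(f"{bucket} is tagged {BUCKET_TAG_KEY}={BUCKET_TAG_VALUE}; skipping")
        return "skipped"
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    return "blocked"

class FakeS3:
    # Constructed stand-in for the boto3 S3 client so the demo runs offline
    def __init__(self, tags_by_bucket):
        self.tags_by_bucket, self.blocked = tags_by_bucket, {}
    def get_bucket_tagging(self, Bucket):
        if Bucket not in self.tags_by_bucket:
            raise Exception("NoSuchTagSet")
        return {"TagSet": self.tags_by_bucket[Bucket]}
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.blocked[Bucket] = PublicAccessBlockConfiguration

def sample_event(bucket):
    # Constructed, minimal shape of a "Security Hub Findings - Imported" event
    return {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
        {"Resources": [{"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::{bucket}"}]}]}}
```

Note that a bucket with the right key but a different value (for example bucket.status=private) is still remediated; only the exact key-value pair opts a bucket out.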
3) Configuring EventBridge Rule with Targets
EventBridge is a serverless service that facilitates the development of scalable event-driven applications. With EventBridge, you can monitor and audit your AWS environments, responding to operational changes in your applications in near real time to prevent infrastructure vulnerabilities. An EventBridge rule matches specific event types (here, the Security Hub Findings – Imported events) and routes them to targets such as the Lambda function and the CloudWatch log group described above.
By ensuring that public access is managed effectively, organizations can protect their data assets.