En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Security hub showing Critical S3 Read - Bucket has no public access - but public Is blocked!

0

Good morning all, I am starting to lock down more of our account for obvious reasons, and as the subject states, security hub is showing a bunch of S3 buckets as Critical. The Title is "PCI.S3.2 S3 buckets should prohibit public read access" and "Updated at" an hour ago (all the security changes and such were done last week on Wednesday).

From the S3 console I see; Block all public access On

The Bucket Policy looks like this (only allowing CloudFront)

    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxx:distribution/distributionID"
                }
            }
        }
    ]
}

I have this on all the buckets that were changed and updated last week, so not sure what step(s) to take next to have these removed.

Sujets
StockageSécurité, identité et conformité
Balises
Simple service de stockage AmazonSécurité, identité et conformitéHub de sécurité AWS
Langue
English
lraymond
demandé il y a 3 mois168 vues
2 réponses
0

Just a stab. Is there a typo in the ARN, missing the slash?

"Resource": "arn:aws:s3:::my-bucket*",

Should be:

"Resource": "arn:aws:s3:::my-bucket/*",
profile pictureAWS
EXPERT
kentrad
répondu il y a 3 mois
0

Thanks,

That full policy is actually a copy/paste when you lock it down in CloudFront. There is a simple button that says to copy the policy, and I did check and that is correct under resource;

            "Resource": "arn:aws:s3:::mybucket/*",

I may have messed up when I renamed to post, but good thought. I have 4 identical buckets, I marked 2 as resolved and they are no longer showing in the security hub listing, but the other 2 still show (and say last seen an hour ago), so I am wondering if I really just need to mark them (that would be terrible), but going to test that now.

Will advise

lraymond
répondu il y a 3 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents