10 Essential S3 Bucket Security Audits – Free Cheat Sheet
Here is a quick list of actions that help you keep an eye on your S3 infrastructure.
Most of these audits can be automated with custom scripts that can be scheduled from monitoring servers or serverless functions.
* If you haven’t read our complete AWS S3 security guide, “How to Easily Secure and Audit AWS S3 Buckets?”, we recommend you do so now.
| S3 Audit Action | How Often? | How to Perform this Audit? |
|---|---|---|
| Find if there are publicly accessible buckets | Every 3 hours | Iterate through all S3 buckets and check if any are publicly accessible. The process should send alerts through different channels like e-mail, PagerDuty, or Slack when publicly accessible buckets are detected. |
| Alert when new buckets are created, or existing buckets are deleted | Daily | This can be detected from CloudTrail logs. |
| Alert when S3 objects are made public | Daily | Iterate through all bucket objects to find if any are public. |
| Find bucket policies with non-existent, blocked or deleted IAM users | Daily | Parse through bucket policies to find IAM users in the same account which are blocked, deleted or non-existent. |
| Alert when bucket policies are deleted | Every 3 hours | The event can be trapped from CloudTrail logs. |
| Find bucket policies with IAM users from other accounts | Daily | Parse through bucket policies of every bucket to find IAM users from different accounts. This can be compared against a “whitelist” of cross-account IAM users. Any new user detected should send an alert. |
| Check if any KMS keys used for bucket or object encryption exist and when they are scheduled to rotate | Daily | Parse through bucket policies of every bucket to find KMS key IDs. Check AWS KMS for the existence of these keys and their properties. |
| Find the list of users and administrators of any KMS key used for bucket or object encryption | Daily | Parse through bucket policies of every bucket to find KMS key IDs. Check AWS KMS for the existence of these keys and their users/administrators. |
| Check if important buckets have versioning enabled | Daily | Parse bucket properties. |
| Check S3 bucket costs | Monthly | Use AWS billing reports. |
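As an added example (not code from the original cheat sheet or from any AWS tool), the following Python implements the decision logic behind four rows of the table: the public-bucket check (ACL grants and bucket policy), the cross-account principal check against a whitelist, and the CloudTrail-based alerts for bucket creation/deletion and bucket-policy deletion. All inputs are constructed sample data shaped like the real API responses; the function names, the sample account IDs and the bucket names are assumptions of this example. In production the same dicts come from `s3.get_bucket_acl(Bucket=...)`, `json.loads(s3.get_bucket_policy(Bucket=...)["Policy"])` and the CloudTrail event records.

```python
"""Offline audit helpers for the S3 checks in the cheat sheet table.

All sample data below is constructed for illustration and stands in for the
responses of get_bucket_acl, get_bucket_policy and CloudTrail.
"""
import json

# AWS-defined grantee URIs that make an ACL grant public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# CloudTrail event names the table asks us to alert on.
WATCHED_EVENTS = {"CreateBucket", "DeleteBucket", "DeleteBucketPolicy"}


def acl_is_public(acl):
    """True if any grant in a GetBucketAcl/GetObjectAcl response targets
    AllUsers or AuthenticatedUsers, regardless of the permission granted."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def _principals(statement):
    """Normalise the Principal field of a policy statement to a list of strings.
    Handles "*", {"AWS": "..."} and {"AWS": ["...", "..."]}."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return [principal]


def policy_is_public(policy):
    """True if an Allow statement grants access to everyone ("*") without any
    Condition block narrowing it. A conditioned "*" is reported as not public
    here and should be reviewed separately."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt):
            return True
    return False


def _account_id(principal):
    # arn:partition:iam::ACCOUNT:resource -> ACCOUNT; bare account IDs pass through.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def foreign_principals(policy, own_account, whitelist):
    """Return principals from other accounts that are not on the whitelist,
    sorted so the result is stable for alert de-duplication."""
    found = set()
    for stmt in policy.get("Statement", []):
        for p in _principals(stmt):
            if p == "*" or p in whitelist:
                continue
            if _account_id(p) != own_account:
                found.add(p)
    return sorted(found)


def alertable_events(records):
    """Pick S3 CloudTrail records whose eventName is in WATCHED_EVENTS and
    return (eventName, bucketName) pairs to hand to the alerting channel."""
    return [
        (r["eventName"], r.get("requestParameters", {}).get("bucketName"))
        for r in records
        if r.get("eventSource") == "s3.amazonaws.com" and r.get("eventName") in WATCHED_EVENTS
    ]


# Constructed sample inputs (not real buckets, accounts or events).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
}

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:user/partner",
                           "arn:aws:iam::333333333333:role/unknown"]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")

SAMPLE_TRAIL = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "new-bucket"}},
]


def run_sample_audit():
    """Run the four checks over the constructed samples and return findings."""
    return {
        "acl_public": acl_is_public(SAMPLE_ACL),
        "policy_public": policy_is_public(SAMPLE_POLICY),
        "foreign": foreign_principals(SAMPLE_POLICY, "111111111111",
                                      {"arn:aws:iam::222222222222:user/partner"}),
        "events": alertable_events(SAMPLE_TRAIL),
    }


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

The checks are deliberately split into pure functions over plain dicts so a scheduled job can feed them the live API responses and a test suite can feed them fixtures; the policy evaluator errs on the side of flagging (any unconditioned `"*"` Allow) rather than trying to reproduce the full IAM evaluation logic, which is the right trade-off for an alerting job that a human reviews.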