❗Before you are able to configure the AWS S3 integration, you should follow the steps to set up the overall AWS integration first. Please see our AWS guide here.
Introduction
Using a single connector to AWS gives you the flexibility to extend access to any of the products in the AWS family. We have a number of off-the-shelf checks for AWS S3 and have listed the most common checks, together with the IAM permissions each one needs, below. Every policy grants only read-only Get* actions, so the connector can inspect bucket configuration without being able to change it. We also build configured and custom checks tailored to our clients. If you have a requirement that is not satisfied by the checks below, please reach out to your implementation lead!
AWS S3 Check Permissions
S3 buckets are encrypted
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Encryption",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets are configured with block public access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicAccessBlock",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets have access logging enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Logging",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketLogging"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets have MFA delete protection enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MFADelete",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets require requests to use SSL
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireSSL",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
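As an added example (not the vendor's own check code), this shows what the "require SSL" check has to do with the s3:GetBucketPolicy permission above: fetch the bucket policy and confirm it contains a Deny for all principals on s3:* with the aws:SecureTransport condition set to false, covering both the bucket and its objects. The bucket name and the sample policy are constructed; the live helper assumes boto3 is installed and credentials are configured, while the offline evaluator needs neither.

```python
import json

# Constructed sample (not from the page): the usual deny-non-TLS bucket policy for a hypothetical bucket.
SAMPLE_BUCKET = "example-evidence-bucket"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{SAMPLE_BUCKET}", f"arn:aws:s3:::{SAMPLE_BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
def _as_list(value):
    # IAM accepts a scalar wherever a list is allowed; normalise to a list.
    return value if isinstance(value, list) else [value]

def policy_requires_ssl(policy_json, bucket):
    """True if the policy denies every non-TLS request to the bucket and its objects."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        # Condition keys are case-insensitive; the value may be a string or a one-item list.
        bools = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        secure = _as_list(bools.get("aws:securetransport", []))
        if not secure or str(secure[0]).lower() != "false":
            continue
        # Require both ARNs so bucket-level calls such as ListBucket are covered too.
        if {bucket_arn, bucket_arn + "/*"} <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False

def check_bucket_requires_ssl(bucket, s3=None):
    """Live check using only s3:GetBucketPolicy; a bucket with no policy at all fails it."""
    import boto3  # assumed installed and configured; the offline helper above does not need it
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")
    try:
        policy_json = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchBucketPolicy":
            return False
        raise
    return policy_requires_ssl(policy_json, bucket)
```

A bucket whose only protection is an Allow statement, or whose Deny is scoped to objects alone, is reported as failing, which is the outcome an evidence item for this check should record.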
S3 buckets have versioning enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Versioning",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets have zone redundancy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Replication",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
S3 buckets have object lock enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectLock",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Next Steps
Please let your implementation lead know once these permissions have been configured, and we will configure the evidence items to auto-generate in your workspace!