07 - S3 Cross Account Access

 

Ensure your S3 buckets are only allowing access to other accounts within your organization

Ensure that your S3 buckets that allow access from other accounts, only allow traffic from accounts within your organization that you trust. This is considered a security best practice and should always enabled on every bucket. Ensuring this is enabled will help with NIST,PCI-DSS, HIPPA and GDPR compliance.

Audit & Remediation

 

 

  • Select the Name hyperlink for the S3 bucket you would like to check.
  • Under Permissions select Bucket Policy.

 

 

  • If there is a policy defined, validate if you see account numbers specified as a principle:
                    
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345678911:root",
                    "arn:aws:iam::012345678999:root"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket-logging/*",
        }
    ]
}
  • Remove any accounts that are not a part of your organization or a trusted account. Example: arn:aws:iam::012345678999:root
  • Press the save button to save the policy.
  • Repeat the outlined steps for each S3 bucket that you have.
See all of your AWS S3 Buckets in a single place!

Do you want to see all S3 Buckets in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

 

Other Key Features

Inventory

Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +

Contact us

LDAPTIVE, LLC.
Mount Pleasant, SC
USA
Email: info@ldaptive.com
Intelligent Discovery ™

LDAPTIVE, LLC 2018 © All Rights Reserved. Privacy Policy | Terms of Service