{
"schemaVersion": "2021-11-01",
"name": "Amazon S3 Well-Architected Lens",
"description": "Best practices for configuring Amazon S3",
"_version": "v3.1.0",
"_note": "Append new info with 2023 re:invent update. 2023-Dec-21",
"pillars": [
{
"id": "operationalExcellence",
"name": "Operational Excellence",
"questions": [
{
"id": "OPS_1",
"title": "How do you track ownership of data stored in S3, and how that data is used?",
"description": "A clear understanding of the purpose of data informs many other operational processes. The foundation of understanding that purpose is establishing a logical owner, such as a team, who can answer questions and/or make decisions when necessary.",
"choices": [
{
"id": "OPS_1_1",
"title": "Buckets and/or AWS accounts are required to be tagged",
"helpfulResource": {
"displayText": "Tagging can be used to ensure each resource clearly describes what team and workload owns it. This allows for costs to be allocated, for questions about best practices to be followed up on, and for configuration changes to be reviewed.\n\nA tagging strategy should be used for an organization. While the exact details will differ from organization to organization, and some workloads will add additional detail, it is important that consistency around a core set of tags is maintained for the organization.\n\nS3 also supports object tags and object level user metadata, which could store ownership information, but some features such as Cost Allocation Tags only support bucket level tags, and tagging every object adds cost to many use cases, so bucket tags are valuable.",
"url": "https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/defining-needs-and-use-cases.html"
},
"improvementPlan": {
"displayText": "Tagging can be an effective scaling mechanism for implementing cloud management and governance strategies",
"url": "https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/defining-needs-and-use-cases.html"
}
},
{
"id": "OPS_1_2",
"title": "Cost Allocation Tags are enabled for relevant tag keys used to tag buckets",
"helpfulResource": {
"displayText": "Bucket tags can be used in Cost Explorer or Cost and Usage Reports to group costs and visualize usage. But to be used in this way, the tag keys you want to use in this way must be enabled.",
"url": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html"
},
"improvementPlan": {
"displayText": "Tag buckets to helps manage and allocate costs",
"url": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html"
}
},
{
"id": "OPS_1_3",
"title": "Using Amazon Macie to automate the discovery of sensitive data",
"helpfulResource": {
"displayText": "Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching.\n\nMacie automates discovery and reporting of sensitive data to provide you with a better understanding of the data that your organization stores in Amazon S3.",
"url": "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd.html"
},
"improvementPlan": {
"displayText": "Classify and secure sensitive data with Macie",
"url": "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd.html"
}
},
{
"id": "OPS_1_4",
"title": "Within buckets, use prefixes to group common data",
"helpfulResource": {
"displayText": "The first strategy to categorizing that data within a bucket is a pattern for key names that utilizes common prefixes, and hierarchies. ListObjects, Storage Lens and other features can make use of prefix patterns to locate objects with common patterns.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html"
},
"improvementPlan": {
"displayText": "Organizing objects using prefixes",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html"
}
},
{
"id": "OPS_1_5",
"title": "Using prefix level metrics in S3 Storage Lens",
"helpfulResource": {
"displayText": "If you need a deeper level of understanding the breakdown of data in a bucket, S3 Storage Lens' advanced metrics provides prefix level metrics.\n\nNote that enabling advanced metrics for S3 Storage Lens incurs additional per-object recurring costs. If you have a large number of objects, you can estimate the costs before enabling and consider short term enablement as needed.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-cloudwatch-metrics-dimensions.html"
},
"improvementPlan": {
"displayText": "S3 Storage Lens dashboard helps to drill down for more details about the specific regions, buckets, or prefixes to further assist you",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-cloudwatch-metrics-dimensions.html"
}
},
{
"id": "OPS_1_6",
"title": "Using object level tags",
"helpfulResource": {
"displayText": "Object level tags can be used for fine-grained access-control via IAM conditions keys, to filter lifecycle rules, as part of custom metrics.\n\nNote, object level tags cannot be used for Cost Allocation Tags, and incur additional per-object recurring costs. When working with large numbers of objects, consider the costs associated with object tags before broad usage.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html"
},
"improvementPlan": {
"displayText": "Categorizing your storage using tags",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html"
}
},
{
"id": "OPS_1_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "OPS_1_1 && OPS_1_2 && OPS_1_3 && OPS_1_4 && OPS_1_5 && OPS_1_6",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "OPS_2",
"title": "How do you capture data regarding usage for future analysis?",
"description": "AWS CloudTrail Data Events for S3 and Amazon S3 Server Access Logs, provide a record of actions that are taken by users, roles, or AWS services on Amazon S3 resources and maintain log records for auditing and compliance purposes.",
"choices": [
{
"id": "OPS_2_1",
"title": "Enabled AWS CloudTrail Data Events for S3",
"helpfulResource": {
"displayText": "We recommend that you use CloudTrail Data Events for S3 as your primary log source for S3, due to the faster delivery, higher delivery assurance, and integration with analysis tools.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html"
},
"improvementPlan": {
"displayText": "Enabling CloudTrail event logging for S3 buckets and objects",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html"
}
},
{
"id": "OPS_2_2",
"title": "Configured monitoring for CloudTrail status",
"helpfulResource": {
"displayText": "To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.",
"url": "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html"
},
"improvementPlan": {
"displayText": "Enable AWS Config rule to automatically re-enable AWS CloudTrail using a custom remediation",
"url": "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html"
}
},
{
"id": "OPS_2_3",
"title": "Configured Trusted Advisor alarm for AWS CloudTrail Logging alerts",
"helpfulResource": {
"displayText": "To ensure changes to configuration do not disrupt the delivery of events to your CloudTrail, you should create an alarm for the Trusted Advisor Check AWS CloudTrail Logging to notify you in the case delivery is disrupted.",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#aws-cloudtrail-logging"
},
"improvementPlan": {
"displayText": "Create Amazon CloudWatch alarm to monitor AWS CloudTrail Logging configuration",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/cloudwatch-metrics-ta.html#cloudwatch-metrics-dimensions-for-trusted-advisor"
}
},
{
"id": "OPS_2_4",
"title": "Enabled Amazon S3 Server Access Logs",
"helpfulResource": {
"displayText": "Amazon S3 Server Access Logs capture some events and data points not available in CloudTrail Data Events for S3.\n\nThese logs provide visibility into: \na. Individual keys deleted as part of a DeleteObjects request \nb. The size of a processed object \nc. Time to complete a request \nd. Lifecycle transitions or expirations",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html"
},
"improvementPlan": {
"displayText": "Logging requests using server access logging",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html"
}
},
{
"id": "OPS_2_5",
"title": "Configured Trusted Advisor alarm for Amazon S3 Bucket Logging alerts",
"helpfulResource": {
"displayText": "When logging is initially enabled, the configuration is automatically validated. However, future modifications can result in logging failures. This check examines explicit Amazon S3 bucket permissions, but it does not examine associated bucket policies that might override the bucket permissions.",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-s3-bucket-logging"
},
"improvementPlan": {
"displayText": "Create Amazon CloudWatch alarm to monitor Amazon S3 Server Access Log configuration",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/cloudwatch-metrics-ta.html#cloudwatch-metrics-dimensions-for-trusted-advisor"
}
},
{
"id": "OPS_2_6",
"title": "Planned for/Enabled Client Metrics",
"helpfulResource": {
"displayText": "AWS SDKs often support SDK client metrics. SDK client metrics can be enabled for monitoring API requests from SDKs, and can capture aspects of a request that are visible only to the client, such as how many concurrent requests are occurring, additional network latency, and a higher degree of granularity.\n\nKeep in mind that since S3 API calls can be high volume, this type of metrics can create additional costs from CloudWatch and create client and network load.",
"url": "https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/metrics.html"
},
"improvementPlan": {
"displayText": "Using AWS SDK's to emit client metrics",
"url": "https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/metrics.html"
}
},
{
"id": "OPS_2_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "OPS_2_1 && OPS_2_2 && OPS_2_3 && OPS_2_4 && OPS_2_5 && OPS_2_6",
"risk": "NO_RISK"
},
{
"condition": "(OPS_2_1 && (OPS_2_2 || OPS_2_3)) || (OPS_2_4 && OPS_2_5)",
"risk": "MEDIUM_RISK"
},
{
"condition": "default",
"risk": "HIGH_RISK"
}
]
},
{
"id": "OPS_3",
"title": "How do you provide access to usage data for analysis?",
"description": "You should think in advance on what tools you will use to analyze usage data, so that when the need arises, you do not waste valuable time finding and configuring tools.",
"choices": [
{
"id": "OPS_3_1",
"title": "Configured a query mechanism for S3 CloudTrail Data events",
"helpfulResource": {
"displayText": "S3 Data Events do not appear in the CloudTrail Event History. If you want users to be able to access them, you will want to provide them with a mechanism to query the data stored in the S3 CloudTrail records.\n\nWhile there are many possible options to do this, one of the most readily available is AWS CloudTrail Lake, which allows you to execute SQL-based queries against your CloudTrail events, including the S3 data events.",
"url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html"
},
"improvementPlan": {
"displayText": "Using AWS CloudTrail Lake, a managed data lake that lets organizations aggregate, immutably store, and query events recorded by CloudTrail for auditing, security investigation, and operational troubleshooting",
"url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html"
}
},
{
"id": "OPS_3_2",
"title": "Configured a query mechanism for Amazon S3 Server Access Logs",
"helpfulResource": {
"displayText": "S3 Server Access Logs are output to your designated location as a series of individual files. To enable your users to work with this data you will want to provide them with a mechanism to query the data stored in them.\n\nYou can utilize Amazon Athena to create a table that allows access to S3 Server Access Logs. Athena is appropriate for infrequent usage, as there is no upfront costs to configure, and you only pay per query and the associated S3 usage. If you are have complex, regular or recurring analysis needs, Athena might still be an appropriate solution, but you should also take the time to evaluate other solutions, such as OpenSearch.",
"url": "https://repost.aws/knowledge-center/analyze-logs-athena"
},
"improvementPlan": {
"displayText": "Use Athena to quickly analyze and query server access logs.",
"url": "https://repost.aws/knowledge-center/analyze-logs-athena"
}
},
{
"id": "OPS_3_3",
"title": "Amazon S3 Storage Lens metrics enabled",
"helpfulResource": {
"displayText": "Amazon S3 provides and supports a collection of metrics in CloudWatch and/or S3 Storage Lens. Some of these are enabled by default, some are enabled with S3 Storage Lens, and some are enabled as Advanced Metrics for S3 Storage Lens.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_view_metrics_cloudwatch.html"
},
"improvementPlan": {
"displayText": "Use S3 Storage Lens Advanced Storage Metrics for advanced metric categories, prefix-level aggregation, contextual recommendations, and Amazon CloudWatch publishing",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_selection"
}
},
{
"id": "OPS_3_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "OPS_3_1 && OPS_3_2 && OPS_3_3",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "OPS_4",
"title": "How do you monitor your user's experience?",
"description": "When S3 is utilized to distribute content over the internet or regional networks, the performance of those networks can have impacts on the user experience or performance of consuming workloads. Monitoring these networks can provide insights that will avoid time consuming investigations, allow you to explain causes of user experience, or to pursue mitigations.",
"choices": [
{
"id": "OPS_4_1",
"title": "Monitor Internet traffic patterns to understand impacts on user experience or workload performance",
"helpfulResource": {
"displayText": "Amazon CloudWatch Internet Monitor provides visibility into how internet issues impact the performance and availability between your applications hosted on AWS and your end users. If your users access your bucket directly, or via Amazon CloudFront, internet issues can impact their experience. Being aware of these issues can help understand the experiences of those users, take actions to improve their experience, and better communicate with those users about their experience.\n\nIf your workload does not have Internet users:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor Internet traffic patterns to understand impacts on user experience or workload performance'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not directly utilized by users who reach S3 or CloudFront via the Internet' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html"
},
"improvementPlan": {
"displayText": "Using Amazon CloudWatch Internet Monitor for continuous observability of internet measurements, such as availability and performance, tailored to your workload footprint on AWS",
"url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html"
},
"additionalResources": [
{
"type": "IMPROVEMENT_PLAN",
"content": [
{
"displayText": "Or if your workload does not have Internet users:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor Internet traffic patterns to understand impacts on user experience or workload performance'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not directly utilized by users who reach S3 or CloudFront via the Internet' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/wellarchitected/latest/userguide/tutorial-step2.html"
}
]
}
]
},
{
"id": "OPS_4_2",
"title": "Monitor inter-region networking performance variations to understand impacts on user experience or workload performance",
"helpfulResource": {
"displayText": "AWS Network Manager Infrastructure Performance monitoring can provides visibility into real-time health and latency between AWS regions. When you have users or workloads that access S3 via cross-region calls, either through public endpoints or via Interface VPC endpoints, that traffic passes between AWS regions by the AWS global network.\n\nIf your workload does not utilize S3 across regions:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor inter-region networking performance variations to understand impacts on user experience or workload performance'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not accessed across regions by users or workload operations' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/network-manager/latest/infrastructure-performance/what-is-nmip.html"
},
"improvementPlan": {
"displayText": "Infrastructure Performance allows you to obtain near real-time and historical network latency across AWS Regions and across or within Availability Zones for a specified time period.",
"url": "https://docs.aws.amazon.com/network-manager/latest/infrastructure-performance/what-is-nmip.html"
},
"additionalResources": [
{
"type": "IMPROVEMENT_PLAN",
"content": [
{
"displayText": "Or if your workload does not utilize S3 across regions:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor inter-region networking performance variations to understand impacts on user experience or workload performance'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not accessed across regions by users or workload operations' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/wellarchitected/latest/userguide/tutorial-step2.html"
}
]
}
]
},
{
"id": "OPS_4_3",
"title": "Monitor CloudFront distribution metrics",
"helpfulResource": {
"displayText": "It is very common to use S3 as the origin of a CloudFront distribution. In these cases, monitoring CloudFront distribution metrics can provide insight into user experiences, whether misconfigurations have occurred, and other important details.\n\nIf your workload does not utilize CloudFront:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor CloudFront distribution metrics'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not accessed by CloudFront' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewing-cloudfront-metrics.html#monitoring-console.distributions"
},
"improvementPlan": {
"displayText": "Using CloudFront distriubution metrics helps you troubleshoot, track, and debug issues",
"url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewing-cloudfront-metrics.html#monitoring-console.distributions"
},
"additionalResources": [
{
"type": "IMPROVEMENT_PLAN",
"content": [
{
"displayText": "Or if your workload does not utilize CloudFront:\n - Click 'Mark best practice(s) that do not apply to this workload'\n - Select 'Monitor CloudFront distribution metrics'\n - Enter 'Out of Scope' for 'Reason not applicable'\n - Enter 'S3 resources are not accessed by CloudFront' for 'Additional details'.",
"url": "https://docs.aws.amazon.com/wellarchitected/latest/userguide/tutorial-step2.html"
}
]
}
]
},
{
"id": "OPS_4_no",
"title": "No, S3 resources are not directly utilized by any workload or user outside the region of the S3 resource",
"helpfulResource": {
"displayText": "While some of the practices here might be relevant to your workload, if the only access to S3 is directly via your workload's services, these practices will not be relevant to performance of S3 requests."
}
}
],
"riskRules": [
{
"condition": "OPS_4_no || (OPS_4_1 && OPS_4_2 && OPS_4_3)",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "OPS_5",
"title": "How do you validate that the best practices you have chosen remain in place?",
"description": "Once best practices are chosen, audit practices can inform you of any change in that configuration, allowing you to remediate.",
"choices": [
{
"id": "OPS_5_1",
"title": "Using a rules engine",
"helpfulResource": {
"displayText": "Rules engines, such as AWS Config, can validate best practices are configured as intended.\n\nAWS Config provides a set of built-in rules that map to some of the best practices in this guide. Consider enabling AWS Config and these rules across your accounts to validate these best practices. If you have alternate controls or reasons to deviate from these best practices, disable that rule.\n\nRules to consider: Any starting with s3-",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html"
},
"improvementPlan": {
"displayText": "Enable appropriate AWS Config rules for S3 (s3-*) to validate S3 best practices",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html"
}
},
{
"id": "OPS_5_2",
"title": "Use Amazon S3 Inventory to audit and report on the replication and encryption status of your objects",
"helpfulResource": {
"displayText": "You can use Amazon S3 Inventory to help manage your storage. For example, you can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory.html"
},
"improvementPlan": {
"displayText": "Use Amazon S3 Inventory to audit and report on the replication and encryption status of your objects",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html"
}
},
{
"id": "OPS_5_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "OPS_5_1 && OPS_5_2",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
}
]
},
{
"id": "security",
"name": "Security",
"questions": [
{
"id": "SEC_01",
"title": "How do you manage Amazon S3 data you intend to share publicly?",
"description": "Amazon S3 bucket data is private by default. Sharing Amazon S3 data publicly should be done deliberately and with caution.",
"choices": [
{
"id": "SEC_01_1",
"title": "Segregate data that needs to be publicly shared into separate AWS accounts.",
"helpfulResource": {
"displayText": "Using separate accounts for publicly shared data allows you to enable Amazon S3 Block Public Access for other accounts and avoid accidental public sharing of data."
},
"improvementPlan": {
"displayText": "Use separate accounts for publicly shared data, allowing you to enable Amazon S3 Block Public Access for other accounts and avoid accidental public sharing of data.",
"url": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_multi_accounts.html"
}
},
{
"id": "SEC_01_2",
"title": "Utilizing a Content Delivery Network, with controls to limit direct bucket access.",
"helpfulResource": {
"displayText": "When data is shared publicly, you should consider that you could incur additional costs or availability impacts if a DDoS attack was directed at your bucket. Using a Content Delivery Network, can provide protections here. To ensure those protections are realized, you should limit direct bucket access, such that your CDN resources can access the bucket.\n\nAmazon CloudFront provides this type of protections, through integration with AWS WAF. AWS Shield provides access to other resources to responding to this type of event. Origin Access Control (OAC) limits direct access to your bucket to the CloudFront distribution you have created.",
"url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3"
},
"improvementPlan": {
"displayText": "Limit the direct access to Amazon S3 bucket by using Content Delivery Networks",
"url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3"
}
},
{
"id": "SEC_01_3",
"title": "Scan publicly shared bucket contents for sensitive data",
"helpfulResource": {
"displayText": "Buckets that is shared publicly should scan content for sensitive data, to mitigate any accidental or malicious addition of sensitive data.\n\nAmazon Macie automates discovery and reporting of sensitive data to provide you with a better understanding of the data that your organization stores in Amazon S3. To detect sensitive data, you can use built-in criteria and techniques that Macie provides, custom criteria that you define, or a combination of the two. If Macie detects sensitive data in an S3 object, Macie generates a finding to notify you of the sensitive data that Macie found.",
"url": "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd.html"
},
"improvementPlan": {
"displayText": "Use Amazon Macie to discover and report sensitive data stored in your buckets",
"url": "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd.html"
}
},
{
"id": "SEC_01_no",
"title": "No, this workload does not have data that needs to be shared publicly.",
"helpfulResource": {
"displayText": "You should enable Amazon S3 Block Public Access for your account to avoid accidental public sharing of data, and follow other best practices under \"How do you ensure data that should not be shared publicly is not shared publicly?\"",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
}
}
],
"riskRules": [
{
"condition": "SEC_01_no && SEC_01_1 && SEC_01_2 && SEC_01_3",
"risk": "NO_RISK"
},
{
"condition": "(!SEC_01_2)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "SEC_02",
"title": "How do you ensure that data that should not be made public is not made public?",
"description": "Unless you explicitly require anyone on the internet to be able to read or write to your Amazon S3 bucket, you should ensure that your Amazon S3 bucket is not public.",
"choices": [
{
"id": "SEC_02_1",
"title": "Use Amazon S3 block public access.",
"helpfulResource": {
"displayText": "With Amazon S3 block public access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created. For more information, see Blocking public access to your Amazon S3 storage.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
},
"improvementPlan": {
"displayText": "Use Amazon S3 block public access",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
}
},
{
"id": "SEC_02_2",
"title": "Identify Amazon S3 bucket policies that use wildcard identities or actions",
"helpfulResource": {
"displayText": "Wildcard identities such as Principal \"*\" (which effectively means \"anyone\") or allows a wildcard action \"*\" (which effectively allows the user to perform any action in the Amazon S3 bucket)."
},
"improvementPlan": {
"displayText": "Review bucket access using IAM Access Analyzer for S3",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html"
}
},
{
"id": "SEC_02_3",
"title": "Identify Amazon S3 bucket access control lists (ACLs) that provide public access",
"helpfulResource": {
"displayText": "Identify Amazon S3 bucket access control lists (ACLs) that provide read, write, or full-access to 'Everyone' or 'Any authenticated AWS user'",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/acls.html"
},
"improvementPlan": {
"displayText": "Use AWS Services to detect S3 buckets that your users have configured for public access across different AWS Regions in your AWS account and AWS Organizations",
"url": "https://aws.amazon.com/blogs/storage/find-public-s3-buckets-in-your-aws-account/"
},
"additionalResources":[
{
"type": "HELPFUL_RESOURCE",
"content": [
{
"displayText": "Disable ACLs for buckets without explicit use case.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#object-ownership-considerations"
}
]
}
]
},
{
"id": "SEC_02_4",
"title": "Use AWS Trusted Advisor to inspect your Amazon S3 implementation.",
"helpfulResource": {
"displayText": "AWS Trusted Advisor provides the Amazon S3 Bucket Permissions check. This check validates these recommendations are implemented.",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-s3-bucket-permissions"
},
"improvementPlan": {
"displayText": "Use AWS Trusted Advisor to inspect your Amazon S3 implementation",
"url": "https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-s3-bucket-permissions"
}
},
{
"id": "SEC_02_5",
"title": "Use detective controls to discover publicly exposed buckets and validate above controls",
"helpfulResource": {
"displayText": "Using a compliance validation engine, such as AWS Config, validate that the above settings stay unchanged.\n\nAWS Config provides the s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited managed AWS Config Rules, which validate that block public access is set.\n\nAmazon Macie provides you with an inventory of your S3 buckets, and automatically evaluates and monitors the buckets for security and access control. If Macie detects a potential issue with the security or privacy of your data, such as a bucket that becomes publicly accessible, Macie generates a finding for you to review and remediate as necessary.",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited.html"
},
"improvementPlan": {
"displayText": "Use AWS Config managed rules to validate the settings of your Amazon S3 buckets",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"
},
"additionalResources": [
{
"type": "HELPFUL_RESOURCE",
"content": [
{
"displayText": "s3-bucket-public-write-prohibited managed AWS Config Rules",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html"
}
]
}
]
},
{
"id": "SEC_02_6",
"title": "Configure Service Control Policies as guardrails around block public access settings",
"helpfulResource": {
"displayText": "Very few users should be granted access to change block public access settings. While best practice is to use least privilege IAM policies to limit this access, in order to guard against an error in an IAM policy, a Service Control Policy can be used to explicitly deny this permission to either all users or a very limited set.",
"url": "https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html#scp-s3-1"
},
"improvementPlan": {
"displayText": "Use SCP to prevent disabling S3 account public access block",
"url": "https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html#scp-s3-1"
}
},
{
"id": "SEC_02_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "SEC_02_1 && SEC_02_2 && SEC_02_3 && SEC_02_4 && SEC_02_5 && SEC_02_6",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "HIGH_RISK"
}
]
},
{
"id": "SEC_03",
"title": "How do you define encryption in-transit requirements and validate these requirements are met?",
"description": "All S3 API Endpoints, VPC Endpoints, and Access Points support TLS 1.2, and utilize it by default with all AWS SDKs and tooling. Custom clients and client configurations can opt-out of encryption, or choose older encryption protocols. Controls can restrict connections to specific encryption requirements, rejecting connections that are not compliant.",
"choices": [
{
"id": "SEC_03_1",
"title": "Requirements are provided by a compliance standard.",
"helpfulResource": {
"displayText": "If your organization or workload is subject to a particular compliance program, this will inform your encryption requirements.",
"url": "https://aws.amazon.com/compliance/programs/"
},
"improvementPlan": {
"displayText": "Understand and document any compliance programs that apply to your workload"
}
},
{
"id": "SEC_03_2",
"title": "Requirements are based on company wide policy.",
"helpfulResource": {
"displayText": "An encryption policy establishes, at a senior management level, the business and compliance expectations that the organization needs to meet."
},
"improvementPlan": {
"displayText": "Understand and document, at a senior management level, the business and compliance expectations that the organization needs to meet"
}
},
{
"id": "SEC_03_3",
"title": "Use the latest SDKs and client software",
"helpfulResource": {
"displayText": "When client and server first establish a connection, they negotiate the transmission protocol to be used for the connection, optimizing to utilize the most preferred protocol supported by both client and server. S3 supports TLS versions 1.2, 1.1 and 1.0 (the last two will no longer be supported after June 28, 2023). Using the latest clients that support an appropriate version of TLS will ensure that clients connect to S3 with the latest version of TLS."
},
"improvementPlan": {
"displayText": "Use the latest SDKs and client software",
"url": "https://aws.amazon.com/developer/tools/"
}
},
{
"id": "SEC_03_4",
"title": "Implementing detective controls to enforce encryption in-transit",
"helpfulResource": {
"displayText": "Using Service control policies to enforce SecureTransport",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html"
},
"improvementPlan": {
"displayText": "Implement ongoing detective controls by using AWS Config Managed rules",
"url": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html"
}
},
{
"id": "SEC_03_5",
"title": "Bucket policies include a SecureTransport restriction.",
"helpfulResource": {
"displayText": "By explicitly blocking access that does not use HTTPS, you can ensure that non-compliant clients receive an error message and are forced to apply updates to utilize a secure transport protocol",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-HTTP-HTTPS-1"
},
"improvementPlan": {
"displayText": "Enforcing encryption of data in transit in your Amazon S3 bucket policy",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-HTTP-HTTPS-1"
}
},
{
"id": "SEC_03_6",
"title": "Are aware of any proxies that could impact encryption in-transit requirements.",
"helpfulResource": {
"displayText": "Proxies can be used to terminate HTTPS connections and then relay them, with the result that a connection to S3 through such a mechanism actually involves two connections.\n\nThis might be out of the scope of your requirements, for example if such a proxy is part of a customer's corporate network; but if such servers are inside your organization's realm of control, they should be evaluated and treated as a distinct client and server with regard to in-transit requirements.\n\nNote: This type of proxy requires a high degree of trust from client software to be allowed."
},
"improvementPlan": {
"displayText": "Document any proxies used by S3 clients that are part of your workload and within your organization's realm of control"
}
},
{
"id": "SEC_03_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "(SEC_03_1 || SEC_03_2) && SEC_03_3 && SEC_03_4 && SEC_03_5 && SEC_03_6",
"risk": "NO_RISK"
},
{
"condition": "(!SEC_03_6) || (!SEC_03_3)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "SEC_04",
"title": "How do you define encryption at-rest requirements and validate these requirements are met?",
"description": "You should consider what your encryption at-rest requirements are and enforce these requirements. S3 offers transparent data encryption, and since January 5th, 2023, S3 applies encryption by default to all new objects. If you have more stringent compliance requirements, use the practices below to identify and enforce them.",
"choices": [
{
"id": "SEC_04_1",
"title": "Requirements are provided by a compliance standard.",
"helpfulResource": {
"displayText": "If your organization or workload is subject to a particular compliance program, this will inform your encryption requirements.",
"url": "https://aws.amazon.com/compliance/programs/"
},
"improvementPlan": {
"displayText": "Understand and document any compliance programs that apply to your workload",
"url": "https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-data-at-rest-encryption/policy.html"
}
},
{
"id": "SEC_04_2",
"title": "Requirements are based on company wide policy.",
"helpfulResource": {
"displayText": "An encryption policy establishes, at a senior management level, the business and compliance expectations that the organization needs to meet.",
"url": "https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-data-at-rest-encryption/policy.html"
},
"improvementPlan": {
"displayText": "Understand and document, at a senior management level, the business and compliance expectations that the organization needs to meet",
"url": "https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-data-at-rest-encryption/policy.html"
}
},
{
"id": "SEC_04_3",
"title": "Including a KMS key restriction in bucket policies",
"helpfulResource": {
"displayText": "If your requirements state that you should use a specific KMS key or type of KMS key, you can utilize a statement in bucket policies to require a specific KMS key be used when writing new objects to your bucket. You can also declare statements that require some variation of this, such as a KMS key from a specific account, a subset of KMS keys, or simply any KMS key.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-encryption"
},
"improvementPlan": {
"displayText": "Require every object that is written to the bucket to be encrypted using KMS Keys",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-encryption"
}
},
{
"id": "SEC_04_4",
"title": "Including a customer provided key restriction in bucket policies",
"helpfulResource": {
"displayText": "If your requirements state that you should use a customer provided key, you can utilize a statement in bucket policies to require a customer provided key be used when writing new objects to your bucket",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-require-condition-key"
},
"improvementPlan": {
"displayText": "Require every object that is written to the bucket to be encrypted using customer provided Keys",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-require-condition-key"
}
},
{
"id": "SEC_04_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "(SEC_04_1 || SEC_04_2) && (SEC_04_3 || SEC_04_4)",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "SEC_05",
"title": "How do you implement least privilege access to your data?",
"description": "When granting permissions, you decide who is getting what permissions to which Amazon S3 resources. You enable specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.",
"choices": [
{
"id": "SEC_05_1",
"title": "Using IAM users or roles from federated or other single sign-on providers for users who require Amazon S3 access",
"helpfulResource": {
"displayText": "Providing access to externally authenticated users (identity federation)",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html"
},
"improvementPlan": {
"displayText": "Use IAM users or roles from federated or other single sign-on providers for users who require Amazon S3 access",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html"
}
},
{
"id": "SEC_05_2",
"title": "Using IAM roles for applications and AWS services that require Amazon S3 access",
"helpfulResource": {
"displayText": "Using an IAM role to grant permissions to applications running on Amazon EC2 instances",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html"
},
"improvementPlan": {
"displayText": "Use an IAM role to grant permissions to applications running on Amazon EC2 instances",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html"
}
},
{
"id": "SEC_05_3",
"title": "Including guardrails in Service Control Policies",
"helpfulResource": {
"displayText": "Deny statements in Service Control Policies can be used to prohibit access patterns that are generally unnecessary. While it would be inadvisable to try and document all access in this way (generally policies attached to IAM users/roles should limit users to least privilege access), Service Control Policies can provide a second line of defense that is easier to reason about for the most important guardrails.",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html"
},
"improvementPlan": {
"displayText": "Evaluate where Deny statements in Service Control Policies can implement control objectives",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html"
}
},
{
"id": "SEC_05_4",
"title": "Including guardrails in S3 bucket policies",
"helpfulResource": {
"displayText": "Bucket policies are most commonly used for two purposes: granting cross-account access, and providing additional guardrails that fill areas too specific for Service Control Policies, or not supported by Service Control Policies.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html"
},
"improvementPlan": {
"displayText": "Evaluate where Deny statements in S3 bucket policies can implement control objectives",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html"
}
},
{
"id": "SEC_05_5",
"title": "Disable access control lists (ACLs)",
"helpfulResource": {
"displayText": "A majority of modern use cases in Amazon S3 no longer require the use of access control lists (ACLs), and we recommend that you disable ACLs except in unusual circumstances where you must control access for each object individually.\n\nDisabling ACLs simplifies permissions management and auditing. You can disable ACLs on both newly created and already existing buckets. In the case of an existing bucket that already has objects in it, after you disable ACLs, the object and bucket ACLs are no longer part of an access evaluation, and access is granted or denied on the basis of policies.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#disable-acls"
},
"additionalResources":[
{
"type": "HELPFUL_RESOURCE",
"content": [
{
"displayText": "Access control list (ACL) overview",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html"
}
]
}
],
"improvementPlan": {
"displayText": "Disable access control lists (ACLs)",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#disable-acls"
}
},
{
"id": "SEC_05_6",
"title": "Using S3 Access Points to create custom scopes for groups of users or applications",
"helpfulResource": {
"displayText": "When you have different sets of users with different functional purposes to data, managing their access needs via a single bucket policy can require complex bucket policies. S3 Access Points are intended as a way to provide each use case a different endpoint to access the same bucket, simplifying the access policy by focusing it on a particular use case. This is both a solution to policy size limits, and a solution to making those policies easier to validate and manage.",
"url": "https://aws.amazon.com/s3/features/access-points/"
},
"improvementPlan": {
"displayText": "Use S3 Access Points to create custom scopes for groups of users or applications",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html"
}
},
{
"id": "SEC_05_7",
"title": "Regularly review access granted for least privilege",
"helpfulResource": {
"displayText": "As users and use cases change, privileges users or applications had in the past might no longer be used. Performing regular reviews using data from IAM Access Advisor, application changelogs, Access Analyzer for S3, and new IAM and S3 features can highlight cases where unused privileges can be removed, or permission scopes can be made more specific, limiting the potential that these unneeded permissions will be misused in the future.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
},
"improvementPlan": {
"displayText": "Use IAM Access Analyzer to regularly review access granted for least privilege",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html"
}
},
{
"id": "SEC_05_8",
"title": "Permission Boundaries for IAM Entities",
"helpfulResource": {
"displayText": "Permission Boundaries are an additional guardrail that can be used to ensure that when new roles are created to grant access to users or application components, those permissions are restricted according to the permission boundaries. This allows developers to define roles, granting permissions for application components, and for IAM administrators to define a limit on the scope for those roles.",
"url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html"
},
"improvementPlan": {
"displayText": "Use IAM permission boundaries to define the maximum permissions that can be given to roles created by developers or teams to whom you grant role creation permissions",
"url": "https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/"
}
},
{
"id": "SEC_05_9",
"title": "Using Amazon S3 Access Grants to grant granular data access permissions at scale based on a user's identity",
"helpfulResource": {
"displayText": "Amazon S3 Access Grants provides a scalable access control solution for S3 data. With S3 Access Grants, you can map identities like users, groups, or roles directly to data in S3 buckets and objects.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html"
},
"improvementPlan": {
"displayText": "Use Amazon S3 Access Grants when the number of datasets in Amazon S3 and/or grantees is large enough that IAM or S3 bucket policy character limits become a concern, when you need to simplify access by assigning grants directly to directory groups (eliminating the need for intermediate IAM roles for users), or when users belonging to multiple groups require access to a union of datasets.",
"url": "https://aws.amazon.com/blogs/storage/scaling-data-access-with-amazon-s3-access-grants/"
}
},
{
"id": "SEC_05_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "SEC_05_1 && SEC_05_2 && SEC_05_3 && SEC_05_4 && SEC_05_5 && SEC_05_6 && SEC_05_7 && SEC_05_8 && SEC_05_9",
"risk": "NO_RISK"
},
{
"condition": "(!SEC_05_1) || (!SEC_05_2) || (!SEC_05_3) || (!SEC_05_4) || (!SEC_05_5) || (!SEC_05_7)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "SEC_06",
"title": "How do you define your needs for a data perimeter?",
"description": "A data perimeter is a set of preventive guardrails that help ensure that only your trusted identities are accessing trusted resources from expected networks. Data perimeters on AWS span many different features and capabilities. Based on your security requirements, you should decide which capabilities are appropriate for your organization.",
"choices": [
{
"id": "SEC_06_1",
"title": "Identify resources and environments where a data perimeter should not apply.",
"helpfulResource": {
"displayText": "Data perimeters are appropriate for most users, resources and environments, but they do add some level of friction and require some level of maintenance. It is best to be explicit about exceptions, and plan these in advance. Exceptions are expected as organizations do experiment, share data with other organizations, and have needs to access public data sources. Managing these exceptions in a scalable fashion will allow your data perimeter to achieve its purpose of increasing security, without imposing unnecessary costs on the organization."
},
"improvementPlan": {
"displayText": "Document exceptions to data perimeter usage, and include exceptions in service control policies, bucket policies and VPC endpoint policies",
"url": "https://docs.aws.amazon.com/whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.html#additional-considerations"
}
},
{
"id": "SEC_06_2",
"title": "Apply identity controls to your resources",
"helpfulResource": {
"displayText": "Bucket policies can be used to apply coarse-grained identity controls to resources that should be subject to your data perimeter. As demonstrated in the Data Perimeter Workshop, aws:PrincipalAccount or aws:PrincipalOrgId conditions can be utilized to restrict identities."
},
"improvementPlan": {
"displayText": "Use bucket policies to apply identity controls to your resources",
"url": "https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/identity-perimeter-resources"
}
},
{
"id": "SEC_06_3",
"title": "Apply network controls to your resources",
"helpfulResource": {
"displayText": "Bucket policies can be used to apply coarse-grained network controls to resources that should be subject to your data perimeter. VPCs can be targeted by VPC Endpoints, and on-premises networks via source IP restrictions."
},
"improvementPlan": {
"displayText": "Use bucket policies to apply network controls to your resources",
"url": "https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/network-perimeter-resources"
}
},
{
"id": "SEC_06_4",
"title": "Apply identity controls to your networks",
"helpfulResource": {
"displayText": "VPC endpoint policies can be used to apply coarse-grained identity controls to networks that should be subject to your data perimeter. By restricting a VPC Endpoint to only support identities you control or trust, it prevents identities you have not provisioned from being used through the VPC endpoint."
},
"improvementPlan": {
"displayText": "Use VPC endpoint policies to apply identity controls to your network",
"url": "https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/identity-perimeter-network"
}
},
{
"id": "SEC_06_5",
"title": "Apply resource controls to your networks",
"helpfulResource": {
"displayText": "VPC endpoint policies can be used to apply coarse-grained resource controls to networks that should be subject to your data perimeter.",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html"
},
"improvementPlan": {
"displayText": "Use VPC endpoint policies to apply resource controls to your networks",
"url": "https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/resource-perimeter-network"
}
},
{
"id": "SEC_06_6",
"title": "Apply resource controls to your identities",
"helpfulResource": {
"displayText": "Service control policies (SCP) can be used to apply coarse-grained resource controls to your identities that should be subject to your data perimeter.",
"url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html"
},
"improvementPlan": {
"displayText": "Use service control policies to apply resource controls to your identities",
"url": "https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/resource-perimeter-principals"
}
},
{
"id": "SEC_06_7",
"title": "Apply network controls to your identities",
"helpfulResource": {
"displayText": "Service control policies (SCP) can be used to apply coarse-grained network controls to your identities that should be subject to your data perimeter.",
"url": "https://docs.aws.amazon.com/whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.html#only-expected-networks"
},
"improvementPlan": {
"displayText": "Use service control policies to apply network controls to your identities",
"url": "https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/network_perimeter_policy.json"
}
},
{
"id": "SEC_06_8",
"title": "Use S3 access points to move fine-grained access controls out of bucket policies",
"helpfulResource": {
"displayText": "S3 Access Points allow you to provide access point policies that work in conjunction with the bucket policy that is attached to the underlying bucket. Using S3 Access Points can help avoid reaching bucket policy limits that you might encounter when trying to maintain complex data perimeters. This also has the advantage of allowing the bucket policy to manage the highest level guardrails, and the access points to scope this access down to individual use cases.",
"url": "https://aws.amazon.com/blogs/aws/easily-manage-shared-data-sets-with-amazon-s3-access-points/"
},
"improvementPlan": {
"displayText": "Managing data sharing access with Amazon S3 Access Points",
"url": "https://aws.amazon.com/blogs/aws/easily-manage-shared-data-sets-with-amazon-s3-access-points/"
}
},
{
"id": "SEC_06_no",
"title": "None of these"
}
],
"riskRules": [
{
"condition": "SEC_06_1 && SEC_06_2 && SEC_06_3 && SEC_06_4 && SEC_06_5 && SEC_06_6 && SEC_06_7 && SEC_06_8",
"risk": "NO_RISK"
},
{
"condition": "(!SEC_06_1) || (!SEC_06_2) || (!SEC_06_4)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]