Report Information
  • Version: 5.12.3
  • Parameters used: aws --services s3 -M html -F 정재호_S3리소스진단
  • Date: 2025-10-01T22:13:13.940203
AWS Assessment Summary
  • AWS Account: 888990920163
  • AWS-CLI Profile: default
  • Audited Regions: All Regions
AWS Credentials
  • User Id: 888990920163
  • Caller Identity ARN: arn:aws:iam::888990920163:root
Assessment Overview
  • Total Findings: 19
  • Passed: 8
  • Passed (Muted): 0
  • Failed: 11
  • Failed (Muted): 0
  • Total Resources: 2
Findings
(Columns in the original table: Status, Severity, Service Name, Region, Check ID, Check Title, Resource ID, Resource Tags, Status Extended, Risk, Recommendation, Compliance. No resource tags were reported for any finding.)
FAIL | high | s3 | ap-northeast-2 | s3_account_level_public_access_blocks
  • Check Title: Check S3 Account Level Public Access Block.
  • Resource ID: arn:aws:s3:ap-northeast-2:888990920163:account
  • Status Extended: Block Public Access is not configured for the account 888990920163.
  • Risk: Public access policies may be applied to sensitive data buckets.
  • Recommendation: You can enable Public Access Block at the account level to prevent the exposure of your data stored in S3.
  • Compliance: AWS-Account-Security-Onboarding: S3 Block Public Access • AWS-Audit-Manager-Control-Tower-Guardrails: 4.1.1 • AWS-Foundational-Security-Best-Practices: S3.1 • AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP07 • CISA: your-systems-3, your-data-2 • CIS-1.4: 2.1.5 • CIS-1.5: 2.1.5 • CIS-2.0: 2.1.4 • CIS-3.0: 2.1.4 • CIS-4.0.1: 2.1.4 • CIS-5.0: 2.1.4 • FedRAMP-Low-Revision-4: ac-3, ac-17, cm-2, sc-7 • FedRamp-Moderate-Revision-4: ac-3, ac-6, ac-17-1, ac-21-b, cm-2, sc-4, sc-7-3, sc-7 • FFIEC: d3-pc-im-b-1 • GxP-21-CFR-Part-11: 11.10-d, 11.10-g • HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i • ISO27001-2022: A.8.1 • KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.10.2 • MITRE-ATTACK: T1530 • NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_1_14, 3_1_20, 3_3_8, 3_4_6, 3_13_2, 3_13_5 • NIST-800-53-Revision-4: sc_7_3, sc_7 • NIST-800-53-Revision-5: ac_2_6, ac_3, ac_3_7, ac_4_21, ac_6, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, cm_6_a, cm_9_b, mp_2, sc_7_2, sc_7_3, sc_7_7, sc_7_9_a, sc_7_11, sc_7_12, sc_7_16, sc_7_20, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_b, sc_7_c, sc_25 • NIST-CSF-1.1: ac_3, ac_5, ds_5, ip_8, pt_3 • PCI-3.2.1: 1.3, 2.2, 2.2.2, 7.2, 7.2.1 • PCI-4.0: 1.2.8.31, 1.2.8.32, 1.3.1.35, 1.3.1.36, 1.3.2.35, 1.3.2.36, 1.4.2.33, 1.4.2.34, 1.5.1.31, 1.5.1.32, 10.3.2.19, 10.3.2.20, 3.5.1.3.24, 3.5.1.3.25, A1.1.2.15, A1.1.2.16, A1.1.3.31, A1.1.3.32, A3.4.1.17, A3.4.1.18 • RBI-Cyber-Security-Framework: annex_i_1_3

PASS | medium | s3 | ap-northeast-2 | s3_bucket_acl_prohibited
  • Check Title: Check if S3 buckets have ACLs enabled
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has bucket ACLs disabled.
  • Risk: S3 ACLs are a legacy access control mechanism that predates IAM. IAM and bucket policies are currently the preferred methods.
  • Recommendation: Ensure that S3 ACLs are disabled (BucketOwnerEnforced). Use IAM policies and bucket policies to manage access.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.12 • AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP02 • CISA: your-data-2 • KISA-ISMS-P-2023: 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.6.2, 2.10.2 • PCI-4.0: 7.2.1.24, 7.2.2.24, 7.2.5.18, 7.3.1.18, 7.3.2.18, 7.3.3.18, 8.2.7.18, 8.2.8.20, 8.3.4.18

PASS | high | s3 | ap-northeast-2 | s3_bucket_cross_account_access
  • Check Title: Ensure that general-purpose bucket policies restrict access to other AWS accounts.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have a bucket policy.
  • Risk: Allowing other AWS accounts to perform sensitive actions (e.g., modifying bucket policies, ACLs, or encryption settings) on your S3 buckets can lead to data exposure, unauthorized access, or misconfigurations, increasing the risk of insider threats or attacks.
  • Recommendation: Review and update your S3 bucket policies to remove permissions that grant external AWS accounts access to critical actions, and apply least-privilege principles so that sensitive operations are restricted to trusted accounts only.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.6, S3.7 • KISA-ISMS-P-2023: 2.5.6, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.5.6, 2.6.2, 2.10.2 • PCI-4.0: 10.6.3.33, 10.6.3.35, 7.2.1.25, 7.2.1.26, 7.2.1.27, 7.2.2.25, 7.2.2.26, 7.2.2.27, 7.2.5.19, 7.2.5.20, 7.2.5.21, 7.2.6.4, 7.2.6.5, 7.3.1.19, 7.3.1.20, 7.3.1.21, 7.3.2.19, 7.3.2.20, 7.3.2.21, 7.3.3.19, 7.3.3.20, 7.3.3.21, 8.2.7.19, 8.2.7.20, 8.2.7.21, 8.2.8.21, 8.2.8.22, 8.2.8.23, 8.3.4.19, 8.3.4.20, 8.3.4.21

FAIL | low | s3 | ap-northeast-2 | s3_bucket_cross_region_replication
  • Check Title: Check if S3 buckets use cross region replication.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have correct cross region replication configuration.
  • Risk: Without cross-region replication in S3 buckets, data is at risk of being lost or inaccessible if an entire region goes down, leading to potential service disruptions and data unavailability.
  • Recommendation: Ensure that S3 buckets have cross region replication.
  • Compliance: ISO27001-2022: A.8.14 • KISA-ISMS-P-2023: 2.9.2 • KISA-ISMS-P-2023-korean: 2.9.2 • PCI-3.2.1: 2.2, 3.1, 3.1.c, 10.5, 10.5.3

PASS | medium | s3 | ap-northeast-2 | s3_bucket_default_encryption
  • Check Title: Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has Server Side Encryption with AES256.
  • Risk: Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. This will ensure data-at-rest is encrypted.
  • Recommendation: Ensure that S3 buckets have encryption at rest enabled.
  • Compliance: AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC08-BP03 • CISA: your-systems-3, your-data-1, your-data-2 • CIS-1.4: 2.1.1 • CIS-1.5: 2.1.1 • ENS-RD2022: mp.si.2.aws.s3.1 • FedRAMP-Low-Revision-4: sc-13 • FedRamp-Moderate-Revision-4: sc-13, sc-28 • FFIEC: d3-pc-am-b-12 • GDPR: article_32 • GxP-21-CFR-Part-11: 11.10-c, 11.30 • GxP-EU-Annex-11: 7.1-data-storage-damage-protection • HIPAA: 164_308_a_1_ii_b, 164_308_a_4_ii_a, 164_312_a_2_iv, 164_312_c_1, 164_312_c_2, 164_312_e_2_ii • ISO27001-2022: A.8.11, A.8.24 • KISA-ISMS-P-2023: 2.7.1, 2.10.2 • KISA-ISMS-P-2023-korean: 2.7.1, 2.10.2 • MITRE-ATTACK: T1119, T1530 • NIST-800-171-Revision-2: 3_3_8, 3_5_10, 3_13_11, 3_13_16 • NIST-800-53-Revision-4: sc_28 • NIST-800-53-Revision-5: au_9_3, cm_6_a, cm_9_b, cp_9_d, cp_9_8, pm_11_b, sc_8_3, sc_8_4, sc_13_a, sc_16_1, sc_28_1, si_19_4 • NIST-CSF-1.1: ds_1 • PCI-3.2.1: 3.4, 3.4.1, 3.4.1.a, 3.4.1.c, 3.4.a, 3.4.b, 3.4.d, 8.2, 8.2.1, 8.2.1.a • PCI-4.0: 3.5.1.30, 8.3.2.48 • RBI-Cyber-Security-Framework: annex_i_1_3

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_event_notifications_enabled
  • Check Title: Check if S3 buckets have event notifications enabled.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have event notifications enabled.
  • Risk: Without event notifications, important actions on S3 buckets may go unnoticed, leading to missed opportunities for timely response to critical changes, such as object creation, deletion, or updates that could impact data security and availability.
  • Recommendation: Enable event notifications for all S3 general-purpose buckets to monitor important events such as object creation, deletion, tagging, and lifecycle events, ensuring visibility and quick action on relevant changes.
  • Compliance: KISA-ISMS-P-2023: 2.10.2, 2.11.3 • KISA-ISMS-P-2023-korean: 2.10.2, 2.11.3 • PCI-4.0: 11.5.2.5, 11.6.1.5, 12.10.5.5, A3.3.1.8, A3.5.1.8

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_kms_encryption
  • Check Title: Check if S3 buckets have KMS encryption enabled.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: Server Side Encryption is not configured with KMS for S3 Bucket testbucketjaeho.
  • Risk: Amazon S3 KMS encryption provides a way to set the encryption behavior for an S3 bucket using a managed key. This will ensure data-at-rest is encrypted.
  • Recommendation: Ensure that S3 buckets have encryption at rest enabled using KMS.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.17 • AWS-Foundational-Technical-Review: S3-001 • ISO27001-2022: A.8.11, A.8.24 • KISA-ISMS-P-2023: 2.7.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.7.2, 2.10.2 • PCI-3.2.1: 3.4, 3.4.1, 3.4.1.a, 3.4.1.c, 3.4.a, 3.4.b, 3.4.d, 8.2, 8.2.1, 8.2.1.a • PCI-4.0: 3.5.1.31, 8.3.2.50

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_level_public_access_block
  • Check Title: Check S3 Bucket Level Public Access Block.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: Block Public Access is not configured for the S3 Bucket testbucketjaeho.
  • Risk: Public access policies may be applied to sensitive data buckets.
  • Recommendation: You can enable Public Access Block at the bucket level to prevent the exposure of your data stored in S3.
  • Compliance: AWS-Account-Security-Onboarding: S3 Block Public Access • AWS-Foundational-Security-Best-Practices: S3.8 • AWS-Foundational-Technical-Review: S3-001 • CIS-1.4: 2.1.5 • CIS-1.5: 2.1.5 • CIS-2.0: 2.1.4 • CIS-3.0: 2.1.4 • CIS-4.0.1: 2.1.4 • CIS-5.0: 2.1.4 • KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.10.2 • MITRE-ATTACK: T1530

FAIL | low | s3 | ap-northeast-2 | s3_bucket_lifecycle_enabled
  • Check Title: Check if S3 buckets have a Lifecycle configuration enabled
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have a lifecycle configuration enabled.
  • Risk: The risks of not having lifecycle management enabled for S3 buckets include higher storage costs, unmanaged data retention, and potential non-compliance with data policies.
  • Recommendation: Enable lifecycle policies on your S3 buckets to automatically manage the transition and expiration of data.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.13 • ISO27001-2022: A.8.10 • KISA-ISMS-P-2023: 2.9.3, 2.12.1 • KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 • NIS2: 12.2.2.a • PCI-3.2.1: 3.1, 3.1.a, 3.2, 3.2.c, 10.7, 10.7.a • PCI-4.0: 10.5.1.12, 10.5.1.13, 3.2.1.8, 3.2.1.9, 3.3.1.1.8, 3.3.1.1.9, 3.3.1.3.8, 3.3.1.3.9, 3.3.2.8, 3.3.2.9, 3.3.3.8, 3.3.3.9

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_no_mfa_delete
  • Check Title: Check if S3 bucket MFA Delete is not enabled.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has MFA Delete disabled.
  • Risk: Your security credentials may be compromised or unauthorized access may be granted.
  • Recommendation: Adding MFA Delete to an S3 bucket requires additional authentication when you change the versioning state of your bucket or delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.20 • AWS-Well-Architected-Framework-Security-Pillar: SEC05-BP02 • CIS-1.4: 2.1.3 • CIS-1.5: 2.1.3 • CIS-2.0: 2.1.2 • CIS-3.0: 2.1.2 • CIS-4.0.1: 2.1.2 • CIS-5.0: 2.1.2 • KISA-ISMS-P-2023: 2.5.3, 2.10.2 • KISA-ISMS-P-2023-korean: 2.5.3, 2.10.2 • MITRE-ATTACK: T1485 • NIS2: 11.7.2 • PCI-4.0: 10.3.2.22, 3.5.1.3.27, 8.4.1.5, 8.4.2.5, 8.4.3.5, A1.1.2.18, A3.4.1.20 • ProwlerThreatScore-1.0: 2.2.1

FAIL | low | s3 | ap-northeast-2 | s3_bucket_object_lock
  • Check Title: Check if S3 buckets have object lock enabled
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has Object Lock disabled.
  • Risk: Store objects using a write-once-read-many (WORM) model to help you prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. That helps to prevent ransomware attacks.
  • Recommendation: Ensure that your Amazon S3 buckets have the Object Lock feature enabled in order to prevent the objects they store from being deleted.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.15 • AWS-Foundational-Technical-Review: S3-001 • KISA-ISMS-P-2023: 2.9.3, 2.12.1 • KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 • MITRE-ATTACK: T1485, T1486 • PCI-4.0: 10.3.4.7

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_object_versioning
  • Check Title: Check if S3 buckets have object versioning enabled
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has versioning disabled.
  • Risk: With versioning, you can easily recover from both unintended user actions and application failures.
  • Recommendation: Configure versioning using the Amazon console or API for buckets with sensitive information that changes frequently, where backups may not be enough to capture all the changes.
  • Compliance: AWS-Audit-Manager-Control-Tower-Guardrails: 5.1.1 • AWS-Foundational-Security-Best-Practices: S3.14 • AWS-Well-Architected-Framework-Security-Pillar: SEC08-BP04 • CISA: your-systems-3, your-data-4, booting-up-thing-to-do-first-1 • FedRAMP-Low-Revision-4: au-9, cp-9, cp-10, sc-5 • FedRamp-Moderate-Revision-4: au-9-2, cp-9-b, cp-10, sc-5, si-12 • FFIEC: d5-ir-pl-b-6 • GxP-21-CFR-Part-11: 11.10-a, 11.10-c • GxP-EU-Annex-11: 5-data, 7.1-data-storage-damage-protection, 7.2-data-storage-backups, 16-business-continuity, 17-archiving, 4.8-validation-data-transfer • HIPAA: 164_308_a_1_ii_b, 164_308_a_7_i, 164_308_a_7_ii_a, 164_308_a_7_ii_b, 164_308_a_7_ii_c, 164_312_a_2_ii, 164_312_c_1, 164_312_c_2 • ISO27001-2022: A.8.3, A.8.10 • KISA-ISMS-P-2023: 2.9.3, 2.12.1 • KISA-ISMS-P-2023-korean: 2.9.3, 2.12.1 • MITRE-ATTACK: T1485, T1486 • NIST-800-171-Revision-2: 3_3_8 • NIST-800-53-Revision-4: cp_10, si_12 • NIST-800-53-Revision-5: au_9_2, cp_1_2, cp_2_5, cp_6_a, cp_6_1, cp_6_2, cp_9_a, cp_9_b, cp_9_c, cp_10, cp_10_2, pm_11_b, pm_17_b, sc_5_2, sc_16_1, si_1_a_2, si_13_5 • NIST-CSF-1.1: be_5, ds_4, ip_4, ip_9, pt_5, rp_1, rp_1 • PCI-3.2.1: 3.1, 3.1.c, 10.5, 10.5.2, 10.5.3, 10.5.5 • PCI-4.0: 10.3.4.9 • RBI-Cyber-Security-Framework: annex_i_12 • SOC2: cc_7_4, cc_a_1_1, cc_c_1_2

PASS | critical | s3 | ap-northeast-2 | s3_bucket_policy_public_write_access
  • Check Title: Check if S3 buckets have policies which allow WRITE access.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have a bucket policy.
  • Risk: Unintended users can put objects in a given bucket.
  • Recommendation: Ensure a proper bucket policy is in place with the least privilege principle applied.
  • Compliance: AWS-Audit-Manager-Control-Tower-Guardrails: 4.1.2 • AWS-Foundational-Security-Best-Practices: S3.3 • AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP07 • CISA: your-systems-3, your-data-2 • ENS-RD2022: op.acc.4.aws.iam.1, op.exp.8.r4.aws.ct.2 • FedRAMP-Low-Revision-4: ac-3, ac-17, cm-2, sc-7 • FedRamp-Moderate-Revision-4: ac-3, ac-4, ac-6, ac-17-1, ac-21-b, cm-2, sc-4, sc-7-3, sc-7 • FFIEC: d3-pc-im-b-1 • GxP-21-CFR-Part-11: 11.10-c, 11.10-d, 11.10-g, 11.10-k • HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i, 164_312_a_1 • ISO27001-2022: A.8.1 • KISA-ISMS-P-2023: 2.5.6, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.5.6, 2.6.2, 2.10.2 • MITRE-ATTACK: T1485, T1486 • NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_3_8, 3_4_6, 3_13_2, 3_13_5 • NIST-800-53-Revision-4: ac_3, ac_4, ac_6, ac_21, sc_7_3, sc_7 • NIST-800-53-Revision-5: ac_2_6, ac_3, ac_3_7, ac_4_21, ac_6, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, cm_6_a, cm_9_b, mp_2, sc_7_2, sc_7_3, sc_7_7, sc_7_9_a, sc_7_11, sc_7_12, sc_7_16, sc_7_20, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_b, sc_7_c, sc_25 • NIST-CSF-1.1: ac_3, ac_5, ds_5, ip_8, pt_3 • PCI-3.2.1: 1.2, 1.2.1, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 7.2, 7.2.1 • ProwlerThreatScore-1.0: 2.2.15 • RBI-Cyber-Security-Framework: annex_i_1_3

PASS | critical | s3 | ap-northeast-2 | s3_bucket_public_access
  • Check Title: Ensure there are no S3 buckets open to Everyone or Any AWS user.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho is not public.
  • Risk: Even if you enable all possible bucket ACL options available in the Amazon S3 console, the ACL alone does not allow everyone to download objects from your bucket. Depending on which option you select, any user could perform some actions.
  • Recommendation: You can enable block public access settings only for access points, buckets and AWS accounts. Amazon S3 does not support block public access settings on a per-object basis. When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
  • Compliance: AWS-Account-Security-Onboarding: S3 Block Public Access • AWS-Audit-Manager-Control-Tower-Guardrails: 4.1.1 • AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP07 • CISA: your-systems-3, your-data-2 • ENS-RD2022: op.exp.8.r4.aws.ct.2 • FedRAMP-Low-Revision-4: ac-3, ac-17, cm-2, sc-7 • FedRamp-Moderate-Revision-4: ac-3, ac-4, ac-6, ac-17-1, ac-21-b, cm-2, sc-4, sc-7-3, sc-7 • FFIEC: d3-pc-im-b-1 • GxP-21-CFR-Part-11: 11.10-c, 11.10-d, 11.10-g, 11.10-k • HIPAA: 164_308_a_1_ii_b, 164_308_a_3_i, 164_312_a_1, 164_312_a_2_i • ISO27001-2022: A.8.1 • KISA-ISMS-P-2023: 2.6.1, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.6.1, 2.6.2, 2.10.2 • MITRE-ATTACK: T1530 • NIST-800-171-Revision-2: 3_1_1, 3_1_2, 3_1_3, 3_3_8, 3_4_6, 3_13_2, 3_13_5 • NIST-800-53-Revision-4: ac_3, ac_4, ac_6, ac_21, sc_7_3, sc_7 • NIST-800-53-Revision-5: ac_2_6, ac_3, ac_3_7, ac_4_21, ac_6, ac_17_b, ac_17_1, ac_17_4_a, ac_17_9, ac_17_10, cm_6_a, cm_9_b, mp_2, sc_7_2, sc_7_3, sc_7_7, sc_7_9_a, sc_7_11, sc_7_12, sc_7_16, sc_7_20, sc_7_21, sc_7_24_b, sc_7_25, sc_7_26, sc_7_27, sc_7_28, sc_7_a, sc_7_b, sc_7_c, sc_25 • NIST-CSF-1.1: ac_3, ac_5, ds_5, ip_8, pt_3 • PCI-4.0: 1.2.8.33, 1.2.8.34, 1.3.1.37, 1.3.1.38, 1.3.2.37, 1.3.2.38, 1.4.2.35, 1.4.2.36, 1.5.1.33, 1.5.1.34, 10.3.2.21, 10.3.2.23, 10.3.3.23, 10.3.4.8, 3.5.1.3.26, 3.5.1.3.28, A1.1.2.17, A1.1.2.19, A1.1.3.33, A1.1.3.34, A1.2.1.31, A3.4.1.19, A3.4.1.21 • RBI-Cyber-Security-Framework: annex_i_1_3 • SOC2: cc_6_1

PASS | critical | s3 | ap-northeast-2 | s3_bucket_public_list_acl
  • Check Title: Ensure there are no S3 buckets listable by Everyone or Any AWS customer.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho is not publicly listable.
  • Risk: Even if you enable all possible bucket ACL options available in the Amazon S3 console, the ACL alone does not allow everyone to download objects from your bucket. Depending on which option you select, any user could perform some actions.
  • Recommendation: You can enable block public access settings only for access points, buckets and AWS accounts. Amazon S3 does not support block public access settings on a per-object basis. When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
  • Compliance: AWS-Audit-Manager-Control-Tower-Guardrails: 4.1.1 • AWS-Foundational-Technical-Review: S3-001 • KISA-ISMS-P-2023: 2.5.6, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.5.6, 2.6.2, 2.10.2 • ProwlerThreatScore-1.0: 2.2.16

PASS | critical | s3 | ap-northeast-2 | s3_bucket_public_write_acl
  • Check Title: Ensure there are no S3 buckets writable by Everyone or Any AWS customer.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho is not publicly writable.
  • Risk: Even if you enable all possible bucket ACL options available in the Amazon S3 console, the ACL alone does not allow everyone to download objects from your bucket. Depending on which option you select, any user could perform some actions.
  • Recommendation: You can enable block public access settings only for access points, buckets and AWS accounts. Amazon S3 does not support block public access settings on a per-object basis. When you apply block public access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.3 • AWS-Foundational-Technical-Review: S3-001 • KISA-ISMS-P-2023: 2.5.6, 2.6.2, 2.10.2 • KISA-ISMS-P-2023-korean: 2.5.6, 2.6.2, 2.10.2 • PCI-3.2.1: 1.2, 1.2.1, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 7.2, 7.2.1 • PCI-4.0: 1.2.8.35, 1.3.1.39, 1.3.2.39, 1.4.2.37, 1.5.1.35, 10.3.2.24, 3.5.1.3.29, A1.1.2.20, A1.1.3.35, A3.4.1.22 • ProwlerThreatScore-1.0: 2.2.17

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_secure_transport_policy
  • Check Title: Check if S3 buckets have secure transport policy.
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho does not have a bucket policy, thus it allows HTTP requests.
  • Risk: If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or internet.
  • Recommendation: Ensure that S3 buckets have encryption in transit enabled.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.5 • AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC09-BP02 • CISA: your-systems-3, your-data-2 • CIS-1.4: 2.1.2 • CIS-1.5: 2.1.2 • CIS-2.0: 2.1.1 • CIS-3.0: 2.1.1 • CIS-4.0.1: 2.1.1 • CIS-5.0: 2.1.1 • ENS-RD2022: mp.com.1.aws.s3.1, mp.com.3.aws.s3.1 • FedRAMP-Low-Revision-4: ac-17, sc-7 • FedRamp-Moderate-Revision-4: ac-17-2, sc-7, sc-8-1, sc-8, sc-23 • FFIEC: d3-pc-am-b-12, d3-pc-am-b-13, d3-pc-am-b-15 • GDPR: article_32 • GxP-21-CFR-Part-11: 11.10-c, 11.30 • HIPAA: 164_308_a_1_ii_b, 164_312_a_2_iv, 164_312_c_1, 164_312_c_2, 164_312_e_1, 164_312_e_2_i, 164_312_e_2_ii • KISA-ISMS-P-2023: 2.7.1, 2.10.2 • KISA-ISMS-P-2023-korean: 2.7.1, 2.10.2 • MITRE-ATTACK: T1040 • NIST-800-171-Revision-2: 3_1_13, 3_5_10, 3_13_1, 3_13_5, 3_13_8, 3_13_11, 3_13_16 • NIST-800-53-Revision-4: ac_17_2, sc_7, sc_8_1, sc_8 • NIST-800-53-Revision-5: ac_4, ac_4_22, ac_17_2, ac_24_1, au_9_3, ca_9_b, cm_6_a, cm_9_b, ia_5_1_c, pm_11_b, pm_17_b, sc_7_4_b, sc_7_4_g, sc_7_5, sc_8, sc_8_1, sc_8_2, sc_8_3, sc_8_4, sc_8_5, sc_13_a, sc_16_1, sc_23, si_1_a_2 • NIST-CSF-1.1: ds_2 • PCI-4.0: 1.2.5.15, 2.2.5.15, 2.2.7.19, 4.2.1.1.27, 4.2.1.19, 8.3.2.49 • ProwlerThreatScore-1.0: 4.1.1 • RBI-Cyber-Security-Framework: annex_i_1_3

FAIL | medium | s3 | ap-northeast-2 | s3_bucket_server_access_logging_enabled
  • Check Title: Check if S3 buckets have server access logging enabled
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 Bucket testbucketjaeho has server access logging disabled.
  • Risk: Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill.
  • Recommendation: Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case, this finding can be considered a false positive.
  • Compliance: AWS-Foundational-Security-Best-Practices: S3.9 • AWS-Foundational-Technical-Review: S3-001 • AWS-Well-Architected-Framework-Security-Pillar: SEC04-BP01 • CISA: your-systems-3, your-data-2 • FedRAMP-Low-Revision-4: ac-2, au-2 • FedRamp-Moderate-Revision-4: ac-2-4, ac-2-g, au-2-a-d, au-3, au-6-1-3, au-12-a-c • FFIEC: d2-ma-ma-b-1, d2-ma-ma-b-2, d3-dc-an-b-3, d3-dc-an-b-4, d5-dr-de-b-3 • GxP-21-CFR-Part-11: 11.10-e, 11.10-k • HIPAA: 164_308_a_1_ii_d, 164_308_a_3_ii_a, 164_308_a_6_ii, 164_312_b, 164_312_e_2_i • ISO27001-2022: A.8.15 • KISA-ISMS-P-2023: 2.9.4, 2.10.2 • KISA-ISMS-P-2023-korean: 2.9.4, 2.10.2 • NIS2: 1.1.1.h, 3.2.3.c, 11.2.2.f • NIST-800-171-Revision-2: 3_1_12, 3_3_1, 3_3_2, 3_3_3, 3_6_1, 3_6_2, 3_13_1, 3_14_6, 3_14_7 • NIST-800-53-Revision-4: ac_2, au_2, au_3, au_12 • NIST-800-53-Revision-5: ac_2_4, ac_3_1, ac_3_10, ac_4_26, ac_6_9, au_2_b, au_3_a, au_3_b, au_3_c, au_3_d, au_3_e, au_3_f, au_6_3, au_6_4, au_6_6, au_6_9, au_8_b, au_10, au_12_a, au_12_c, au_12_1, au_12_2, au_12_3, au_12_4, au_14_a, au_14_b, au_14_3, ca_7_b, cm_5_1_b, cm_6_a, cm_9_b, ia_3_3_b, ma_4_1_a, pm_14_a_1, pm_14_b, pm_31, sc_7_9_b, si_1_1_c, si_3_8_b, si_4_2, si_4_17, si_4_20, si_7_8, si_10_1_c • NIST-CSF-1.1: ae_1, ae_3, ae_4, cm_1, cm_3, cm_6, cm_7, am_3, ac_6, ds_5, pt_1 • PCI-3.2.1: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.4 • PCI-4.0: 10.2.1.1.30, 10.2.1.2.27, 10.2.1.3.27, 10.2.1.4.27, 10.2.1.5.27, 10.2.1.6.27, 10.2.1.7.27, 10.2.1.27, 10.2.2.27, 10.3.1.27, 10.6.3.34, 5.3.4.32, A1.2.1.32 • RBI-Cyber-Security-Framework: annex_i_7_4 • SOC2: cc_7_2, cc_7_3, cc_a_1_1

PASS | high | s3 | ap-northeast-2 | s3_bucket_shadow_resource_vulnerability
  • Check Title: Check for S3 buckets vulnerable to Shadow Resource Hijacking (Bucket Monopoly)
  • Resource ID: arn:aws:s3:::testbucketjaeho
  • Status Extended: S3 bucket testbucketjaeho is not a known shadow resource.
  • Risk: An attacker can pre-create S3 buckets with predictable names used by various AWS services. When a legitimate user's service attempts to use that bucket, it may inadvertently write sensitive data to the attacker-controlled bucket, leading to information disclosure, denial of service, or even remote code execution.
  • Recommendation: Ensure that all S3 buckets associated with your AWS account are owned by your account. Be cautious of services that create buckets with predictable names. Whenever possible, pre-create these buckets in all regions to prevent hijacking.