AWS Config for S3 bucket monitoring

Hi all, let’s monitor S3 buckets, whenever a bucket is publicly accessible for read or write then AWS SNS should send a notification,

What is AWS config??

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

How we are going to use AWS config to monitor S3 buckets???

whenever S3 buckets becomes public (read/ write), enabled object based public accessible policy, then AWS config should notify the bucket, and it should trigger a notification

Pre-requisites:

1. IAM role with SSM
2. SNS topic, subscription
3. AWS config
4. S3 buckets

IAM role with SSM:

we will create a IAM role with pass role policy

1. Goto IAM role, create role → systems manager → Amazon SSM automation role → update tag → mention the role name → create role (name: amazon-ssm-role)
2. Now we need create policy to pass the role
   IAM → policy → create policy → services IAM → PassRole →Resource ARN (role: amazon-ssm-role) → create policy (name: amazon-ssm-passrole-policy)
   policy.json file looks like as below
   {
   “Version”: “2012–10–17”,
   “Statement”: [
   {
   “Sid”: “VisualEditor0”,
   “Effect”: “Allow”,
   “Action”: “iam:PassRole”,
   “Resource”: “arn:aws:iam::***:role/amazon-ssm-role”
   }
   ]
   }
3. attach ssm passrole policy to the amazon-ssm-role

IAM role

Create SNS topics and subscriptions:

Here we will create 2 topics, one is for Read access enabled publicly notifications, other is for write access enabled publicly notification.

Goto AWS console → SNS

1. Topic → create topic → standard → Name :aws-config-s3bucket-read-public-monitoring-s3-buckets-notofications → Access policy (edit as shown below)
   {
   “Version”: “2008–10–17”,
   “Id”: “Policy_ID”,
   “Statement”: [
   {
   “Sid”: “AWSConfigSNSPolicy”,
   “Effect”: “Allow”,
   “Principal”: {
   “Service”: “config.amazonaws.com”,
   “AWS”: “arn:aws:iam::***:role/amazon-ssm-role”
   },
   “Action”: “SNS:Publish”,
   “Resource”: “arn:aws:sns:us-east-1:***:aws-config-s3bucket-read-public-monitoring-s3-buckets-notofications”
   }
   ]
   }

create topic

2. Now we will create another topic to get notifications whenever a bucket is enabled with write access public, we will create topic as shown as the above with slight changes in Resource ARN, policy will be

1. {
   “Version”: “2008–10–17”,
   “Id”: “Policy_ID”,
   “Statement”: [
   {
   “Sid”: “AWSConfigSNSPolicy”,
   “Effect”: “Allow”,
   “Principal”: {
   “Service”: “config.amazonaws.com”,
   “AWS”: “arn:aws:iam::***:role/amazon-ssm-role”
   },
   “Action”: “SNS:Publish”,
   “Resource”: “arn:aws:sns:us-east-1:***:aws-config-s3-bucket-write-access-enabled-notification”
   }
   ]
   }
   create topic

we have created 2 topics

Now we will create subscriptions for each topic to send the mails to the recipient

goto subscriptions → create subscriptions → Topic ARN → protocol (email) → end point (recipient mail ID) → create subscriptions
like this we will create 2 subscriptions, one is to get notified whenever bucket read public accessible, other will be notified whenever bucket write public enabled.

once we have created subscriptions, it will send verification mail, and we need to verify it.

AWS subscriptions

Test the SNS topics:

Manually we will trigger the mails to check whether we are able to send the mails properly or not.

1. select topic → click on publish message → enter the required fields → publish message

manually testing SNS topic

we received mail from sns topic

Create AWS Config:

1. Goto AWS console → AWS config → settings → select resources as S3 buckets → Create new role → Delivery method create new S3 bucket → Next

2. in AWS managed rules search for “s3-bucket-public-read-prohibited” and select → confirm

3. Goto rules in config → select the rule → Actions → manage remediation → select automatic → Remediation action will be SNS → Resource ID parameter will be message → under parameters we need to update the ARN of read notification SNS → under role we need to update amazon-ssm-role ARN → save changes

4. same as above point we will create other config rule for the write notification (we need to update the Write notification SNS topic ARN) and save the changes

Test scenarios:

1. Create a test bucket with read/ write
2. Goto S3 bucket, create a new bucket, disable block all public access → create bucket

bucket created

3. Now goto bucket and its permissions update the policy as shown below

{
“Version”: “2012–10–17”,
“Statement”: [
{
“Sid”: “PublicRead”,
“Effect”: “Allow”,
“Principal”: “*”,
“Action”: [
“s3:GetObject”,
“s3:PutObject”,
“s3:*Object”,
“s3:GetObjectVersion”
],
“Resource”: “arn:aws:s3:::testing-aws-config-scenarios/*”
}
]
}

4. goto bucket ACLs → edit → select every one public read → save

enabled public read access

bucket is now public accessible

5. Goto AWS config Rules

Now we are testing for public read enable notifications:
a. select read notification rule

b. goto actions → re-evaluate → at the bottom in resources in scope it will show the bucket name and it should send the mail with the bucket name

SNS sent mail with bucket name

same as the above you can check for write accessible AWS config rules

References:

s3-bucket-public-read-prohibited

s3-bucket-public-write-prohibited

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/