{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucketnamehere/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucketnamehere/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": false
        }
      }
    }
  ]
}
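A structural check worth running on a bucket policy like the one above before it is applied, added here as an example (it is not code from this page or from AWS). It flags a Sid reused within the document (S3 rejects such a policy), an Allow to everyone with no Condition (the bucket is public for that action, which is fine only when intended, as it is for a public-read website bucket), and the absence of a Deny that enforces TLS through aws:SecureTransport. The sample documents are copies of the policy above; the corrected copy only renames the second Sid.

```python
"""Structural lint for an S3 bucket policy before it is applied (added example, not code from
this page or from AWS). Findings are things to confirm are intended, not necessarily errors."""
import json


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_everyone(principal):
    """Principal "*" and {"AWS": "*"} both mean anyone, including anonymous callers."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def _denies_plaintext(stmt):
    """True for a Deny whose Bool condition is aws:SecureTransport == false (key is case-insensitive)."""
    flags = {k.lower(): str(v).lower() for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
    return stmt.get("Effect") == "Deny" and flags.get("aws:securetransport") == "false"


def lint_bucket_policy(policy):
    """Accept a JSON string or an already-parsed dict; return a list of findings (empty = clean)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement", []))
    findings, seen = [], set()
    for stmt in statements:
        sid = stmt.get("Sid")
        if sid in seen:
            findings.append(f"duplicate Sid {sid!r}: Sids must be unique within a bucket policy")
        if sid is not None:
            seen.add(sid)
        if stmt.get("Effect") == "Allow" and _is_everyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"public access: {_as_list(stmt.get('Action'))} allowed to everyone with no Condition")
    if not any(_denies_plaintext(s) for s in statements):
        findings.append("no Deny with aws:SecureTransport=false: plaintext HTTP requests are not rejected")
    return findings


# Constructed samples: the page's policy as originally written (both statements share a Sid),
# a corrected copy, and a copy that keeps only the public-read Allow.
OBJ = "arn:aws:s3:::yourbucketnamehere/*"
AS_WRITTEN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": OBJ},
    {"Sid": "PublicReadGetObject", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": OBJ, "Condition": {"Bool": {"aws:SecureTransport": False}}}]}
CORRECTED = json.loads(json.dumps(AS_WRITTEN))
CORRECTED["Statement"][1]["Sid"] = "DenyInsecureTransport"
PUBLIC_READ_ONLY = {"Version": "2012-10-17", "Statement": [AS_WRITTEN["Statement"][0]]}

if __name__ == "__main__":
    for name, doc in [("as written", AS_WRITTEN), ("corrected", CORRECTED), ("no TLS deny", PUBLIC_READ_ONLY)]:
        print(name, lint_bucket_policy(doc))
```

The "public access" finding is expected for a website bucket; the other two point at a policy S3 will reject and at a policy that still serves objects over plain HTTP.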
{
  "Effect": "Deny",
  "NotAction": [
    "iam:*",
    "organizations:*",
    "route53:*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": [ "eu-west-1" ]
    }
  }
}
NotAction: the Deny applies to every action except the ones listed, so global services such as IAM, Organizations and Route 53, which are not regional, are not blocked, while every other action outside eu-west-1 is.
Update your bucket policy with a condition element that grants access only when the request comes from the specified IP addresses. For example, the following bucket policy allows all Amazon S3 actions on awsexamplebucket when the request comes from 18.208.0.0/13 or 52.95.245.0/24:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "18.208.0.0/13",
            "52.95.245.0/24"
          ]
        }
      }
    }
  ]
}
To restrict access from the VPC to the specific S3 bucket “my_bucket”, a VPC endpoint (gateway endpoint) policy is needed:
{
  "Statement": [
    {
      "Sid": "Access-to-my-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ]
    }
  ]
}
Bucket policy for the S3 bucket “my_bucket”, restricting access to the new VPC Endpoint.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
Control Tower Policies
Prevent deletion of Amazon S3 buckets created by AWS Control Tower in the log archive account.
Policies used to prevent account-level actions through AWS Organizations -SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETDELETIONPROHIBITED",
      "Effect": "Deny",
      "Action": [ "s3:DeleteBucket" ],
      "Resource": [ "arn:aws:s3:::aws-controltower*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
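The following evaluator is added here as an example; it is not AWS code and not the IAM policy engine, only the subset of it that the documents on this page use. It runs those documents offline: the HTTPS-only public-read bucket policy, the IP-restricted and VPC-endpoint-restricted bucket policies, the region-restricting SCP with its NotAction exception for global services, and the Control Tower bucket-deletion SCP above with its ArnNotLike carve-out for the AWSControlTowerExecution role. Principal is not evaluated because every document here uses "*"; the account id 111122223333, the object keys and the Developer role in demo() are constructed.

```python
"""Offline evaluator for the policy documents on this page (added example: not AWS code and not the
IAM engine, only the subset these documents use). As in IAM, an explicit Deny wins over any Allow."""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value, fold=False):
    """IAM-style * and ? wildcard match; action names compare case-insensitively, ARNs do not."""
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A negated operator (StringNotEquals, ArnNotLike) on a key
    absent from the request context is true: that is why the aws:sourceVpce Deny catches requests
    that did not arrive through the endpoint."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key.lower())
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected[0]).lower()
            elif operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
            elif operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "ArnNotLike":
                ok = actual is None or not _glob(expected, actual)
            else:
                raise ValueError(f"operator {operator!r} is outside this example's subset")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'deny', 'allow' or 'implicit_deny'; for an SCP only 'deny' is meaningful (an SCP never grants)."""
    ctx = {k.lower(): v for k, v in ctx.items()}  # condition keys are case-insensitive
    result = "implicit_deny"
    for stmt in policy["Statement"]:
        if "NotAction" in stmt:  # the statement applies to every action NOT listed
            if _glob(stmt["NotAction"], action, fold=True):
                continue
        elif not _glob(stmt["Action"], action, fold=True):
            continue
        if not _glob(stmt["Resource"], resource) or not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny ends evaluation
        result = "allow"
    return result


# Documents copied from this page (Sid and Principal kept for fidelity; Principal is not evaluated).
OBJ = "arn:aws:s3:::yourbucketnamehere/*"
HTTPS_ONLY_PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": OBJ},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": OBJ, "Condition": {"Bool": {"aws:SecureTransport": False}}}]}
IP_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::awsexamplebucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["18.208.0.0/13", "52.95.245.0/24"]}}}]}
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]}
REGION_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "route53:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
CT_BUCKET_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GRAUDITBUCKETDELETIONPROHIBITED", "Effect": "Deny", "Action": ["s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::aws-controltower*"],
     "Condition": {"ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}}}]}


def demo():
    """Constructed requests (account id, object keys and the Developer role are made up for the demo)."""
    obj, ip_obj, ct = "arn:aws:s3:::yourbucketnamehere/index.html", "arn:aws:s3:::awsexamplebucket/a", "arn:aws:s3:::aws-controltower-logs-demo"
    ct_role, dev = "arn:aws:iam::111122223333:role/AWSControlTowerExecution", "arn:aws:iam::111122223333:role/Developer"
    return {
        "https_get": evaluate(HTTPS_ONLY_PUBLIC_READ, "s3:GetObject", obj, {"aws:SecureTransport": "true"}),
        "http_get": evaluate(HTTPS_ONLY_PUBLIC_READ, "s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "ip_in_range": evaluate(IP_ALLOW, "s3:GetObject", ip_obj, {"aws:SourceIp": "18.210.1.1"}),
        "ip_outside": evaluate(IP_ALLOW, "s3:GetObject", ip_obj, {"aws:SourceIp": "203.0.113.9"}),
        "via_endpoint": evaluate(VPCE_ONLY, "s3:GetObject", "arn:aws:s3:::my_bucket/a", {"aws:sourceVpce": "vpce-1a2b3c4d"}),
        "from_outside": evaluate(VPCE_ONLY, "s3:GetObject", "arn:aws:s3:::my_bucket/a", {}),
        "ec2_us_east_1": evaluate(REGION_SCP, "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}),
        "ec2_eu_west_1": evaluate(REGION_SCP, "ec2:RunInstances", "*", {"aws:RequestedRegion": "eu-west-1"}),
        "route53_global": evaluate(REGION_SCP, "route53:ChangeResourceRecordSets", "*", {"aws:RequestedRegion": "us-east-1"}),
        "ct_delete_by_dev": evaluate(CT_BUCKET_SCP, "s3:DeleteBucket", ct, {"aws:PrincipalARN": dev}),
        "ct_delete_by_ct": evaluate(CT_BUCKET_SCP, "s3:DeleteBucket", ct, {"aws:PrincipalARN": ct_role}),
    }
```

For the SCPs and the endpoint-only bucket policy, implicit_deny means the document does not block the request; whether it is actually permitted is then decided by the caller's identity policies. Each call evaluates one document in isolation, whereas the real engine combines SCPs, identity policies and resource policies, and the route53_global case shows the NotAction point: the Route 53 call is reported with a region that the Deny would otherwise reject, and the exception list is what keeps it from being blocked.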
Protect the integrity of your log archive by using server-side encryption (SSE) with AWS KMS customer master keys (CMKs).
Policies used to prevent account-level actions through AWS Organizations- SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETENCRYPTIONENABLED",
      "Effect": "Deny",
      "Action": [ "s3:PutEncryptionConfiguration" ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Track log archive access requests using S3 bucket access logging.- SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETLOGGINGENABLED",
      "Effect": "Deny",
      "Action": [ "s3:PutBucketLogging" ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Protect the integrity of your log archive by ensuring no policy changes happen to the S3 bucket by any user.- SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETPOLICYCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [ "s3:PutBucketPolicy" ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Control access to your log archive's S3 bucket by disallowing public read access. - Config Rule
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check that your S3 buckets do not allow public access
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
Control access to your log archive's S3 bucket by disallowing public write access. - Config Rule
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check that your S3 buckets do not allow public access
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForS3PublicWrite:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
Limit data retention in the log archive using a retention policy that defaults to 365 days. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETRETENTIONPOLICY",
      "Effect": "Deny",
      "Action": [ "s3:PutLifecycleConfiguration" ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Log API activity in a consistent manner by ensuring that your AWS CloudTrail settings do not change. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": [ "arn:aws:cloudtrail:*:*:trail/aws-controltower-*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Track AWS API call activity within your accounts using AWS CloudTrail, which records call history including the identity of the caller and the time of the call. Enable CloudTrail in all available regions -SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": [ "arn:aws:cloudtrail:*:*:trail/aws-controltower-*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Enable integrity validation for CloudTrail log file - Protect the integrity of account activity logs using AWS CloudTrail log file validation, which creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": [ "arn:aws:cloudtrail:*:*:trail/aws-controltower-*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow changes to CloudWatch set up by AWS Control Tower -- Protect the integrity of Amazon CloudWatch configuration set up by AWS Control Tower to monitor your environment. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDWATCHEVENTPOLICY",
      "Effect": "Deny",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DisableRule",
        "events:DeleteRule"
      ],
      "Resource": [ "arn:aws:events:*:*:rule/aws-controltower-*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow deletion of AWS Config aggregation authorization - Prevent deletion of AWS Config aggregation authorizations that AWS Control Tower created in the audit account when you set up your landing zone - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY",
      "Effect": "Deny",
      "Action": [ "config:DeleteAggregationAuthorization" ],
      "Resource": [ "arn:aws:config:*:*:aggregation-authorization*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringLike": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
Disallow changes to AWS Config aggregation set up by AWS Control Tower - Protect the integrity of AWS Config aggregation set up by AWS Control Tower to collect configuration and compliance data. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULETAGSPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:TagResource",
        "config:UntagResource"
      ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "aws-control-tower"
        }
      }
    }
  ]
}
Disallow configuration changes to AWS Config -- Record resource configurations in a consistent manner by ensuring that AWS Config settings don't change.- SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Enable AWS Config in all available regions - Identify configuration changes to AWS resources using AWS Config. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow changes to AWS Config Rules set up by AWS Control Tower - Protect the integrity of AWS Config Rules set up by AWS Control Tower to implement detective guardrails. - SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULEPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:DeleteEvaluationResults",
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator"
      ],
      "Resource": [ "*" ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringEquals": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
Disallow launch of EC2 instance types that are not EBS-optimized - Launch Amazon EC2 instances only with an Amazon EBS volume that is performance optimized. EBS-optimized volumes minimize contention between Amazon EBS I/O and other traffic from your instance. - Config Rule
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
Disallow EBS volumes that are unattached to an EC2 instance - Do not allow an Amazon EBS volume (a durable, block-level storage device that you can attach to a single EC2 instance) to persist independently from the running life of an EC2 instance. - Config Rule
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check whether EBS volumes are attached to EC2 instances
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
  deleteOnTermination:
    Type: 'String'
    Default: 'None'
    Description: 'Check for Delete on termination'
Conditions:
  deleteOnTermination:
    Fn::Not:
      - Fn::Equals:
          - 'None'
          - Ref: deleteOnTermination
Resources:
  CheckForEc2VolumesInUse:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks whether EBS volumes are attached to EC2 instances
      InputParameters:
        deleteOnTermination:
          Fn::If:
            - deleteOnTermination
            - Ref: deleteOnTermination
            - Ref: AWS::NoValue
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
Enable encryption for EBS volumes attached to EC2 instances - Secure EBS volumes attached to EC2 instances through encryption. -- Config Rule
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check for encryption of all storage volumes attached to compute
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForEncryptedVolumes:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks whether EBS volumes that are in an attached state are encrypted.
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume