Profile Applicability:

  • Level 2

Description:
Amazon S3 supports event notifications that allow you to trigger actions based on certain events, such as when objects are uploaded, deleted, or modified within a bucket. Enabling event notifications ensures that your applications or services are notified in real-time about changes in your S3 buckets, enabling automated workflows or alerting mechanisms. Event notifications can be sent to Amazon Simple Notification Service (SNS), Simple Queue Service (SQS), or Lambda functions.

Rationale:
Event notifications help in automating processes that need to respond to changes in your S3 bucket, such as logging uploads, processing files as they are uploaded, or alerting when specific actions occur (e.g., unauthorized deletions or uploads). Enabling event notifications ensures that your systems are responsive to changes in real-time and supports operational and security automation.

Impact:
 Pros:

  • Provides real-time monitoring and automation for changes to S3 buckets.

  • Enables seamless integration with AWS services like SNS, SQS, and Lambda for event-driven workflows.

  • Enhances security monitoring by triggering alerts on suspicious activities or changes in the bucket.

  • Improves operational efficiency by automating reactions to specific events.

Cons:

  • Can incur additional costs for SNS, SQS, or Lambda invocations based on the volume of events.

  • Requires proper configuration to avoid excessive notifications or unnecessary triggers.

  • May add complexity to the management of event-driven workflows.

Default Value:
 By default, S3 buckets do not have event notifications enabled. These notifications must be explicitly configured for each event that needs to be tracked.

Pre-requisites:

  • AWS IAM permissions to manage S3 bucket notifications:
         s3:PutBucketNotification
     s3:GetBucketNotification

  • Access to the S3 bucket configurations to enable or check for event notifications.

  • Access to the destination services (SNS, SQS, Lambda) for notifications to be triggered.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket for which you want to check event notifications.

  4. Under the Properties tab, scroll down to the Event notifications section.

  5. Verify if any event notifications are configured. Event types like All object create events, Delete events, or Object restore events should be listed.

  6. If event notifications are not configured, click Create Event Notification and define the events (e.g., upload, delete) and the destination (SNS, SQS, Lambda).

  7. Save the changes and verify that notifications are correctly set up for the required events.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check the current event notification configuration:

    aws s3api get-bucket-notification --bucket <BUCKET_NAME>

  3. If event notifications are not configured, create the event notification:

    aws s3api put-bucket-notification-configuration --bucket <BUCKET_NAME> --notification-configuration file://notification.json

  4. Example notification.json configuration:

    {
  "TopicConfigurations": [
    {
      "TopicArn": "arn:aws:sns:us-east-1:123456789012:MyTopic",
      "Events": [
        "s3:ObjectCreated:*",
        "s3:ObjectRemoved:*"
      ]
    }
  ]
}

  1. Verify the event notification configuration:

    aws s3api get-bucket-notification --bucket <BUCKET_NAME>

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select Buckets.

  2. Choose the desired bucket and go to the Properties tab.

  3. Scroll down to Event Notifications and click Create Event Notification.

  4. Configure the event types (e.g., ObjectCreated, ObjectDeleted) and select the destination (e.g., SNS, SQS, or Lambda).

  5. Save the configuration and verify that the notifications are properly set up.

Using AWS CLI:

  1. To enable event notifications for object creation and deletion, use the following configuration:

    aws s3api put-bucket-notification-configuration --bucket <BUCKET_NAME> --notification-configuration file://notification.json

  2. Verify the configuration by running:

    aws s3api get-bucket-notification --bucket <BUCKET_NAME>

Backout Plan:

Using AWS Console:

  1. If event notifications cause issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Properties tab.

  3. In the Event notifications section, remove or modify the notification configurations.

  4. Save the changes and verify that notifications are no longer triggered.

Using AWS CLI:

  1. To remove event notifications for a bucket, run:

    aws s3api put-bucket-notification-configuration --bucket <BUCKET_NAME> --notification-configuration '{}'

  2. Verify that event notifications have been disabled:

    aws s3api get-bucket-notification-configuration --bucket <BUCKET_NAME>


Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

8.1

Ensure S3 buckets have event notifications enabled to track key actions and enhance monitoring and response capabilities.

7.1

3.1

Enable event notifications for critical infrastructure, including S3, to automate responses and monitor for suspicious or critical events.