Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for any changes made to Amazon S3 bucket policies. A CloudWatch metric filter and corresponding alarm must be configured to detect and alert on policy changes such as the addition, modification, or deletion of S3 bucket policies. Monitoring these events is crucial for preventing unauthorized access or accidental exposure of sensitive data stored in S3 buckets.


Rationale:

S3 bucket policies define access permissions for data stored in Amazon S3. Unauthorized or misconfigured policy changes can lead to public exposure, data breaches, or loss of confidentiality. By setting up a log metric filter and alarm for S3 bucket policy changes, organizations can detect and respond quickly to potential misconfigurations, ensuring that access control remains compliant and secure.


Impact:

  • Positive Impact: Provides immediate visibility into changes affecting data access and security. Helps prevent accidental or malicious exposure of sensitive data. Supports compliance with data protection and access control frameworks (e.g., CIS, SOC 2, ISO 27001).
  • Negative Impact: Slight increase in CloudWatch monitoring and alerting costs.

Default Value:

By default, AWS does not provide a metric filter or alarm for S3 bucket policy changes. Manual setup is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (usually named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect S3 bucket policy changes:

  6. Assign a metric name such as S3BucketPolicyChanges.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the S3BucketPolicyChanges metric.

  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Open the CloudTrail log group.
  3. Choose Create metric filter and use the following pattern:
  4. Set Metric Name: S3BucketPolicyChanges.
  5. Create an Alarm:
    • Metric: S3BucketPolicyChanges
    • Namespace: CISBenchmark
    • Condition: ≥ 1 in 5 minutes
    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
  6. Save all configurations.
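The filter and alarm from the steps above, as an added example that is not part of this control page: it carries the filter pattern published in the CIS AWS Foundations Benchmark for this control (assumed to be the pattern step 3 refers to, which the page omits), evaluates it offline against constructed sample CloudTrail records, and builds the equivalent AWS CLI commands. The log group name and SNS topic ARN are placeholders.

```python
import json
import shlex

# Filter pattern published in the CIS AWS Foundations Benchmark for this control
# (assumed to be the pattern the page's step 3 refers to; the page omits it).
FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || "
    "($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || "
    "($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || "
    "($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || "
    "($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
)
WATCHED_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
                  "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
                  "DeleteBucketLifecycle", "DeleteBucketReplication"}

def matches_filter(record: dict) -> bool:
    """Python equivalent of FILTER_PATTERN applied to one CloudTrail record."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)

def count_matches(log_lines) -> int:
    """Metric value the filter would emit for a batch of JSON log lines (metricValue=1 each)."""
    return sum(matches_filter(json.loads(line)) for line in log_lines)

def alarm_fires(metric_sum: int, threshold: int = 1) -> bool:
    """Alarm condition from the page: Sum >= 1 within one 5-minute (300 s) period."""
    return metric_sum >= threshold

def cli_commands(log_group: str, sns_topic_arn: str) -> list:
    """AWS CLI equivalents of the console steps: create the filter, then the alarm."""
    filt = ["aws", "logs", "put-metric-filter", "--log-group-name", log_group,
            "--filter-name", "S3BucketPolicyChanges", "--filter-pattern", FILTER_PATTERN,
            "--metric-transformations",
            "metricName=S3BucketPolicyChanges,metricNamespace=CISBenchmark,metricValue=1"]
    alarm = ["aws", "cloudwatch", "put-metric-alarm", "--alarm-name", "S3BucketPolicyChangesAlarm",
             "--metric-name", "S3BucketPolicyChanges", "--namespace", "CISBenchmark",
             "--statistic", "Sum", "--period", "300", "--threshold", "1",
             "--comparison-operator", "GreaterThanOrEqualToThreshold",
             "--evaluation-periods", "1", "--alarm-actions", sns_topic_arn]
    return [shlex.join(filt), shlex.join(alarm)]

# Constructed sample CloudTrail records (not real log data): one bucket policy change,
# one unrelated S3 read and one IAM event; only the first should count.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}),
]
```

Running `count_matches(SAMPLE_LOG_LINES)` gives 1, so `alarm_fires` returns True for that batch; the two strings from `cli_commands` are the commands to run (once, per account/region) in place of console steps 3 to 6.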


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.
  2. Select the S3BucketPolicyChangesAlarm.
  3. Choose Actions → Delete.
  4. Go to Logs → Metric Filters.
  5. Delete the S3BucketPolicyChanges filter.


References: