---
layout: default
---
## Amazon Simple Storage Service (S3)
| Identifier | Guardrail | Rationale | Remediation | References | Policy | IAM Actions |
|:---|:---|:---|:---|:---|:---|:---|
| IAM-S3-1 | Check that the S3 VPC Endpoint Policy is scoped appropriately. | A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify it. If you do not attach a policy when you create an endpoint, a default policy that allows full access to the service is attached for you. The endpoint policy is an opportunity to block unauthorized access: specify only the permissions that are authorized, and use condition keys to scope that access further. | Scope the VPC Endpoint Policy, for example with the `aws:PrincipalOrgID` condition key so that only principals in your organization can use the endpoint. | [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html)<br>[https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid) | VPC Endpoint Policy | |
| IAM-S3-2 | Check that the ability to get sensitive or classified information in S3 objects is limited to authorized principals. | Access to sensitive data must only be granted to authorized principals. An unauthorized principal that can get S3 objects can read sensitive data and violate security policy. | Options include: remove unauthorized principals from `s3:GetObject` entirely; use condition keys to scope each principal's access to the authorized S3 objects only; encrypt the objects at rest with a customer managed AWS KMS key (CMK) for defense in depth. If the key policy prevents an unauthorized principal from decrypting the data, that principal cannot read it even if it is able to download the object. | [https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/](https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/)<br>[https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-GetObject](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-GetObject) | | [s3:GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) |
| IAM-S3-3 | Check that frequently accessed data is stored in the appropriate S3 storage class. | S3 provides storage classes that trade off retrieval time, availability and cost. The Glacier classes incur a first-byte retrieval delay on the order of minutes to hours. S3 One Zone-IA stores data in a single Availability Zone rather than across several. Sensitive data must be stored in a class that meets its availability and retrieval requirements. | Use the `s3:x-amz-storage-class` condition key on `s3:PutObject` to restrict specific S3 buckets to the authorized storage classes. A PutObject request that carries no storage-class header is stored as STANDARD, so write the condition so that it treats the absent key as intended. | [https://aws.amazon.com/s3/storage-classes/](https://aws.amazon.com/s3/storage-classes/)<br>[https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-s3_x-amz-storage-class](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-s3_x-amz-storage-class)<br>[https://answers.amazon.com/questions/88994](https://answers.amazon.com/questions/88994) | | |
| IAM-S3-4 | Check that management of your S3 buckets and objects is limited to authorized principals. | Management of your S3 buckets and objects must only be performed by your authorized administrative principals. Protect against unauthorized modification of your sensitive data, and of the bucket configuration that protects it (policies, ACLs, public access blocks, encryption, versioning, Object Lock, replication, lifecycle), by limiting the actions listed here to administrative principals. | Grant the IAM actions listed for this guardrail only to your administrative principals, and scope those grants with condition keys as in IAM-S3-1 and IAM-S3-2. | [https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/](https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/)<br>[https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html) | | `s3:AbortMultipartUpload`, `s3:BypassGovernanceRetention`, `s3:CreateAccessPoint`, `s3:CreateBucket`, `s3:CreateJob`, `s3:DeleteAccessPoint`, `s3:DeleteAccessPointPolicy`, `s3:DeleteBucket`, `s3:DeleteBucketPolicy`, `s3:DeleteBucketWebsite`, `s3:DeleteObject`, `s3:DeleteObjectTagging`, `s3:DeleteObjectVersion`, `s3:DeleteObjectVersionTagging`, `s3:ObjectOwnerOverrideToBucketOwner`, `s3:PutAccelerateConfiguration`, `s3:PutAccessPointPolicy`, `s3:PutAccountPublicAccessBlock`, `s3:PutAnalyticsConfiguration`, `s3:PutBucketAcl`, `s3:PutBucketCORS`, `s3:PutBucketLogging`, `s3:PutBucketNotification`, `s3:PutBucketObjectLockConfiguration`, `s3:PutBucketPolicy`, `s3:PutBucketPublicAccessBlock`, `s3:PutBucketRequestPayment`, `s3:PutBucketTagging`, `s3:PutBucketVersioning`, `s3:PutBucketWebsite`, `s3:PutEncryptionConfiguration`, `s3:PutInventoryConfiguration`, `s3:PutLifecycleConfiguration`, `s3:PutMetricsConfiguration`, `s3:PutObject`, `s3:PutObjectAcl`, `s3:PutObjectLegalHold`, `s3:PutObjectRetention`, `s3:PutObjectTagging`, `s3:PutObjectVersionAcl`, `s3:PutObjectVersionTagging`, `s3:PutReplicationConfiguration`, `s3:ReplicateDelete`, `s3:ReplicateObject`, `s3:ReplicateTags`, `s3:RestoreObject`, `s3:UpdateJobPriority`, `s3:UpdateJobStatus` |
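The following is an added example, not part of the guardrail table or of any AWS-published code. It builds the policies that the four guardrails call for (a VPC endpoint policy scoped with `aws:PrincipalOrgID`, and a bucket policy that uses explicit Deny statements with `aws:PrincipalArn` and `s3:x-amz-storage-class`), then runs a simple shape check over a bucket policy to flag statements that visibly violate IAM-S3-2, IAM-S3-3 or IAM-S3-4. The organization ID, account ID, role ARNs, bucket name and the weak sample policy are all made-up placeholders, and the checker inspects policy structure only; it is not an IAM policy evaluator.

```python
"""Added example: policies for guardrails IAM-S3-1 to IAM-S3-4 plus a small
shape-check over a bucket policy. All identifiers below are placeholders."""
import json

ORG_ID = "o-a1b2c3d4e5"                                      # assumed org ID
BUCKET = "example-classified-data"                           # assumed bucket
DATA_READER = "arn:aws:iam::111122223333:role/DataReader"    # assumed role
S3_ADMIN = "arn:aws:iam::111122223333:role/S3Admin"          # assumed role

# Subset of the IAM-S3-4 management actions used by the policy and the checker.
MANAGEMENT_ACTIONS = {
    "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:PutBucketPolicy",
    "s3:PutBucketAcl", "s3:PutObjectAcl", "s3:PutBucketPublicAccessBlock",
    "s3:PutEncryptionConfiguration", "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration", "s3:PutReplicationConfiguration",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:BypassGovernanceRetention",
}


def vpc_endpoint_policy(org_id: str) -> dict:
    """IAM-S3-1: replace the default full-access endpoint policy with one that
    only passes requests made by principals in your own organization."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OrgPrincipalsOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }]}


def bucket_policy(bucket: str, reader_arn: str, admin_arn: str) -> dict:
    """IAM-S3-2/3/4 as explicit Deny statements: a Deny in the bucket policy
    wins even when an identity policy grants the action."""
    objects, bucket_arn = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # IAM-S3-2: nobody but the reader and admin roles may read objects.
            "Sid": "DenyReadExceptAuthorized", "Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": objects,
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [reader_arn, admin_arn]}},
        },
        {   # IAM-S3-3: hot classes only. The IfExists suffix lets a PutObject with
            # no storage-class header through; S3 stores such objects as STANDARD.
            "Sid": "DenyColdStorageClasses", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": objects,
            "Condition": {"StringNotEqualsIfExists": {
                "s3:x-amz-storage-class": ["STANDARD", "INTELLIGENT_TIERING"]}},
        },
        {   # IAM-S3-4: bucket and object management is reserved for the admin role.
            "Sid": "DenyManagementExceptAdmin", "Effect": "Deny", "Principal": "*",
            "Action": sorted(MANAGEMENT_ACTIONS), "Resource": [bucket_arn, objects],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": admin_arn}},
        },
    ]}


def _actions(stmt: dict) -> set:
    act = stmt.get("Action", [])
    return {act} if isinstance(act, str) else set(act)


def _is_wildcard_principal(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def audit_bucket_policy(policy: dict) -> list:
    """Return one finding string per guardrail the policy visibly violates."""
    findings = []
    stmts = policy["Statement"]
    for s in stmts:
        acts = _actions(s)
        # An Allow to any principal with no Condition is the pattern every guardrail forbids.
        open_allow = (s["Effect"] == "Allow" and _is_wildcard_principal(s.get("Principal"))
                      and "Condition" not in s)
        if open_allow and acts & {"s3:GetObject", "s3:*"}:
            findings.append(f"IAM-S3-2: {s.get('Sid')} allows s3:GetObject to any principal with no Condition")
        if open_allow and acts & (MANAGEMENT_ACTIONS | {"s3:*"}):
            findings.append(f"IAM-S3-4: {s.get('Sid')} allows management actions to any principal with no Condition")
    if not any(_actions(s) & {"s3:PutObject", "s3:*"}
               and "s3:x-amz-storage-class" in json.dumps(s.get("Condition", {}))
               for s in stmts):
        findings.append("IAM-S3-3: no statement constrains s3:x-amz-storage-class on s3:PutObject")
    return findings


# Constructed weak policy: public read plus an unconditioned management grant.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "AnyoneCanReconfigure", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutBucketPolicy"], "Resource": f"arn:aws:s3:::{BUCKET}"},
]}

if __name__ == "__main__":
    print(json.dumps(vpc_endpoint_policy(ORG_ID), indent=2))
    print(json.dumps(bucket_policy(BUCKET, DATA_READER, S3_ADMIN), indent=2))
    print("hardened:", audit_bucket_policy(bucket_policy(BUCKET, DATA_READER, S3_ADMIN)))
    print("weak:", *audit_bucket_policy(WEAK_POLICY), sep="\n  ")
```

Two design points worth noting. The storage-class statement uses `StringNotEqualsIfExists` deliberately: with plain `StringNotEquals` in a Deny, a request that omits the `x-amz-storage-class` header has no value for the key, the negated operator evaluates to true, and every default (STANDARD) upload would be blocked. And `aws:PrincipalArn` resolves to the role ARN for assumed-role sessions, so the exceptions need only list roles, not session ARNs.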