The s3-secure tool can be used to harden the security posture of your S3 buckets. It is most useful when you have many buckets to update. It supports:
Summary of encryption commands:
s3-secure encryption list
s3-secure encryption show BUCKET
s3-secure encryption enable BUCKET
s3-secure encryption disable BUCKET
Summary of lifecycle commands:
s3-secure lifecycle list
s3-secure lifecycle show BUCKET
s3-secure lifecycle add BUCKET
s3-secure lifecycle remove BUCKET
Summary of policy commands:
s3-secure policy list
s3-secure policy show BUCKET
s3-secure policy enforce_ssl BUCKET
s3-secure policy unforce_ssl BUCKET
Summary of versioning commands:
s3-secure versioning list
s3-secure versioning show BUCKET
s3-secure versioning enable BUCKET
s3-secure versioning disable BUCKET
To apply all the remediations at once:
s3-secure remediate_all BUCKET
For finer control, run each subcommand individually instead.
Example of s3-secure encryption enable:
$ s3-secure encryption enable a-test-bucket-in-us-west-1
Encyption enabled on bucket a-test-bucket-in-us-west-1 with rules:
{:apply_server_side_encryption_by_default=>{:sse_algorithm=>"AES256"}}
$
Example of s3-secure policy enforce_ssl:
$ s3-secure policy enforce_ssl a-test-bucket-in-us-west-1
Add bucket policy to bucket a-test-bucket-in-us-west-1:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ForceSSLOnlyAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::a-test-bucket-in-us-west-1/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
$
When removing SSL enforcement from the bucket policy, any other policy statements are left intact. Example:
$ s3-secure policy show a-test-bucket-in-us-east-1
Bucket a-test-bucket-in-us-east-1 is configured with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "54.240.143.0/24"
}
}
},
{
"Sid": "ForceSSLOnlyAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
$ s3-secure policy unforce_ssl a-test-bucket-in-us-east-1
Remove bucket policy statement from bucket a-test-bucket-in-us-east-1:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "54.240.143.0/24"
}
}
}
]
}
$
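The add/remove behaviour shown above, as an added example that is not part of the gem's code: enforce_ssl appends a ForceSSLOnlyAccess statement (idempotently, so running it twice does not duplicate it) and unforce_ssl strips only that statement by Sid, keeping statements such as IPAllow untouched. Two practitioner points are handled that the transcript does not show: when the SSL statement was the only one, the result is nil rather than a policy with an empty Statement array, which S3 rejects, so the caller should delete the bucket policy instead; and the policy the tool installs denies only s3:GetObject over plaintext HTTP, so plaintext PutObject and ListBucket remain allowed. The optional all_actions flag (our own extension, not a gem option) builds the broader statement that denies s3:* on both the bucket ARN and its objects. The sample policy is constructed from the page's IPAllow example.

```ruby
require 'json'

SSL_SID = 'ForceSSLOnlyAccess'

# IAM allows "Statement" to be a single object or an array; normalise to an array.
def statements_of(policy)
  s = policy['Statement']
  s.is_a?(Array) ? s : [s].compact
end

# Deny-if-not-TLS statement. Default matches the README's tool (s3:GetObject on
# objects only). all_actions: true is our own extension: deny every S3 action on
# the bucket and its objects, which also closes plaintext PutObject/ListBucket.
def ssl_statement(bucket, all_actions: false)
  bucket_arn = "arn:aws:s3:::#{bucket}"
  object_arn = "#{bucket_arn}/*"
  {
    'Sid' => SSL_SID,
    'Effect' => 'Deny',
    'Principal' => '*',
    'Action' => all_actions ? 's3:*' : 's3:GetObject',
    'Resource' => all_actions ? [bucket_arn, object_arn] : object_arn,
    'Condition' => { 'Bool' => { 'aws:SecureTransport' => 'false' } }
  }
end

# policy_json: current bucket policy as a JSON string, or nil if the bucket has
# none. Returns the new policy as a Hash. An existing statement with the same Sid
# is replaced, so the operation is idempotent.
def enforce_ssl(policy_json, bucket, all_actions: false)
  policy = policy_json ? JSON.parse(policy_json) : { 'Version' => '2012-10-17', 'Statement' => [] }
  kept = statements_of(policy).reject { |s| s['Sid'] == SSL_SID }
  policy.merge('Statement' => kept + [ssl_statement(bucket, all_actions: all_actions)])
end

# Remove only the SSL statement; all other statements are preserved.
# Returns nil when nothing would remain: an empty Statement array is not a valid
# bucket policy, so the caller should delete the bucket policy instead.
def unforce_ssl(policy_json)
  return nil if policy_json.nil?
  policy = JSON.parse(policy_json)
  remaining = statements_of(policy).reject { |s| s['Sid'] == SSL_SID }
  return nil if remaining.empty?
  policy.merge('Statement' => remaining)
end

# Check the condition rather than trusting the Sid, so a hand-written
# equivalent Deny statement is recognised as enforcement too.
def ssl_enforced?(policy_json)
  return false if policy_json.nil?
  statements_of(JSON.parse(policy_json)).any? do |s|
    s['Effect'] == 'Deny' && s.dig('Condition', 'Bool', 'aws:SecureTransport').to_s == 'false'
  end
end

# Constructed sample: the IPAllow-only policy from the README example.
SAMPLE_IP_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{
    'Sid' => 'IPAllow', 'Effect' => 'Deny', 'Principal' => '*', 'Action' => 's3:*',
    'Resource' => 'arn:aws:s3:::a-test-bucket-in-us-east-1/*',
    'Condition' => { 'NotIpAddress' => { 'aws:SourceIp' => '54.240.143.0/24' } }
  }]
)

if $PROGRAM_NAME == __FILE__
  with_ssl = enforce_ssl(SAMPLE_IP_POLICY, 'a-test-bucket-in-us-east-1')
  puts JSON.pretty_generate(with_ssl)
  puts JSON.pretty_generate(unforce_ssl(JSON.generate(with_ssl)))
end
```

To apply the result, pass JSON.generate(policy) to put_bucket_policy, or call delete_bucket_policy when unforce_ssl returns nil.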
For more help:
s3-secure -h
s3-secure encryption -h
s3-secure encryption enable -h
s3-secure lifecycle -h
s3-secure lifecycle add -h
s3-secure policy -h
s3-secure policy unforce_ssl -h
s3-secure versioning -h
s3-secure versioning enable -h
There are some supported batch commands:
s3-secure batch encryption enable FILE.txt
s3-secure batch encryption disable FILE.txt
s3-secure batch policy enforce_ssl FILE.txt
s3-secure batch policy unforce_ssl FILE.txt
The format of FILE.txt is a list of bucket names separated by newlines. Example:
buckets.txt:
my-bucket-1
my-bucket-2
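A parser for that batch file, as an added example that is not part of the gem: it validates each line against the S3 bucket naming rules before anything is sent to AWS, drops duplicates so a bucket is not remediated twice, and reports rejected lines with their line numbers. Blank lines and '#' comments being skipped is our own convention (the README only says newline-separated); the sample file is constructed.

```ruby
# S3 general-purpose bucket name rules checked here: 3-63 characters; only
# lowercase letters, digits, dots and hyphens; starts and ends with a letter or
# digit; no adjacent dots; not formatted like an IPv4 address.
BUCKET_NAME = /\A[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\z/

def valid_bucket_name?(name)
  return false unless name.match?(BUCKET_NAME)
  return false if name.include?('..')
  return false if name.match?(/\A\d{1,3}(?:\.\d{1,3}){3}\z/) # looks like an IP
  true
end

# Parse the text of FILE.txt. Returns [buckets, errors]: the ordered, de-duplicated
# list of valid names, and one message per skipped line.
def parse_bucket_list(text)
  buckets = []
  errors = []
  text.each_line.with_index(1) do |line, lineno|
    name = line.strip
    next if name.empty? || name.start_with?('#')
    if !valid_bucket_name?(name)
      errors << "line #{lineno}: #{name.inspect} is not a valid S3 bucket name"
    elsif buckets.include?(name)
      errors << "line #{lineno}: #{name.inspect} listed more than once (skipped)"
    else
      buckets << name
    end
  end
  [buckets, errors]
end

# Constructed sample input (not from the page): one comment, one blank line,
# one uppercase name, one duplicate and one IP-shaped name to exercise the checks.
SAMPLE_FILE = <<~TXT
  # production buckets
  my-bucket-1
  my-bucket-2

  My-Bucket-3
  my-bucket-1
  192.168.0.1
TXT

if $PROGRAM_NAME == __FILE__
  buckets, errors = parse_bucket_list(SAMPLE_FILE)
  puts "buckets to remediate: #{buckets.join(', ')}"
  errors.each { |e| warn e }
end
```

Feeding only the returned buckets to the batch commands means a typo in the file surfaces as a parse error up front rather than as a failed API call halfway through the run.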
Install with:
gem install s3-secure