MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1530 Data from Cloud Storage |
Rule body (YAML)
AnalysisType: policy
Filename: aws_s3_bucket_encryption.py
PolicyID: "AWS.S3.Bucket.Encryption"
DisplayName: "AWS S3 Bucket Encryption"
Enabled: true
ResourceTypes:
  - AWS.S3.Bucket
Tags:
  - AWS
  - Data Protection
  - Collection:Data From Cloud Storage Object
Reports:
  PCI:
    - 2.2.3
    - 3.4
  MITRE ATT&CK:
    - TA0009:T1530
Severity: High
Description: >
  Ensures that the S3 bucket has encryption enabled.
Runbook: >
  https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-s3-encryption-enabled
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
Tests:
  - Name: Bucket Has No Encryption Rules
    ExpectedResult: false
    Resource:
      {
        "CreationDate": "2019-01-01T00:00:00Z",
        "EncryptionRules": null,
        "Grants":
          [
            {
              "Grantee":
                {
                  "DisplayName": "user.name",
                  "EmailAddress": null,
                  "ID": "11112223334445556667778899aaabbbcccdddeeee",
                  "Type": "CanonicalUser",
                  "URI": null,
                },
              "Permission": "FULL_CONTROL",
            },
            {
              "Grantee":
                {
                  "DisplayName": null,
                  "EmailAddress": null,
                  "ID": null,
                  "Type": "Group",
                  "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                },
              "Permission": "WRITE",
            },
          ],
        "LifecycleRules": null,
        "Location": "us-east-2",
        "LoggingPolicy": null,
        "MFADelete": null,
        "Name": "bucket-name",
        "Owner":
          {
            "DisplayName": "user.name",
            "ID": "11112223334445556667778899aaabbbcccdddeeee",
          },
        "Policy": null,
        "PublicAccessBlockConfiguration":
          {
            "BlockPublicAcls": false,
            "BlockPublicPolicy": false,
            "IgnorePublicAcls": false,
            "RestrictPublicBuckets": false,
          },
        "Versioning": null,
      }
  - Name: Encryption Is Set
    ExpectedResult: true
    Resource:
      {
        "CreationDate": "2019-01-01T00:00:00Z",
        "EncryptionRules":
          [
            {
              "ApplyServerSideEncryptionByDefault":
                { "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
            },
          ],
        "Grants":
          [
            {
              "Grantee":
                {
                  "DisplayName": "user.name",
                  "EmailAddress": null,
                  "ID": "11112223334445556667778899aaabbbcccdddeeee",
                  "Type": "CanonicalUser",
                  "URI": null,
                },
              "Permission": "FULL_CONTROL",
            },
            {
              "Grantee":
                {
                  "DisplayName": null,
                  "EmailAddress": null,
                  "ID": null,
                  "Type": "Group",
                  "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                },
              "Permission": "WRITE",
            },
          ],
        "LifecycleRules": null,
        "Location": "us-east-2",
        "LoggingPolicy": null,
        "MFADelete": null,
        "Name": "bucket-name",
        "Owner":
          {
            "DisplayName": "user.name",
            "ID": "11112223334445556667778899aaabbbcccdddeeee",
          },
        "Policy": null,
        "PublicAccessBlockConfiguration":
          {
            "BlockPublicAcls": false,
            "BlockPublicPolicy": false,
            "IgnorePublicAcls": false,
            "RestrictPublicBuckets": false,
          },
        "Versioning": null,
      }
  - Name: SSE Algorithm Is Not Set
    ExpectedResult: false
    Resource:
      {
        "CreationDate": "2019-01-01T00:00:00Z",
        "EncryptionRules":
          [
            {
              "ApplyServerSideEncryptionByDefault":
                { "KMSMasterKeyID": null, "SSEAlgorithm": null },
            },
          ],
        "Grants":
          [
            {
              "Grantee":
                {
                  "DisplayName": "user.name",
                  "EmailAddress": null,
                  "ID": "11112223334445556667778899aaabbbcccdddeeee",
                  "Type": "CanonicalUser",
                  "URI": null,
                },
              "Permission": "FULL_CONTROL",
            },
            {
              "Grantee":
                {
                  "DisplayName": null,
                  "EmailAddress": null,
                  "ID": null,
                  "Type": "Group",
                  "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                },
              "Permission": "WRITE",
            },
          ],
        "LifecycleRules": null,
        "Location": "us-east-2",
        "LoggingPolicy": null,
        "MFADelete": null,
        "Name": "bucket-name",
        "Owner":
          {
            "DisplayName": "user.name",
            "ID": "11112223334445556667778899aaabbbcccdddeeee",
          },
        "Policy": null,
        "PublicAccessBlockConfiguration":
          {
            "BlockPublicAcls": false,
            "BlockPublicPolicy": false,
            "IgnorePublicAcls": false,
            "RestrictPublicBuckets": false,
          },
        "Versioning": null,
      }
Detection logic
Rule logic (imperative Python)
from panther_base_helpers import deep_get


def policy(resource):
    # A bucket passes only if a default-encryption rule names an SSE algorithm.
    # The first rule carrying ApplyServerSideEncryptionByDefault decides the result.
    for encryption_rule in resource["EncryptionRules"] or []:
        if encryption_rule.get("ApplyServerSideEncryptionByDefault", False):
            return (
                deep_get(encryption_rule, "ApplyServerSideEncryptionByDefault", "SSEAlgorithm")
                is not None
            )
    # No encryption rules at all (or none with a default-encryption block): fail the policy.
    return False
The parser cannot express this rule's logic as a field filter; the imperative Python above is the detection.
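The following is an added, stand-alone re-implementation of the policy above so it can be run and tested outside Panther; it is not Panther's own code. The `deep_get` helper is written locally here as a substitute for the one imported from `panther_base_helpers`, the sample resources are constructed and trimmed to the `EncryptionRules` field the policy actually reads, and the KMS key ARN is a placeholder. It goes one step beyond the page's policy by also including a stricter `requires_kms` variant, because AWS now applies SSE-S3 (`AES256`) to new buckets by default, so the original check alone says little about whether a customer-managed KMS key is in use.

```python
from typing import Any, Optional

# Local stand-in for panther_base_helpers.deep_get (assumption: same semantics,
# i.e. walk nested dicts and return the default when any step is missing or None).
def deep_get(obj: Optional[dict], *keys: str, default: Any = None) -> Any:
    current: Any = obj
    for key in keys:
        if not isinstance(current, dict):
            return default
        current = current.get(key)
        if current is None:
            return default
    return current


def policy(resource: dict) -> bool:
    """Same logic as the page's policy: pass only if the first default-encryption
    rule names an SSE algorithm. A False result is what raises a Panther alert."""
    for encryption_rule in resource.get("EncryptionRules") or []:
        # An empty {} block is falsy and is skipped, just like a missing one.
        if encryption_rule.get("ApplyServerSideEncryptionByDefault", False):
            return (
                deep_get(encryption_rule, "ApplyServerSideEncryptionByDefault", "SSEAlgorithm")
                is not None
            )
    return False


def requires_kms(resource: dict) -> bool:
    """Stricter variant (added here, not part of the page's policy): require
    SSE-KMS with an explicit key rather than any SSE algorithm at all."""
    for encryption_rule in resource.get("EncryptionRules") or []:
        default = encryption_rule.get("ApplyServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return True
    return False


def _bucket(rules: Any) -> dict:
    # Constructed fixture: only the field the policy reads, plus a name for output.
    return {"Name": "bucket-name", "EncryptionRules": rules}


# Constructed samples mirroring the three test cases on the page, plus a KMS case.
NO_RULES = _bucket(None)
SSE_S3 = _bucket([{"ApplyServerSideEncryptionByDefault": {"KMSMasterKeyID": None, "SSEAlgorithm": "AES256"}}])
NO_ALGORITHM = _bucket([{"ApplyServerSideEncryptionByDefault": {"KMSMasterKeyID": None, "SSEAlgorithm": None}}])
SSE_KMS = _bucket([{"ApplyServerSideEncryptionByDefault": {
    "KMSMasterKeyID": "arn:aws:kms:us-east-2:111122223333:key/PLACEHOLDER-KEY-ID",  # placeholder
    "SSEAlgorithm": "aws:kms"}}])


def evaluate(resources: dict) -> dict:
    """Run both checks over named resources; returns {name: (policy, requires_kms)}."""
    return {name: (policy(r), requires_kms(r)) for name, r in resources.items()}


if __name__ == "__main__":
    samples = {"no-rules": NO_RULES, "sse-s3": SSE_S3, "no-algorithm": NO_ALGORITHM, "sse-kms": SSE_KMS}
    for name, (basic, kms) in evaluate(samples).items():
        print(f"{name:13s} policy={'PASS' if basic else 'FAIL (alert)'}  requires_kms={'PASS' if kms else 'FAIL'}")
```

Running the script prints one line per sample; only the SSE-KMS fixture passes both checks, and the page's three fixtures reproduce the `ExpectedResult` values from the YAML tests (false, true, false).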