Detection rules › Panther
AWS S3 Bucket Public Access Block
Ensures that a Public Access Block Configuration is set for the given S3 bucket.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1530 Data from Cloud Storage |
Rule body yaml
AnalysisType: policy
Filename: aws_s3_bucket_public_access_block.py
PolicyID: "AWS.S3.Bucket.PublicAccessBlock"
DisplayName: "AWS S3 Bucket Public Access Block"
Enabled: true
ResourceTypes:
- AWS.S3.Bucket
Tags:
- AWS
- Data Protection
- Collection:Data From Cloud Storage Object
Reports:
PCI:
- 2.2.3
MITRE ATT&CK:
- TA0009:T1530
Severity: Medium
Description: >
Ensures that a Public Access Block Configuration is set for the given S3 bucket.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-s3-public-access-block-enabled
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
Tests:
- Name: Public Access Block Configuration Is Not Set
ExpectedResult: false
Resource:
{
"CreationDate": "2019-01-01T00:00:00Z",
"EncryptionRules":
[
{
"ApplyServerSideEncryptionByDefault":
{ "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
},
],
"Grants":
[
{
"Grantee":
{
"DisplayName": "user.name",
"EmailAddress": null,
"ID": "11112223334445556667778899aaabbbcccdddeeee",
"Type": "CanonicalUser",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
},
"Permission": "WRITE",
},
{
"Grantee":
{
"DisplayName": null,
"EmailAddress": null,
"ID": null,
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
},
"Permission": "WRITE",
},
],
"LifecycleRules": null,
"Location": "us-east-2",
"LoggingPolicy": null,
"MFADelete": null,
"Name": "bucket-name",
"Owner":
{
"DisplayName": "user.name",
"ID": "11112223334445556667778899aaabbbcccdddeeee",
},
"Policy": null,
"PublicAccessBlockConfiguration": null,
"Versioning": null,
}
- Name: Public Access Block Configuration Is Set
ExpectedResult: true
Resource:
{
"CreationDate": "2019-01-01T00:00:00Z",
"EncryptionRules":
[
{
"ApplyServerSideEncryptionByDefault":
{ "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
},
],
"Grants":
[
{
"Grantee":
{
"DisplayName": "user.name",
"EmailAddress": null,
"ID": "11112223334445556667778899aaabbbcccdddeeee",
"Type": "CanonicalUser",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
},
"Permission": "WRITE",
},
{
"Grantee":
{
"DisplayName": null,
"EmailAddress": null,
"ID": null,
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
},
"Permission": "WRITE",
},
],
"LifecycleRules": null,
"Location": "us-east-2",
"LoggingPolicy": null,
"MFADelete": null,
"Name": "bucket-name",
"Owner":
{
"DisplayName": "user.name",
"ID": "11112223334445556667778899aaabbbcccdddeeee",
},
"Policy": null,
"PublicAccessBlockConfiguration":
{
"BlockPublicAcls": true,
"BlockPublicPolicy": false,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": false,
},
"Versioning": null,
}
Detection logic
Condition
PublicAccessBlockConfiguration not is_not_null
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
PublicAccessBlockConfiguration | is_not_null |