private checkS3()

in src/packs/pci-dss-321.ts [684:757]


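  /**
   * Applies the PCI DSS 3.2.1 rule set for Amazon S3 to a single resource.
   *
   * Every rule is applied unconditionally at `NagMessageLevel.ERROR`; whether
   * `node` is actually an S3 bucket (and whether a rule applies at all) is
   * left to each rule implementation via `applyRule`. The `info` text is the
   * finding message a user sees, and the parenthesised control IDs map the
   * finding back to PCI DSS 3.2.1 requirements, so keep that wording stable.
   *
   * @param node - the CloudFormation resource under evaluation.
   */
  private checkS3(node: CfnResource): void {
    // Public-access controls (PCI req. 1.x network segmentation, 2.2.2 secure
    // configuration). Three rules cover distinct surfaces: bucket-level Block
    // Public Access settings, and public READ / WRITE through BPA + ACLs.
    // NOTE(review): account-level Block Public Access is not evaluated here;
    // bucket-level settings alone do not substitute for it.
    this.applyRule({
      info: 'The S3 bucket does not prohibit public access through bucket level settings - (Control IDs: 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2).',
      explanation:
        'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketLevelPublicAccessProhibited,
      node: node,
    });
    // Audit trail (PCI req. 10.x). Server access logs record requester, bucket,
    // time, action, status and error code per request.
    // Message fixed from "The S3 Buckets does" to match the singular wording
    // used by every other finding in this method.
    this.applyRule({
      info: 'The S3 Bucket does not have server access logs enabled - (Control IDs: 2.2, 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6).',
      explanation:
        'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketLoggingEnabled,
      node: node,
    });
    this.applyRule({
      info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs - (Control IDs: 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2, 2.2.2).',
      explanation:
        'The management of access should be consistent with the classification of the data.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketPublicReadProhibited,
      node: node,
    });
    this.applyRule({
      info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs - (Control IDs: 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2, 2.2.2).',
      explanation:
        'The management of access should be consistent with the classification of the data.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketPublicWriteProhibited,
      node: node,
    });
    // Availability / integrity of audit data (PCI req. 10.5.3): replication and
    // versioning. NOTE(review): replication copies objects into another bucket,
    // which must itself satisfy the encryption and public-access rules above;
    // this method does not follow the replication target.
    this.applyRule({
      info: 'The S3 Bucket does not have replication enabled - (Control IDs: 2.2, 10.5.3).',
      explanation:
        'Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. CRR enables automatic, asynchronous copying of objects across Amazon S3 buckets to help ensure that data availability is maintained.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketReplicationEnabled,
      node: node,
    });
    // Encryption at rest (PCI req. 3.4, 8.2.1, 10.5). Two rules: any default
    // server-side encryption, and — separately, below — KMS-backed encryption.
    // Presumably the SSE rule accepts SSE-S3 while the KMS rule requires a KMS
    // key (auditable key usage, key rotation); verify against the rule sources.
    this.applyRule({
      info: 'The S3 Bucket does not have default server-side encryption enabled - (Control IDs: 2.2, 3.4, 8.2.1, 10.5).',
      explanation:
        'Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketServerSideEncryptionEnabled,
      node: node,
    });
    // Encryption in transit (PCI req. 4.1). The finding text says "SSL" (AWS
    // wording); in practice this means TLS. NOTE(review): the rule presumably
    // looks for a bucket policy denying requests with aws:SecureTransport=false
    // — confirm in S3BucketSSLRequestsOnly before relying on that detail.
    this.applyRule({
      info: 'The S3 Bucket does not require requests to use SSL - (Control IDs: 2.2, 4.1, 8.2.1).',
      explanation:
        'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketSSLRequestsOnly,
      node: node,
    });
    this.applyRule({
      info: 'The S3 Bucket does not have versioning enabled - (Control ID: 10.5.3).',
      explanation:
        'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.',
      level: NagMessageLevel.ERROR,
      rule: S3BucketVersioningEnabled,
      node: node,
    });
    this.applyRule({
      info: 'The S3 Bucket is not encrypted with a KMS Key by default - (Control IDs: 3.4, 8.2.1, 10.5).',
      explanation:
        'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.',
      level: NagMessageLevel.ERROR,
      rule: S3DefaultEncryptionKMS,
      node: node,
    });
  }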