10 best practices for S3 bucket security configuration

Rule GD-001: GuardDuty enabled

Conformity has rule GD-001 for enabling GuardDuty. This rule checks that GuardDuty is enabled in all regions for the security of your AWS environment and infrastructure. Because this rule is a medium-level threat, Conformity encourages compliance.

The result of non-compliance is the potential occurrence and proliferation of malicious activity on your AWS account and infrastructure without your knowledge, such as Recon:EC2/PortProbeUnprotectedPort, UnauthorizedAccess:EC2/SSHBruteForce, or UnauthorizedAccess:IAMUser/MaliciousIPCaller.

To remediate, simply visit GuardDuty to enable and activate it in every region.

Rule GD-002: GuardDuty findings

Conformity also has rule GD-002 that ingests and provides help with managing GuardDuty findings. The threat level is medium. Within your Conformity account, you can have notifications sent over email, SMS, Slack, JIRA, PagerDuty, and ServiceNow. Then, you can lean on the Conformity knowledge base to resolve the findings and achieve continuous security and compliance.

For example, if you have a random port on your EC2 instance, say 30784, that you aren’t using but someone is probing, you check your inbound rules to delist port ranges, input specific port numbers, and restrict access to particular Ips or IP ranges.

5. Use Amazon Macie to scan for sensitive data outside of designated areas

Conformity has the following rules for Amazon Macie service

Rule Macie-001: Amazon Macie

This rule checks that Macie is enabled so that it can scan your S3 buckets to identify sensitive information, such as credit cards, financial records, or personally identifiable information (PII). Macie analyzes access and user behavior patterns then bring this data to your attention.

You can use Macie-001 to help comply with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) for encryption and pseudonymization of data, as it recognizes PII.