A simple command line tool that checks S3 buckets against (security) best practices, mainly based on the CIS AWS Foundations Benchmark.
The 'Storage' section of that benchmark contains the S3 bucket related items, namely:
- 2.1.1 Ensure all S3 buckets employ encryption-at-rest
- 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests
- 2.1.3 Ensure MFA Delete is enabled on S3 buckets
- 2.1.4 Ensure all data in Amazon S3 has been discovered (out of scope)
- 2.1.5 Ensure that S3 Buckets are configured with 'Block public access' (each of the four settings is reported as ✔ or ✖):
  - BlockPublicAcls (BPA)
  - BlockPublicPolicy (BPP)
  - IgnorePublicAcls (IPA)
  - RestrictPublicBuckets (RPB)
Currently known limitations:
- the encryption-at-rest check (2.1.1) only recognises the default AES256 (SSE-S3) algorithm; a bucket whose default encryption uses any other algorithm (e.g. SSE-KMS) is reported as non-compliant
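The following is an added example, not code from s3-cisbench itself, showing how the three policy-shaped checks above can be evaluated offline: CIS 2.1.2 (a Deny statement for all S3 actions and all principals when `aws:SecureTransport` is false) against a bucket policy document, CIS 2.1.5 against the four Block Public Access settings, and CIS 2.1.1 against the default `SSEAlgorithm`. The two bucket policies are constructed samples, and the encryption helper deliberately accepts `aws:kms` as compliant, which is where it differs from the AES256-only behaviour listed in the limitations.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an S3 bucket policy statement needed for CIS 2.1.2.
// Principal and Action may be a string or a list/object in IAM JSON, so they are
// kept raw and decoded by the helpers below.
type Statement struct {
	Effect    string                                `json:"Effect"`
	Principal json.RawMessage                       `json:"Principal"`
	Action    json.RawMessage                       `json:"Action"`
	Condition map[string]map[string]json.RawMessage `json:"Condition"`
}

// Policy is the top-level bucket policy document.
type Policy struct {
	Statement []Statement `json:"Statement"`
}

// PublicAccessBlock mirrors the four settings returned by GetPublicAccessBlock.
type PublicAccessBlock struct {
	BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets bool
}

// asStrings decodes a JSON value that is either a string or an array of strings.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // any other shape yields nil
	return many
}

// isWildcardPrincipal accepts both spellings of "everyone": "*" and {"AWS": "*"}.
func isWildcardPrincipal(raw json.RawMessage) bool {
	if strings.TrimSpace(string(raw)) == `"*"` {
		return true
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, p := range asStrings(obj["AWS"]) {
		if p == "*" {
			return true
		}
	}
	return false
}

// DeniesInsecureTransport implements CIS 2.1.2: a Deny for all S3 actions, for every
// principal, conditioned on aws:SecureTransport being false. A Deny that covers only
// some actions (e.g. s3:GetObject) leaves plaintext uploads possible and does not count.
func DeniesInsecureTransport(policyJSON string) (bool, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, err
	}
	for _, s := range p.Statement {
		if s.Effect != "Deny" || !isWildcardPrincipal(s.Principal) {
			continue
		}
		coversAll := false
		for _, a := range asStrings(s.Action) {
			if a == "s3:*" || a == "*" {
				coversAll = true
			}
		}
		// The condition value is written either as the string "false" or the bool false;
		// indexing a missing Condition/Bool map yields an empty value, not a panic.
		v := strings.Trim(string(s.Condition["Bool"]["aws:SecureTransport"]), `"`)
		if coversAll && strings.EqualFold(v, "false") {
			return true, nil
		}
	}
	return false, nil
}

// MissingPublicAccessBlocks returns the settings that are not enabled, in the order the
// report abbreviates them (BPA, BPP, IPA, RPB). An empty result satisfies CIS 2.1.5.
func MissingPublicAccessBlocks(b PublicAccessBlock) []string {
	var missing []string
	for _, s := range []struct {
		name string
		on   bool
	}{{"BlockPublicAcls", b.BlockPublicAcls}, {"BlockPublicPolicy", b.BlockPublicPolicy},
		{"IgnorePublicAcls", b.IgnorePublicAcls}, {"RestrictPublicBuckets", b.RestrictPublicBuckets}} {
		if !s.on {
			missing = append(missing, s.name)
		}
	}
	return missing
}

// EncryptedAtRest treats SSE-S3 (AES256) and SSE-KMS (aws:kms) default encryption as
// both satisfying CIS 2.1.1; this differs from the AES256-only check noted above.
func EncryptedAtRest(sseAlgorithm string) bool {
	return sseAlgorithm == "AES256" || sseAlgorithm == "aws:kms"
}

// Constructed sample policies for the example bucket (not from any real account).
const compliantPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}`

const partialPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"Bool": {"aws:SecureTransport": false}}}]}`

func main() {
	for name, pol := range map[string]string{"compliant": compliantPolicy, "partial": partialPolicy} {
		ok, err := DeniesInsecureTransport(pol)
		fmt.Printf("2.1.2 %-9s deny-HTTP=%v err=%v\n", name, ok, err)
	}
	bpa := PublicAccessBlock{BlockPublicAcls: true, IgnorePublicAcls: true}
	fmt.Println("2.1.5 missing:", MissingPublicAccessBlocks(bpa)) // [BlockPublicPolicy RestrictPublicBuckets]
	fmt.Println("2.1.1 aws:kms encrypted:", EncryptedAtRest("aws:kms"))
}
```

In a real audit the inputs to these functions come from `GetBucketPolicy`, `GetPublicAccessBlock` and `GetBucketEncryption`; the checks themselves are pure and can be unit tested against captured API responses without any AWS credentials.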
```console
$ s3-cisbench --help
s3-cisbench is a tool that analyses S3 buckets against CIS benchmark rules.

Usage:
  s3-cisbench [flags]
  s3-cisbench [command]

Available Commands:
  audit       Audit S3 buckets against applicable CIS benchmark items
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  list        List AWS S3 buckets.

Flags:
  -d, --debug   Enable verbose logging
  -h, --help    help for s3-cisbench

Use "s3-cisbench [command] --help" for more information about a command.
```
The `audit` command supports dynamic completion of available buckets.
The screenshots below show an early version that did not yet have all benchmark checks.

Using the JSON output together with `jq` for further filtering:
Install via Homebrew:

```shell
brew tap rollwagen/homebrew-tap
brew install rollwagen/tap/s3-cisbench
```

To run directly:

```shell
go run github.com/rollwagen/s3-cisbench@latest --help
```

To build from source:

```shell
git clone https://github.com/rollwagen/s3-cisbench
cd s3-cisbench
make
```