Automatically remediate soft configurations for S3 Bucket
Description
This playbook describes how to remediate soft misconfigurations on S3 buckets.
The script has a revert option that reverses a previously applied action on the same buckets.
Execution uses AWS credentials resolved through the following fallbacks:
- If an AWS profile, or an AWS access key and secret, is given, it is used as the credentials source.
- If no profile is given, the AWS credentials in environment variables are used.
- If no environment variables are set, the current ~/.aws configuration is used.
After authenticating with the AWS API, the script runs against the AWS account that the credentials resolved by fallbacks 1–3 belong to.
The script applies granular S3 settings (server access logging, default encryption, versioning, MFA delete and the public access block) one bucket at a time, so it can be run by hand or wired into event-driven automation, for example a Lambda function triggered by an AWS Config rule. It suits DevOps and SecOps teams that need to keep S3 configuration consistent across many accounts and environments with little manual effort.
Severity Level
High: this playbook remediates S3 misconfigurations (missing default encryption, logging, versioning, MFA delete or public access block) that can lead to data exposure, loss of audit trail or compliance failures.
Prerequisites
- AWS credentials defined on the execution machine with permission to change S3 bucket configuration (for example s3:PutBucketLogging, s3:PutEncryptionConfiguration, s3:PutBucketVersioning and s3:PutBucketPublicAccessBlock). The mfa_protection action additionally requires root user credentials, see Parameter Usage below.
- Python v3.6 and above with the boto3 package installed (pip install boto3).
Playbook steps:
- Based on the given action, the script will run the relevant API call.
- Some actions may require additional parameters, provided via the actionParmas property:
  - For action server_logging: {"target_bucket": "The name of the S3 bucket that will contain the logs"}
  - For action encryption: {"kms": "The ARN of the KMS managed key to use"}
  - For action mfa_protection: {"mfa": "The concatenation of the authentication device's serial number, a space, and the MFA code"}. Example: {"mfa": "arn:aws:iam::123456789:mfa/bob 572055"}
  - For bucket public access configuration (optional): BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, or RestrictPublicBuckets (True/False).
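The playbook steps above, the credential fallback chain from the description and the revert flag, as an added example in Python. This is not the playbook's own S3_Soft_Configuration_Handler.py; it assumes the public access action is called public_access, that encryption without a kms key falls back to SSE-S3 (AES256), and that revert means disable logging, delete the encryption configuration, suspend versioning, disable MFA delete and delete the public access block. Building the API request is kept separate from the boto3 call so the apply/revert logic can be checked offline.

```python
"""Hypothetical rewrite of the playbook's remediation logic, not the original
S3_Soft_Configuration_Handler.py. Request building is pure so it is testable."""
import json
from typing import Any, Dict, Optional, Tuple

# Keys each action needs in --actionParmas, from the help text above. The action
# name "public_access" and the AES256 fallback for encryption without "kms" are
# assumptions, not documented by the page.
REQUIRED_PARAMS = {
    "server_logging": ("target_bucket",),
    "encryption": (),
    "versioning": (),
    "mfa_protection": ("mfa",),
    "public_access": (),
}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def parse_action_params(raw: Optional[str], action: str) -> Dict[str, Any]:
    """Parse the --actionParmas JSON string and check the action's required keys."""
    if action not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported action: {action}")
    params = json.loads(raw) if raw else {}
    if not isinstance(params, dict):
        raise ValueError("actionParmas must be a JSON object")
    missing = [k for k in REQUIRED_PARAMS[action] if k not in params]
    if missing:
        raise ValueError(f"action {action} needs actionParmas keys {missing}")
    return params


def build_request(action: str, bucket: str, params: Dict[str, Any],
                  revert: bool = False) -> Tuple[str, Dict[str, Any]]:
    """Return (S3 client method name, kwargs) that applies or reverts the action."""
    if action == "server_logging":
        status = {} if revert else {"LoggingEnabled": {
            "TargetBucket": params["target_bucket"], "TargetPrefix": f"{bucket}/"}}
        return "put_bucket_logging", {"Bucket": bucket, "BucketLoggingStatus": status}
    if action == "encryption":
        if revert:
            return "delete_bucket_encryption", {"Bucket": bucket}
        default = {"SSEAlgorithm": "AES256"}  # SSE-S3 when no KMS key is given (assumption)
        if params.get("kms"):
            default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": params["kms"]}
        return "put_bucket_encryption", {"Bucket": bucket, "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}
    if action == "versioning":
        # S3 cannot disable versioning once enabled, so revert means "Suspended".
        return "put_bucket_versioning", {"Bucket": bucket, "VersioningConfiguration": {
            "Status": "Suspended" if revert else "Enabled"}}
    if action == "mfa_protection":
        # Enabling and disabling MFA delete both need the MFA header ("serial code")
        # and root-user credentials, and the bucket must be versioned.
        return "put_bucket_versioning", {"Bucket": bucket, "MFA": params["mfa"],
            "VersioningConfiguration": {"Status": "Enabled",
                                        "MFADelete": "Disabled" if revert else "Enabled"}}
    if action == "public_access":
        if revert:
            return "delete_public_access_block", {"Bucket": bucket}
        config = {flag: bool(params.get(flag, True)) for flag in PUBLIC_ACCESS_FLAGS}
        return "put_public_access_block", {"Bucket": bucket, "PublicAccessBlockConfiguration": config}
    raise ValueError(f"unsupported action: {action}")


def build_session(profile: Optional[str] = None, access_key: Optional[str] = None,
                  secret_key: Optional[str] = None):
    """Credential fallback from the playbook: explicit profile or key pair first,
    otherwise boto3's default chain (environment variables, then ~/.aws)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    if profile:
        return boto3.Session(profile_name=profile)
    if access_key and secret_key:
        return boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    return boto3.Session()


def remediate(session, action: str, buckets: str, raw_params: Optional[str],
              revert: bool = False) -> Dict[str, str]:
    """Apply (or revert) one action to a comma-separated bucket list. Returns
    {bucket: S3 method called} so the caller can log exactly what was changed."""
    params = parse_action_params(raw_params, action)
    s3 = session.client("s3")
    applied = {}
    for bucket in [b.strip() for b in buckets.split(",") if b.strip()]:
        method, kwargs = build_request(action, bucket, params, revert)
        getattr(s3, method)(**kwargs)  # raises botocore ClientError on AccessDenied etc.
        applied[bucket] = method
    return applied
```

A real run maps the page's flags onto the last two functions, for example remediate(build_session("myProfile"), "versioning", "b1,b2", None) or, with revert, remediate(build_session("myProfile"), "encryption", "myBucket", None, True). Because parse_action_params and build_request never touch the network, a pipeline can validate the actionParmas JSON and review the exact API call it will make before any credentials are involved.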
Script Help Page
Welcome To S3 soft remediation
Dependencies:
This script handles soft configuration to remediate S3 misconfigurations.
Supported Actions:
1. Bucket Server-side Logging
Params: {"target_bucket": "<Target S3 bucket for logs>"}
2. Bucket Server-side Encryption
Params: {"kms": "<KMS key ARN>"}
3. Bucket Versioning
4. Bucket MFA Deletion Protection
Params: {"mfa": "<Device serial number and MFA code>"}
Example: {"mfa": "arn:aws:iam::123456789:mfa/bob 572055"}
5. Bucket Configure Public Access
Optional Params: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets (True/False)
AWS Docs Reference:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html
Execution Examples
python3 S3_Soft_Configuration_Handler.py --profile <profile> --action <action> --bucketNames <b1,b2,...> \
--actionParmas '<json>' --revert <true|false>
Examples (quote the JSON so the shell passes the double quotes through to the script unchanged):
python3 S3_Soft_Configuration_Handler.py --profile myProfile --action server_logging --bucketNames myBucket \
--actionParmas '{"target_bucket":"logBucket"}' --revert false
python3 S3_Soft_Configuration_Handler.py --profile myProfile --action encryption --bucketNames myBucket \
--actionParmas '{"kms":"arn:aws:kms:region:acct:key/id"}' --revert false
python3 S3_Soft_Configuration_Handler.py --profile myProfile --action versioning --bucketNames myBucket --revert false
python3 S3_Soft_Configuration_Handler.py --profile myProfile --action mfa_protection --bucketNames myBucket \
--actionParmas '{"mfa":"arn:aws:iam::123456789:mfa/bob 572055"}' --revert false
Parameter Usage
- logLevel: The logging level (optional). Default is Info.
- profile: AWS profile to use for script execution.
- action: The S3 action to execute (server_logging, encryption, versioning, mfa_protection).
  Note: For mfa_protection, execution must occur as the root user as per AWS requirements.
  AWS MFA Deletion Documentation
- bucketNames: A comma-separated list of bucket names (e.g., b1,b2,b3).
- actionParmas: Key-value dictionary of action-specific parameters.
- revert: Boolean flag to indicate if the action should be reversed.
FAQ
What is soft misconfiguration in Amazon S3, and why is it important to remediate it?
Soft misconfigurations are S3 bucket settings that do not break functionality but weaken security or compliance: no default encryption, versioning disabled, no server access logging, no MFA delete, or the public access block left off. Remediating them with this playbook reduces exposure and keeps bucket configuration consistent without manual work.
How does this script support auto remediation in AWS environments?
The script wraps the S3 API calls that enable server access logging, default encryption, versioning, MFA delete and the public access block, and takes the action, bucket list and parameters on the command line, so it can be invoked unattended from any workflow that detects configuration drift and re-run until the bucket matches the expected settings.
Can this tool be integrated with AWS Config for automatic remediation of S3 issues?
Yes. The script needs only AWS credentials and its command-line arguments, so it can be invoked from a Lambda function or another event-driven workflow triggered by an AWS Config rule evaluation, provided the invoking role has the S3 permissions listed under Prerequisites. The exception is mfa_protection: it requires root user credentials and a current MFA code, so it is not suited to unattended automation.
What AWS permissions are required for successful execution of the remediation script?
The machine running the script needs AWS credentials allowed to change the bucket settings the chosen action touches, for example s3:PutBucketLogging, s3:PutEncryptionConfiguration, s3:PutBucketVersioning and s3:PutBucketPublicAccessBlock. For mfa_protection the credentials must belong to the account root user. Grant only the permissions for the actions you actually run rather than a broad s3:* policy.
How do I use this tool to enforce AWS Config S3 compliance rules?
Run the script from a CI/CD pipeline, or from a Lambda function that an AWS Config rule triggers when a bucket is evaluated as non-compliant, passing the action that matches the rule (for example encryption for a bucket without default encryption). The bucket is returned to the expected setting without manual intervention.
Is it possible to revert remediation actions, and how is that managed?
Yes. The --revert flag reverses a previously executed action on the same buckets, which is useful when testing a change or rolling it back. Two caveats: S3 cannot disable versioning once it has been enabled, only suspend it, and reverting mfa_protection still requires root user credentials and an MFA code.
Does this playbook support multi-account or cross-region S3 remediation?
The script uses whichever credentials it is given (profile, environment variables, or ~/.aws) and acts on the account those credentials belong to. There is no built-in multi-account mode, so to remediate several accounts run it once per account with a different profile. Bucket names are global, so bucketNames does not need a region.
What are some common use cases for automating S3 security configurations with this script?
Common use cases are enforcing default encryption, enabling MFA delete on buckets holding critical data, applying the public access block, enabling versioning and turning on server access logging, either as a one-off sweep over a comma-separated bucket list or as an automated response to detected drift.