Introduction
Amazon S3 buckets are foundational storage resources in our AWS cloud infrastructure that require stringent access control to maintain security. This document establishes 5X's formal process for periodic review of S3 bucket access permissions, ensuring we follow the principle of least privilege and implement appropriate controls for any buckets requiring public access. This process has been developed in alignment with our SOC 2 Type II compliance requirements and forms a critical component of our overall security posture.
Purpose and Scope
The purpose of this review process is to systematically evaluate all S3 buckets in our AWS environment, verify appropriate access controls, identify potential security risks, and remediate any issues. This process applies to all S3 buckets across all AWS accounts utilized by 5X, regardless of their purpose or the data they contain.
Review Frequency and Responsibility
S3 bucket access reviews will be conducted:
Monthly for buckets containing Customer Data or Company Data Quarterly for all other buckets Ad-hoc whenever significant infrastructure changes occur The Security team, in collaboration with the Engineering Operations team, will be responsible for coordinating and documenting these reviews, with Data Owners participating to validate business requirements.
Review Process
1. Inventory Collection
Before each review cycle, we collect a comprehensive inventory of all S3 buckets across our AWS environment:
The Security team uses AWS Config rules and CloudFormation stack queries to generate a complete list of S3 buckets For each bucket, we capture: Bucket name and AWS account ID Data classification category Current access configuration 2. Access Configuration Analysis
For each identified bucket, we analyze the current access configuration:
Identify any policy statements granting public access Review IAM principals with access and their permission scope Validate conditional statements restricting access Check for overly permissive wildcards or Principal:"*" statements Verify if the bucket uses legacy ACLs Identify any ACL grants to the AllUsers or AuthenticatedUsers groups Document any custom ACL configurations Public access block settings: Check account-level block public access settings Review bucket-level block public access settings Identify any overrides of account-level settings Identify any permissions granted to external AWS accounts Verify legitimacy and necessity of cross-account access Confirm appropriate restrictions on cross-account permissions 3. Risk Evaluation
Based on the access configuration analysis, we evaluate the risk level of each bucket:
Public write access enabled Public read access for sensitive data categories Overly permissive policies (e.g., "Action": "*") Lack of encryption for sensitive data Public read access to non-sensitive data Broad cross-account permissions Minimal conditional restrictions on access Properly restricted access following least privilege Appropriate use of IAM roles and user permissions Strong conditional access policies Proper encryption and logging enabled 4. Business Justification Validation
For any bucket with public access or cross-account sharing enabled:
The Security team contacts the bucket owner to: Confirm the business purpose for the current access configuration Validate the continued need for such access Document the justification in the review record Business justifications are assessed against these criteria: Is public/cross-account access essential for the intended function? Are there more secure alternatives that could achieve the same goal? Is the scope of access appropriately limited to what's necessary? Are compensating controls in place to mitigate associated risks? 5. Remediation Planning and Implementation
For any identified issues or unwarranted access:
The Security team creates remediation tasks categorized by severity: Critical: Immediate remediation required (same day) High: Remediation within 7 days Medium: Remediation within 30 days Low: Remediation or acceptance within 90 days Remediation options typically include: Enabling bucket-level Block Public Access settings Revising bucket policies to remove unnecessary permissions Implementing appropriate IAM roles for access Enabling encryption and access logging Migrating public content to content delivery solutions Implementation and verification: Changes are implemented by the bucket owner or Infrastructure team The Security team verifies the changes resolve the identified issues Any exceptions are documented and approved by the CISO 6. Documentation and Reporting
All review activities are meticulously documented:
Each review cycle generates: A complete inventory report of all S3 buckets Access configuration details for each bucket Risk assessment ratings for each bucket Business justifications for any public or cross-account access Remediation plans for identified issues Implementation status of previous remediation activities Review records are maintained in our Vanta system, with: Timestamped records of review completion Sign-off by the Security team and bucket owners Full audit trail of changes made Documentation of exception approvals Executive summary reports are provided to leadership, highlighting: Overall security posture of S3 storage High-risk findings and remediation status Trends from previous reviews Recommendations for security improvements Technical Implementation
To support and partially automate the review process, we implement multiple technical controls:
1. Continuous Monitoring
s3-bucket-public-read-prohibited s3-bucket-public-write-prohibited s3-bucket-ssl-requests-only s3-bucket-server-side-encryption-enabled Alerts for any changes to bucket policies or ACLs Notifications for new bucket creation Monitoring of Block Public Access setting changes Integration of S3-related security findings Automated security checks against AWS best practices Consolidated view of security posture 2. Automated Inventory Tools
We utilize AWS tools to maintain an accurate inventory:
Cross-account discovery of S3 resources Tag-based resource organization Weekly bucket inventory generation Configuration analysis and comparison to previous state Detection of drift from secure baselines Centralized visualization of bucket inventory Automated remediation actions for common issues 3. Access Visualization and Analysis
To simplify complex access policies, we employ:
Identification of buckets accessible from outside their account Detailed findings on access paths Validation of policy changes before implementation Custom policy visualization tools: Graphical representation of bucket access Identification of overlapping or conflicting permissions Simplified reporting for non-technical stakeholders Best Practices
During each review, we apply these S3 security best practices:
Default to block public access: Enable account-level S3 Block Public Access settings Only disable at bucket level with specific justification Use IAM roles and policies instead of bucket policies when possible: Grant permissions to specific IAM roles rather than broad principals Use resource-based conditions to limit scope Implement least privilege access: Grant only the specific permissions needed (e.g., GetObject instead of * actions) Use path-based restrictions to limit access to specific prefixes Enable default encryption on all buckets Use KMS keys for sensitive data categories Configure access logging for all buckets containing sensitive data Review logs regularly for unauthorized access attempts Use presigned URLs for temporary access: Instead of public access, use time-limited presigned URLs Implement short expiration times appropriate to the use case Enable versioning to protect against accidental deletion Establish lifecycle policies for version management Roles and Responsibilities
The following roles participate in the S3 bucket access review process:
Coordinates the overall review process Performs technical analysis of bucket configurations Identifies security issues and vulnerabilities Validates remediation effectiveness Engineering Operations Team: Provides infrastructure expertise Implements technical controls for monitoring Assists with complex remediation actions Develops automation to support the review process Bucket Owners/Development Teams: Provide business justification for access configurations Implement required changes to bucket policies Validate functionality after security changes Integrate security best practices into development workflows Validate data classification of bucket contents Approve access requirements based on business needs Ensure compliance with data governance policies CISO/Security Leadership: Approves exceptions to security standards Reviews summary findings from each review cycle Ensures alignment with overall security strategy Conclusion
This S3 bucket access review process demonstrates 5X's commitment to maintaining the highest standards of security for our cloud infrastructure. By systematically reviewing access configurations, validating business requirements, and remediating issues, we protect both our company and customer data from unauthorized access while ensuring our systems remain functional and efficient.
The process balances security requirements with operational needs, applying the principle of least privilege while acknowledging legitimate business cases for controlled public access. Through consistent application of this process, 5X maintains compliance with our SOC 2 Type II requirements and enforces AWS best practices across our environment.
