From cda681784f2a92ad3198e3519838790dbb87d884 Mon Sep 17 00:00:00 2001
From: Achraf MOUSSADEK KABDANI
Date: Mon, 10 Mar 2025 18:42:54 +0100
Subject: [PATCH 1/3] add: S3 specific control to prevent long term presigned URLs
---
.../S3-Prevent-long-term-presigned-url.json | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 Service-specific-controls/S3-Prevent-long-term-presigned-url.json
diff --git a/Service-specific-controls/S3-Prevent-long-term-presigned-url.json b/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
new file mode 100644
index 0000000..0c07dba
--- /dev/null
+++ b/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:*",
+ "Resource": "*",
+ "Condition": {
+ "NumericLessThan": {
+ "s3:signatureAge": [
+ "[MAX_SIGNATURE_AGE_IN_MILLISECONDS]"
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
From d7e2da6e3c48f0d0fc2c4b503903ca97a0f0a045 Mon Sep 17 00:00:00 2001
From: Achraf MOUSSADEK KABDANI
Date: Thu, 13 Mar 2025 17:18:57 +0100
Subject: [PATCH 2/3] update: README service-specific controls
---
Service-specific-controls/Service-specific-controls.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/Service-specific-controls/Service-specific-controls.md b/Service-specific-controls/Service-specific-controls.md
index 99598f3..4e9e978 100644
--- a/Service-specific-controls/Service-specific-controls.md
+++ b/Service-specific-controls/Service-specific-controls.md
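Review bot: The statement in this hunk carries `"Principal": "*"`, which makes the file an RCP-shaped policy; an SCP rejects a `Principal` element, so this control cannot be attached as an SCP without editing it. The neighbouring rows in Service-specific-controls.md end with "This control can be implemented using either SCP or RCP.", but the row this series adds names no policy type, so its description should say `This control is implemented as an RCP (the statement carries a Principal element).` It is also worth stating in that description that the Deny is scoped by the condition rather than being a blanket `s3:*` deny: a numeric condition on a key that is absent from the request evaluates to false, so requests on which `s3:signatureAge` is not populated (presumably everything that is not a presigned request — confirm against the condition-key documentation) are unaffected. Minor: the new file ends without a trailing newline (`\ No newline at end of file`).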
@@ -13,6 +13,7 @@
 |Amazon Simple Storage Service (S3)|[Deny users from modifying S3 Block Public Access (Account-Level)](S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access Account level settings.Note: When you apply block public access settings to an account, the settings apply to all AWS Regions globally. This control can be implemented using either SCP or RCP.|
 |Amazon Simple Storage Service (S3)|[Prevent S3 buckets from being made public (Bucket level)](S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access bucket level settings. This control can be implemented using either SCP or RCP.|
 |Amazon Simple Storage Service (S3)|[Prevents usage of customer-provided encryption keys (SSE-C) for S3 buckets (Bucket level)](S3-Deny-SSE-C.json) |Deny the use of customer-provided encryption keys (SSE-C) across the organization.
This security measure helps ensure all S3 bucket encryption remains under organizational control by denying the use of S3 with SSE-C.|
+|Amazon Simple Storage Service (S3)|[Prevents long term presigned URLs](S3-Prevent-long-term-presigned-url.json) |Deny the use of presigned URL with a signature age greater than the configured expiration time.|
 |AWS Key Management Service (KMS)|[Require an AWS Key Management Service key policy limiting creation of AWS KMS grants to AWS services](KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json) |Prevent grants from being assigned directly to principals other than AWS service principals to reduce the opportunities for grant misuse.|
 |AWS Key Management Service (KMS)|[Deny AWS Key Management Service asymmetric key with RSA key material with key length of 2048 bits](KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json) |Stronger RSA keys (3072-bit or 4096-bit) are recommended to provide better security.|
 |AWS Key Management Service (KMS)|[Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled](KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json) |Deny bypassing the KMS key policy lockout safety check when creating a KMS key or updating its key policy, because bypassing this check increases the risk that a KMS key becomes unmanageable.|
From 395373225ebc5c82c37935583f415149ed298a83 Mon Sep 17 00:00:00 2001
From: Achraf MOUSSADEK KABDANI
Date: Thu, 13 Mar 2025 17:28:04 +0100
Subject: [PATCH 3/3] update condition for s3 presigned URLs
---
.../S3-Prevent-long-term-presigned-url.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Service-specific-controls/S3-Prevent-long-term-presigned-url.json b/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
index 0c07dba..7f16a24 100644
--- a/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
+++ b/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
@@ -7,7 +7,7 @@
 "Action": "s3:*",
 "Resource": "*",
 "Condition": {
- "NumericLessThan": {
+ "NumericGreaterThan": {
 "s3:signatureAge": [
 "[MAX_SIGNATURE_AGE_IN_MILLISECONDS]"
 ]
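Review bot: With `NumericGreaterThan` in place the condition now denies requests whose signature age exceeds the threshold, but the threshold line below it is still the bracketed placeholder `"[MAX_SIGNATURE_AGE_IN_MILLISECONDS]"` inside a one-element array, and the repository gives no example value or range, so an operator has only the placeholder name to go on. `s3:signatureAge` is compared in milliseconds, so a ten-minute cap would be written `"s3:signatureAge": "600000"` (constructed example); the single-element array can be a bare value. The description the series adds to Service-specific-controls.md, "greater than the configured expiration time", reads as the URL's own expiry rather than the value in this policy; `Deny presigned requests whose signature age exceeds the maximum age, in milliseconds, configured in the policy.` states what the condition actually checks. The enclosing statement begins before this hunk.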