
I deployed a NIST CSF conformance pack on my AWS account, via AWS Config, to improve my security posture. One of my resources was non-compliant due to the s3-bucket-policy-grantee-check not passing. Firstly, I do not understand what it means in plain English despite reading it several times (I was hoping someone could simplify the language for me even more).

I have the following bucket policy but cannot seem to figure out why I can't get rid of this violation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>/AWSLogs/<account-number>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::cis-alarms-<account-number>",
                "arn:aws:s3:::cis-alarms-<account-number>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

What am I doing wrong?

PS. This is for a bucket that was provisioned when I created a trail on CloudTrail, and it created this bucket as a trail log bucket.

kryogenic1
  • What input parameters did you use for the rule? – Marcin Aug 17 '21 at 03:21
  • @Marcin I didn't use any. There wasn't an option for this rule to add input rules via manually/automatically managing the remediation. I attempted to solve this by adding the final statement of AllowSSLRequestsOnly, but now I realize it doesn't make sense at all; it's for allowing SSL requests only and not restricting the bucket to AWS principals, users, etc. Let me try to add a statement to enable IAM users to access this bucket and post an update in the comments section. – kryogenic1 Aug 17 '21 at 03:35
  • @Marcin nope, didn't work lol – kryogenic1 Aug 17 '21 at 03:54
  • @Marcin let me clarify. I deployed a conformance pack with this rule pre-made. There wasn't an option to add input parameters. By default, this rule was non-compliant. Any ideas on how to go about resolving this? – kryogenic1 Aug 17 '21 at 23:46
  • Sorry. Don't know more ideas except my previous comment. – Marcin Aug 17 '21 at 23:47
  • @Marcin I figured it out. Because I deployed this rule through a conformance pack, I wasn't able to edit the rule because it is attached to a service-linked role which prevents any edits/deletes to the rules within the conformance pack. When I deployed the rule on its own and put in the necessary inputs (servicePrincipals & awsPrincipals) it worked like a charm and I was able to get rid of the violation. – kryogenic1 Aug 18 '21 at 05:18
  • Glad to hear it worked out. You can answer your own question and accept it as well. – Marcin Aug 18 '21 at 05:20
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/236118/discussion-between-islam-elkadi-and-marcin). – kryogenic1 Aug 18 '21 at 05:24

2 Answers

I figured out what was going on. Because I deployed this rule through a conformance pack, I wasn't able to edit the rule because it is attached to a service-linked role which prevents any edits/deletes to the rules within the conformance pack. When I deployed the rule on its own and put in the necessary inputs (servicePrincipals & awsPrincipals) it worked like a charm and I was able to get rid of the violation.

kryogenic1

The issue is indeed that you need to set the correct principals on the Config Rule. It is possible to configure these settings on the AWS Conformance Pack using CloudFormation using the InputParameters property. For example:

ConformancePackCis:
  Type: AWS::Config::ConformancePack
  Properties:
    ConformancePackName: CISAWSFoundationsBenchmarkLevel2
    TemplateBody: !Sub |-
      Resources:
        S3BucketPolicyGranteeCheck:
          Properties:
            ConfigRuleName: s3-bucket-policy-grantee-check
            InputParameters:
              servicePrincipals: "logging.s3.amazonaws.com"
              awsPrincipals: "${AWS::AccountId},arn:aws:iam::cloudfront:user/*"
            Scope:
              ComplianceResourceTypes:
              - AWS::S3::Bucket
            Source:
              Owner: AWS
              SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          Type: AWS::Config::ConfigRule
Vincent
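To put the rule's check into plain English, here is an added example (not code from the question, either answer, or AWS Config itself) that models what s3-bucket-policy-grantee-check evaluates: every principal that an Allow statement in the bucket policy names must appear in one of the rule's input-parameter allow-lists (awsPrincipals, servicePrincipals, federatedUsers, ipAddresses, vpcIds), otherwise the bucket is NON_COMPLIANT, and a Deny statement such as AllowSSLRequestsOnly grants nothing and so does not count. It runs the question's policy against the parameters from the CloudFormation answer above (where it fails, because cloudtrail.amazonaws.com is not listed) and against a parameter set that names CloudTrail's service principal (where it passes). The matching rules (exact match for service and federated principals, glob or account-ID match for awsPrincipals, ipAddresses/vpcIds not modelled) are my simplifying assumptions, not AWS's published evaluation logic, and the account number is a constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder for the <account-number> in the question; not a real account.
ACCOUNT = "123456789012"

# The CloudTrail log-bucket policy from the question, embedded as sample input.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::cis-alarms-ACCT"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cis-alarms-ACCT/AWSLogs/ACCT/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::cis-alarms-ACCT", "arn:aws:s3:::cis-alarms-ACCT/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""".replace("ACCT", ACCOUNT))

# Input parameters as AWS Config receives them: one comma-separated string each.
# The first set mirrors the CloudFormation answer above; the second names CloudTrail instead.
ANSWER_PARAMETERS = {"servicePrincipals": "logging.s3.amazonaws.com",
                     "awsPrincipals": f"{ACCOUNT},arn:aws:iam::cloudfront:user/*"}
CLOUDTRAIL_PARAMETERS = {"servicePrincipals": "cloudtrail.amazonaws.com"}


def parse_input_parameters(raw):
    """Split each comma-separated parameter string into a list of allowed grantees."""
    return {key: [item.strip() for item in value.split(",") if item.strip()]
            for key, value in raw.items()}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_grantees(statement):
    """Yield (kind, value) for every principal a statement names.
    kind is 'AWS', 'Service' or 'Federated'; the bare wildcard is reported as ('*', '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("*", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def grantee_allowed(kind, value, params):
    """Assumed matching rules: service and federated principals must match exactly;
    an awsPrincipals entry matches by glob (e.g. arn:aws:iam::cloudfront:user/*) or,
    when it is a bare 12-digit account ID, covers every IAM principal in that account."""
    if kind == "*":
        return False  # "Principal": "*" grants to everyone; it can never be in an allow-list
    if kind == "Service":
        return value in params.get("servicePrincipals", [])
    if kind == "Federated":
        return value in params.get("federatedUsers", [])
    if kind == "AWS":
        for entry in params.get("awsPrincipals", []):
            if fnmatchcase(value, entry):
                return True
            if entry.isdigit() and f":{entry}:" in value:
                return True
    return False


def evaluate(policy, params):
    """Return ('COMPLIANT' | 'NON_COMPLIANT', list of (Sid, kind, grantee) not in the allow-lists).
    Only Allow statements grant access, so Deny statements (like AllowSSLRequestsOnly,
    whose Principal is "*") are skipped; the condition-based ipAddresses/vpcIds
    parameters are not modelled here."""
    offenders = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        for kind, value in statement_grantees(statement):
            if not grantee_allowed(kind, value, params):
                offenders.append((statement.get("Sid", "<no Sid>"), kind, value))
    return ("NON_COMPLIANT" if offenders else "COMPLIANT", offenders)


if __name__ == "__main__":
    for label, raw in (("answer's parameters", ANSWER_PARAMETERS),
                       ("CloudTrail parameters", CLOUDTRAIL_PARAMETERS)):
        status, offenders = evaluate(QUESTION_POLICY, parse_input_parameters(raw))
        print(f"{label}: {status}")
        for sid, kind, grantee in offenders:
            print(f"  statement {sid} grants {kind}:{grantee}, which is not in the allow-lists")
```

Running it reports the question's policy as NON_COMPLIANT under the answer's parameters (both CloudTrail statements grant access to a service principal that is not listed) and COMPLIANT once cloudtrail.amazonaws.com is in servicePrincipals, which is the same outcome the asker reached by deploying the rule with its inputs filled in. The script is a local reasoning aid for reading the rule's result; the authoritative evaluation remains the one AWS Config runs.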