Security Hub is just an aggregate of compliance information from multiple AWS Security or Logging Services, so it's not going to help in this case.
What's going to help here is turning on AWS Config and using the off-the-shelf AWS Config rule provided by AWS, which will tell you if you have public read and write.
AWS Internal Service Zelkova is worth giving a read since it can reason whether you have a public bucket.
Turning on Amazon Macie is a great idea that uses ML to monitor S3.
Pacu is something you'll also want to run against your account to see what you can discover in terms of vulnerabilities around S3.
Posts about Dendron / Docs as Code / DevOps / Linux / AWS / PowerShell / Python / Automating All The Things. Opinions expressed are my own, not those of my employer.
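An added example (not the commenter's code and not an AWS implementation): an offline, simplified approximation of what the managed Config rules S3_BUCKET_PUBLIC_READ_PROHIBITED and S3_BUCKET_PUBLIC_WRITE_PROHIBITED flag, run over constructed bucket settings. It assumes input dicts shaped like the GetBucketPolicy / GetBucketAcl / GetPublicAccessBlock responses, and it does not reason about policy Conditions the way Zelkova does, so conditioned statements are treated as public (over-reporting rather than missing).

```python
"""Heuristic stand-in for the public-read / public-write Config rules (constructed example)."""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:put*", "s3:*", "*"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_everyone(principal):
    # Principal "*" or {"AWS": "*"} means anonymous / any AWS account.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def policy_public_actions(policy_json):
    """Lower-cased actions that some Allow statement grants to everyone (Conditions ignored)."""
    actions = set()
    if not policy_json:
        return actions
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions


def acl_public_permissions(grants):
    """ACL permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return {g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS}


def evaluate_bucket(bucket):
    """bucket: {'PublicAccessBlock': {...}, 'Policy': '<json string>', 'AclGrants': [...]}.
    Returns (public_read, public_write) as the two Config rules would flag them."""
    pab = bucket.get("PublicAccessBlock", {})
    # IgnorePublicAcls neutralises existing public ACL grants;
    # RestrictPublicBuckets limits a public policy to AWS principals only.
    acl = set() if pab.get("IgnorePublicAcls") else acl_public_permissions(bucket.get("AclGrants", []))
    pol = set() if pab.get("RestrictPublicBuckets") else policy_public_actions(bucket.get("Policy"))
    public_read = bool(acl & {"READ", "FULL_CONTROL"}) or bool(pol & READ_ACTIONS)
    public_write = bool(acl & {"WRITE", "FULL_CONTROL"}) or bool(pol & WRITE_ACTIONS)
    return public_read, public_write
```

Feed it the real API responses for each bucket and compare against what the managed rules report; any disagreement is worth a look, since the rules (backed by Zelkova) evaluate Conditions this heuristic skips.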
Wow, awesome recommendations. I have looked at Pacu, heard of Macie, but never knew about Zelkova! Definitely going to take a look.
I'll make the correction about Security Hub. I seem to have misunderstood it to be something more like a suite that included AWS Config, when it's really a viewer of aggregated findings from other services.
EDIT / UPDATE: I didn't know that Zelkova worked as part of the underlying tech for the PUBLIC / not public display labels that eventually appeared within the AWS console in viewing S3, and relevant AWS Config rules. Thanks for the links!
Just to clarify, when you turn on Security Hub it creates a handful of AWS Config rules for you based on the CIS baseline recommendation. So it does automate the creation of some AWS Config rules for you, though just to distinguish: those compliance checks are from AWS Config and not Security Hub.
Ah! Okay, that makes more sense.