DEV Community

Discussion on: Avoid This AWS Security Blunder, or Make The News

Collapse
 
andrewbrown profile image
Andrew Brown 🇨🇦

Security Hub is just an aggerate of compliance information from multiple AWS Security or Logging Services so it's not going to help in this case.

What's going to help here is turning on AWS Config and using the off-the-shelf AWS Config rule provided by AWS which will tell you if you have public read and write

AWS Internal Service Zelkova is worth giving a read since it can reason whether your have a public bucket.

Turning on Amazon Macie is a great idea that uses ML to monitor S3.

Pacu is something you'll also want to run against your account to see what you can discover in terms of vulnerabilities around S3.

Collapse
 
scriptautomate profile image
Derek Ardolf • Edited

Wow, awesome recommendations. I have looked at Pacu, heard of Macie, but never knew about Zelkova! Definitely going to take a look.

I'll make the correction about Security Hub. I seem to have misunderstood it to be something more like a suite that included AWS Config, when it's really a viewer of aggregated findings from other services.

EDIT / UPDATE: I didn't know that Zelkova worked as part of the underlying tech for the PUBLIC / not public display labels that eventually appeared within the AWS console in viewing S3, and relevant AWS Config rules. Thanks for the links!

Collapse
 
andrewbrown profile image
Andrew Brown 🇨🇦

Just to clarify when you turn on Security Hub is creates a handful of AWS Config rules for you based on the CIS baseline recommendation. So it does automate the creation of some AWS Config rules for you though just distinguishing that those compliance checks are from AWS Config and not Security Hub.

Thread Thread
 
scriptautomate profile image
Derek Ardolf • Edited

Ah! Okay, that makes more sense