This document provides a comprehensive overview of the compliance frameworks and security checks supported by the S3 Security Scanner.
The tool currently supports nine major compliance frameworks:
| Framework | Version | Official Documentation |
|---|---|---|
| CIS AWS Foundations Benchmark | v3.0.0 | CIS Benchmarks • AWS Security Hub Docs |
| AWS Foundational Security Best Practices (FSBP) | v1.0.0 | AWS FSBP Documentation |
| PCI DSS | v4.0 | AWS PCI DSS Whitepaper • AWS Config PCI DSS 4.0 |
| HIPAA Security Rule | 45 CFR Part 164 | AWS HIPAA Conformance Pack • GitHub Template |
| SOC 2 Type II | 2017 TSC (2022 Update) | AICPA SOC 2 |
| ISO 27001 | 2022 | ISO Official Standard |
| ISO 27017 | 2015 | ISO Official Standard • AWS ISO 27017 FAQ |
| ISO 27018 | 2019 | ISO Official Standard |
| GDPR | (EU) 2016/679 | EUR-Lex Official Text • GDPR Info |
Official Documentation: CIS Benchmarks | AWS Security Hub CIS Standard
Coverage: 6/6 S3-related controls (100%)
Note: CIS Benchmark v5.0.0 is now available. This tool implements v3.0.0 controls which remain valid and are fully supported by AWS Security Hub.
| Control ID | Description | Severity | Status |
|---|---|---|---|
| S3.1 | S3 buckets should have block public access settings enabled | HIGH | ✅ |
| S3.5 | S3 buckets should require requests to use SSL | MEDIUM | ✅ |
| S3.8 | S3 buckets should block public access | HIGH | ✅ |
| S3.20 | S3 buckets should have MFA delete enabled | MEDIUM | ✅ |
| S3.22 | S3 buckets should have object-level logging for write events | LOW | ✅ |
| S3.23 | S3 buckets should have object-level logging for read events | LOW | ✅ |
Official Documentation: AWS FSBP Standard | S3 Controls Reference
Coverage: 11/11 S3-related controls (100%)
| Control ID | Description | Severity | Status |
|---|---|---|---|
| S3.1 | S3 general purpose buckets should have block public access settings enabled | HIGH | ✅ |
| S3.2 | S3 general purpose buckets should block public read access | HIGH | ✅ |
| S3.3 | S3 general purpose buckets should block public write access | HIGH | ✅ |
| S3.5 | S3 general purpose buckets should require requests to use SSL | MEDIUM | ✅ |
| S3.6 | S3 general purpose bucket policies should restrict access to other AWS accounts | HIGH | ✅ |
| S3.8 | S3 general purpose buckets should block public access | HIGH | ✅ |
| S3.9 | S3 general purpose buckets should have server access logging enabled | LOW | ✅ |
| S3.12 | ACLs should not be used to manage user access to S3 general purpose buckets | MEDIUM | ✅ |
| S3.13 | S3 general purpose buckets should have Lifecycle configurations | LOW | ✅ |
| S3.19 | S3 access points should have block public access settings enabled | HIGH | ✅ |
| S3.24 | S3 Multi-Region Access Points should have block public access settings enabled | HIGH | ✅ |
Enhanced Access Control (S3.2, S3.3, S3.8):
- Comprehensive public access detection through multiple layers
- Bucket policy analysis for public permissions
- ACL grants analysis for public read/write access
- Block public access settings validation
Cross-Account Security (S3.6):
- Detection of cross-account access permissions in bucket policies
- Analysis of external account principals
- Validation of proper access restrictions
ACL Management (S3.12):
- Detection of ACL grants beyond standard owner permissions
- Identification of buckets using ACLs for access management
- Recommendation to use bucket policies instead
Advanced Infrastructure (S3.19, S3.24):
- S3 Access Points public access block validation
- Multi-Region Access Points security configuration
- Account-level access point security assessment
Official Documentation: PCI DSS v4.0 Whitepaper | AWS Config PCI DSS 4.0 | AWS Security Hub PCI DSS
Coverage: 10/10 S3-related controls (100%)
Important Note: PCI DSS v4.0 does not define specific S3 controls. The controls below are AWS Config rules recommended by AWS for PCI DSS compliance environments. These implement AWS security best practices that support PCI DSS cardholder data protection requirements.
| Control ID | AWS Config Rule | Description | Severity | Status |
|---|---|---|---|---|
| S3.1 | s3-bucket-public-access-prohibited | S3 buckets should prohibit public access | HIGH | ✅ |
| S3.5 | s3-bucket-ssl-requests-only | S3 buckets should require requests to use SSL | HIGH | ✅ |
| S3.8 | s3-bucket-public-read-prohibited | S3 buckets should prohibit public read access | HIGH | ✅ |
| S3.9 | s3-bucket-logging-enabled | S3 buckets should have access logging configured | HIGH | ✅ |
| S3.15 | s3-bucket-default-lock-enabled | S3 buckets should have object lock enabled | MEDIUM | ✅ |
| S3.17 | s3-bucket-server-side-encryption-enabled | S3 buckets should have server-side encryption enabled | HIGH | ✅ |
| S3.19 | s3-bucket-public-write-prohibited | S3 buckets should prohibit public write access | HIGH | ✅ |
| S3.22 | s3-bucket-level-public-access-prohibited | S3 bucket level public access should be prohibited | HIGH | ✅ |
| S3.23 | s3-bucket-versioning-enabled | S3 buckets should have versioning enabled | MEDIUM | ✅ |
| S3.24 | s3-bucket-replication-enabled | S3 buckets should have cross-region replication enabled | LOW | ✅ |
Cardholder Data Protection (Requirements 3 & 4):
- S3.5: Enforces encryption in transit through SSL/TLS requirements
- S3.17: Ensures encryption at rest for stored cardholder data
- S3.15: Protects audit trails from unauthorized modification via Object Lock
Access Controls (Requirement 7):
- S3.1, S3.8, S3.19, S3.22: Comprehensive public access prevention
- S3.23: Enables versioning for data integrity and recovery
Monitoring and Logging (Requirement 10):
- S3.9: Provides access logging for cardholder data access tracking
- S3.24: Ensures backup and disaster recovery through replication
These controls map to PCI DSS requirements as follows:
- Requirement 3.4: Encryption in transit → S3.5
- Requirement 3.4.2: Encryption at rest → S3.17
- Requirement 7: Access controls → S3.1, S3.8, S3.19, S3.22
- Requirement 10.2: Audit logging → S3.9
- Requirement 10.5.2: Audit trail protection → S3.15
Official Documentation: HIPAA Conformance Pack | GitHub Template | 45 CFR Part 164
Coverage: 7/7 S3-related controls (100%)
Important Note: HIPAA Security Rule does not define specific S3 controls. The controls below are AWS Config rules from the HIPAA Security Rule Conformance Pack recommended by AWS for HIPAA compliance environments.
| Control ID | AWS Config Rule | HIPAA Section | Description | Severity | Status |
|---|---|---|---|---|---|
| s3-bucket-server-side-encryption-enabled | s3-bucket-server-side-encryption-enabled | §164.312(a)(2)(iv) | S3 buckets should have server-side encryption enabled | HIGH | ✅ |
| s3-bucket-ssl-requests-only | s3-bucket-ssl-requests-only | §164.312(e)(1) | S3 buckets should require requests to use SSL | HIGH | ✅ |
| s3-bucket-logging-enabled | s3-bucket-logging-enabled | §164.312(b) | S3 buckets should have access logging configured | HIGH | ✅ |
| s3-bucket-public-read-prohibited | s3-bucket-public-read-prohibited | §164.312(a)(1) | S3 buckets should prohibit public read access | HIGH | ✅ |
| s3-bucket-public-write-prohibited | s3-bucket-public-write-prohibited | §164.312(a)(1) | S3 buckets should prohibit public write access | HIGH | ✅ |
| s3-bucket-versioning-enabled | s3-bucket-versioning-enabled | §164.308(a)(7)(ii)(A) | S3 buckets should have versioning enabled | MEDIUM | ✅ |
| s3-bucket-default-lock-enabled | s3-bucket-default-lock-enabled | §164.308(a)(1)(ii)(D) | S3 buckets should have object lock enabled | MEDIUM | ✅ |
PHI Data Protection (§164.312(a)(2)(iv) & §164.312(e)(1)):
- s3-bucket-server-side-encryption-enabled: Ensures encryption at rest for stored PHI
- s3-bucket-ssl-requests-only: Enforces encryption in transit through SSL/TLS requirements
Access Controls (§164.312(a)(1)):
- s3-bucket-public-read-prohibited: Prevents unauthorized access to PHI through public read permissions
- s3-bucket-public-write-prohibited: Prevents unauthorized modification of PHI through public write permissions
Audit Controls (§164.312(b)):
- s3-bucket-logging-enabled: Provides access logging for tracking PHI access and modifications
Data Backup and Security (§164.308(a)(7)(ii)(A) & §164.308(a)(1)(ii)(D)):
- s3-bucket-versioning-enabled: Enables data backup and recovery for PHI
- s3-bucket-default-lock-enabled: Protects audit trails and critical PHI from unauthorized deletion
These controls map to HIPAA Security Rule requirements as follows:
- §164.312(a)(2)(iv): Encryption and decryption → s3-bucket-server-side-encryption-enabled
- §164.312(e)(1): Transmission security → s3-bucket-ssl-requests-only
- §164.312(b): Audit controls → s3-bucket-logging-enabled
- §164.312(a)(1): Access control → s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited
- §164.308(a)(7)(ii)(A): Data backup plan → s3-bucket-versioning-enabled
- §164.308(a)(1)(ii)(D): Assigned security responsibility → s3-bucket-default-lock-enabled
Note: This implementation focuses on S3-specific technical controls from the AWS Config HIPAA Security Rule Conformance Pack. HIPAA has additional administrative and physical safeguards that are outside the scope of S3 bucket configuration scanning, such as:
- Risk assessments and management (§164.308(a)(1)(i))
- Workforce access management (§164.308(a)(3))
- Application-level session controls (§164.308(a)(5))
- Comprehensive identity management (§164.312(a)(2)(i))
- Cross-system integrity protection (§164.312(d))
These controls require organizational processes, documentation review, and multi-system analysis that extend beyond automated S3 security scanning.
Official Documentation: AICPA SOC 2 | Trust Services Criteria (2017, revised 2022)
Coverage: 12 controls supporting TSC (Variable compliance based on selected criteria)
Important Note: SOC 2 is a flexible framework where organizations choose which Trust Service Criteria (TSC) to implement based on their business needs. The Security criteria (CC) is mandatory for all SOC 2 engagements, while Availability (A), Confidentiality (C), Processing Integrity (PI), and Privacy (P) are optional.
- Security (CC) - 6 controls (Mandatory for all SOC 2)
- Availability (A) - 3 controls (Optional)
- Confidentiality (C) - 1 control (Optional)
- Processing Integrity (PI) - 1 control (Optional)
- Privacy (P) - 1 control (Optional)
| Control ID | TSC Reference | Description | Severity | Status |
|---|---|---|---|---|
| SOC2-CC-ENCRYPTION-REST | CC6.6 - Data Encryption | S3 buckets must have server-side encryption enabled | HIGH | ✅ |
| SOC2-CC-ENCRYPTION-TRANSIT | CC6.6 - Data Encryption | S3 buckets must enforce SSL/TLS for data in transit | HIGH | ✅ |
| SOC2-CC-ACCESS-CONTROL | CC6.1 - Logical Access | S3 buckets must have proper access controls and block public access | HIGH | ✅ |
| SOC2-CC-MFA-REQUIREMENTS | CC6.2 - User Authentication | S3 buckets should require MFA for sensitive operations | MEDIUM | ✅ |
| SOC2-CC-AUDIT-LOGGING | CC7.2 - Security Events | S3 buckets must have access logging enabled for security monitoring | HIGH | ✅ |
| SOC2-CC-KEY-MANAGEMENT | CC6.8 - Encryption Key Management | S3 encryption keys must follow proper management practices | MEDIUM | ✅ |
| Control ID | TSC Reference | Description | Severity | Status |
|---|---|---|---|---|
| SOC2-A-BACKUP-RECOVERY | A1.2 - Backup Infrastructure | S3 buckets should have versioning enabled for data recovery | MEDIUM | ✅ |
| SOC2-A-REPLICATION | A1.2 - Recovery Infrastructure | S3 buckets should have cross-region replication for disaster recovery | LOW | ✅ |
| SOC2-A-MONITORING | A1.3 - System Monitoring | S3 buckets should have CloudWatch monitoring configured | MEDIUM | ✅ |
| Control ID | TSC Reference | Description | Severity | Status |
|---|---|---|---|---|
| SOC2-C-DATA-PROTECTION | CC6.7 - Data Transmission | S3 buckets containing confidential data must prevent unauthorized access | HIGH | ✅ |
| Control ID | TSC Reference | Description | Severity | Status |
|---|---|---|---|---|
| SOC2-PI-DATA-INTEGRITY | CC8.1 - Data Integrity | S3 buckets should have object lock enabled to protect data integrity | LOW | ✅ |
| Control ID | TSC Reference | Description | Severity | Status |
|---|---|---|---|---|
| SOC2-P-DATA-GOVERNANCE | P2.1 - Data Management | S3 buckets should implement data governance through Storage Lens | LOW | ✅ |
Security Controls Implementation (Mandatory):
Encryption (SOC2-CC-ENCRYPTION-REST, SOC2-CC-ENCRYPTION-TRANSIT):
- Server-side encryption validation (SSE-S3, SSE-KMS, SSE-C)
- SSL/TLS enforcement through bucket policy analysis
- Detection of unencrypted data storage
- KMS key management and rotation compliance
Access Control (SOC2-CC-ACCESS-CONTROL):
- Comprehensive public access block validation
- Bucket policy analysis for public permissions
- ACL grants analysis for unauthorized access
- Cross-account access monitoring and control
Authentication and Logging (SOC2-CC-MFA-REQUIREMENTS, SOC2-CC-AUDIT-LOGGING):
- MFA requirements enforcement in bucket policies
- Server access logging configuration validation
- CloudTrail integration for API call monitoring
- Security event tracking and alerting
Key Management (SOC2-CC-KEY-MANAGEMENT):
- Customer-managed vs AWS-managed key analysis
- Key rotation status and policy validation
- Cross-account key access detection
- Encryption key governance compliance
Availability Controls Implementation (Optional):
Backup and Recovery (SOC2-A-BACKUP-RECOVERY, SOC2-A-REPLICATION):
- Versioning configuration for data recovery
- Cross-region replication for disaster recovery
- Backup infrastructure validation
- Recovery time objective (RTO) support
Monitoring (SOC2-A-MONITORING):
- CloudWatch metrics availability validation
- S3 request and error monitoring
- Availability tracking and alerting
- Performance monitoring compliance
Confidentiality, Processing Integrity, and Privacy (Optional):
Data Protection (SOC2-C-DATA-PROTECTION):
- Confidential data access restriction validation
- Cross-account access prevention
- Data transmission security compliance
Data Integrity (SOC2-PI-DATA-INTEGRITY):
- Object lock configuration for immutability
- Data integrity protection mechanisms
- Processing integrity compliance validation
Data Governance (SOC2-P-DATA-GOVERNANCE):
- Storage Lens configuration for data management
- Data governance policy implementation
- Privacy compliance through proper data handling
Unlike fixed frameworks, SOC 2 compliance percentage varies based on:
- Selected Trust Service Criteria: Organizations choose A, C, PI, P based on business needs
- Implementation Scope: Not all controls may apply to every organization
- Risk Assessment: Control implementation priority based on risk analysis
Assessment Approach:
- Security (CC): Mandatory - 6/6 controls must pass for baseline compliance
- Optional Criteria: Compliance calculated based on selected criteria
- Overall Score: Weighted average based on implemented criteria importance
Official Documentation: ISO/IEC 27001:2022 | ISO 27000 Family
Coverage: 7/9 S3-relevant controls (78%)
| Control ID | Description | Severity | Status |
|---|---|---|---|
| 5.15 | Access control management - S3 bucket policies and IAM integration | HIGH | ✅ |
| 5.18 | Access rights management - S3 permission governance | HIGH | ✅ |
| 5.23 | Information security for use of cloud services - S3 security configuration | HIGH | ✅ |
| 8.24 | Use of cryptography - S3 encryption at rest and in transit | HIGH | ✅ |
| 12.3 | Information backup - S3 versioning and replication | MEDIUM | ✅ |
| 12.4 | Logging and monitoring - S3 access logging and CloudTrail | MEDIUM | ✅ |
| 13.2 | Information transfer - S3 secure data transmission | MEDIUM | ✅ |
| Control ID | Description | Reason |
|---|---|---|
| 5.16 | Identity management - S3 access through AWS IAM | Requires IAM APIs (specialized expertise) |
| 13.1 | Network security management - S3 endpoint and VPC controls | Requires EC2 APIs (specialized expertise) |
5.15 - Access Control Management:
- Comprehensive access control analysis using existing
check_iso27001_access_controlfunction - Validates least privilege access with detailed scoring
- Checks public access block configuration
- Analyzes bucket policies for proper restrictions
- Verifies ACL permissions and detects wildcard principals
- Evaluates cross-account access and MFA requirements
5.18 - Access Rights Management:
- S3 permission governance assessment
- Public access block validation (40 points)
- Bucket policy safety analysis (30 points)
- ACL security evaluation (30 points)
- Compliance threshold: 80% for compliant rating
5.23 - Information Security for Cloud Services:
- Meta-analysis of all security controls for cloud service compliance
- Evaluates encryption at rest and in transit
- Checks access control implementation
- Validates versioning and logging
- Assesses MFA delete and object lock
- Provides cloud security score (0-100%)
8.24 - Use of Cryptography:
- Validates encryption at rest configuration
- Checks SSL/TLS enforcement in bucket policies
- Analyzes KMS vs SSE-S3 usage
- Verifies bucket key enablement
- Identifies cryptographic gaps and provides remediation
12.3 - Information Backup:
- S3 versioning enablement (60 points)
- Cross-region replication configuration (40 points)
- Backup feature assessment and scoring
- Compliance threshold: 60% for compliant rating
12.4 - Logging and Monitoring:
- S3 access logging validation
- CloudTrail integration recommended
- Compliance threshold: 70% for compliant rating
- Note: Full audit trail requires CloudTrail integration
13.2 - Information Transfer:
- SSL/TLS enforcement through bucket policies
- Secure data transmission validation
- Binary compliance (compliant/non-compliant based on SSL enforcement)
Official Documentation: ISO/IEC 27017:2015 | AWS ISO 27017 FAQ
Coverage: 7/7 cloud-specific controls (100%)
| Control ID | Description | Severity | Status |
|---|---|---|---|
| CLD.6.3.1 | Restriction of access rights - Cloud-specific S3 access management | HIGH | ✅ |
| CLD.7.1.1 | Cloud service responsibilities - S3 shared responsibility model compliance | MEDIUM | ✅ |
| CLD.8.1.4 | Data and information location - S3 data residency and region controls | MEDIUM | ✅ |
| CLD.12.1.5 | Monitoring activities - S3 security monitoring and alerting | MEDIUM | ✅ |
| CLD.12.4.1 | Logging cloud services - S3 comprehensive audit logging | HIGH | ✅ |
| CLD.13.1.1 | Information deletion - S3 secure data deletion and lifecycle | MEDIUM | ✅ |
| CLD.13.1.2 | Information isolation - S3 tenant and data isolation | HIGH | ✅ |
CLD.6.3.1 - Restriction of Access Rights:
- Cloud-specific access management assessment
- Public access block configuration (50 points)
- Bucket policy safety analysis (25 points)
- ACL security evaluation (25 points)
- Compliance threshold: 75% for compliant rating
CLD.7.1.1 - Cloud Service Responsibilities:
- Customer responsibility validation in shared model
- Encryption enablement assessment
- Versioning configuration check
- Logging enablement validation
- Backup/replication configuration assessment
- Compliance threshold: 75% for compliant rating
CLD.8.1.4 - Data and Information Location:
- Identifies primary bucket region
- Checks cross-region replication configuration
- Lists all data replication destinations
- Validates data residency compliance
- Provides location control scoring
CLD.12.1.5 - Monitoring Activities:
- S3 access logging validation (60 points)
- Event notifications configuration (40 points)
- Cloud security monitoring assessment
- Compliance threshold: 60% for compliant rating
CLD.12.4.1 - Logging Cloud Services:
- S3 access logging enablement
- CloudTrail integration recommended
- Comprehensive audit logging assessment
- Binary compliance (compliant/non-compliant)
CLD.13.1.1 - Information Deletion:
- Lifecycle rules configuration (70 points)
- Versioning enablement for controlled deletion (30 points)
- Secure data deletion capabilities
- Compliance threshold: 70% for compliant rating
CLD.13.1.2 - Information Isolation:
- Tenant isolation through access controls
- Public access block validation
- Cross-account access assessment
- Policy security evaluation
- Compliance threshold: 80% for compliant rating
Official Documentation: ISO/IEC 27018:2019
Coverage: 4/9 PII-relevant controls (44%)
| Control ID | Description | Severity | Status |
|---|---|---|---|
| 6.2.1 | Purpose limitation and use limitation - S3 purpose-bound access controls | HIGH | ✅ |
| 6.4.1 | Data minimization - S3 storage optimization and data reduction | MEDIUM | ✅ |
| 6.5.1 | Use, retention and deletion - S3 lifecycle and retention management | MEDIUM | ✅ |
| 8.2.1 | Accountability policy - S3 data protection accountability measures | MEDIUM | ✅ |
| Control ID | Description | Reason |
|---|---|---|
| 5.1.1 | Policies for PII protection - S3 data classification | Requires external data classification system |
| 5.1.2 | Processing of PII - S3 lawful basis and processing controls | Requires external consent tracking system |
| 6.1.1 | Consent and choice - S3 data subject consent management | Requires external consent management system |
| 6.3.1 | Collection limitation - S3 data minimization controls | Requires external data classification system |
| 8.2.2 | Data Protection Impact Assessment - S3 DPIA implementation | Requires external DPIA process system |
6.2.1 - Purpose Limitation and Use Limitation:
- Validates declared data processing purposes through bucket tagging
- Checks purpose minimization compliance
- Analyzes access control alignment with purposes
- Identifies missing purpose declarations
- Provides purpose limitation scoring
6.4.1 - Data Minimization:
- S3 lifecycle rules configuration assessment (85 points)
- Storage optimization through automated deletion
- Data reduction capabilities evaluation
- Compliance threshold: 70% for compliant rating
6.5.1 - Use, Retention and Deletion:
- Lifecycle rules configuration (70 points)
- Versioning enablement for controlled deletion (30 points)
- Retention management assessment
- Compliance threshold: 70% for compliant rating
8.2.1 - Accountability Policy:
- S3 access logging enablement (75 points)
- Data protection accountability through audit trails
- Compliance threshold: 70% for compliant rating
- Note: Enhanced accountability through comprehensive logging
Official Documentation: EUR-Lex Official Text | GDPR Info | Article 32 - Security of Processing
Coverage: 21/25 technical controls (84%)
Important Note: GDPR defines broad principles for personal data protection rather than specific S3 technical controls. The controls below represent technical measures that can be implemented via S3 APIs to support GDPR compliance requirements.
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G1 | S3 buckets must have server-side encryption enabled to protect personal data at rest | HIGH | ✅ |
| G2 | S3 buckets must enforce SSL/TLS for all data transfers to protect personal data in transit | HIGH | ✅ |
| G3 | S3 buckets using KMS encryption must have proper key management practices | HIGH | ✅ |
| G4 | S3 buckets must have proper access controls to ensure only authorized access to personal data | HIGH | ✅ |
| G5 | S3 buckets containing personal data must have Block Public Access enabled | HIGH | ✅ |
| G6 | S3 buckets must have versioning enabled to prevent accidental data loss | MEDIUM | ✅ |
| G7 | S3 buckets with personal data must require MFA for object deletion operations | MEDIUM | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G9 | S3 buckets must have lifecycle policies to automatically delete personal data when no longer needed | MEDIUM | ✅ |
| G10 | S3 bucket policies must restrict access based on specific purposes for processing personal data | MEDIUM | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G11 | S3 buckets must have server access logging enabled for audit trail of personal data access | HIGH | ✅ |
| G12 | S3 buckets must be monitored via AWS CloudTrail for comprehensive audit logging | HIGH | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G13 | S3 buckets must have event notifications configured to detect potential data breaches | MEDIUM | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G15 | S3 buckets must have Object Lock properly configured to support legal holds and retention | MEDIUM | ✅ |
| G16 | S3 buckets with cross-region replication must ensure GDPR compliance in all regions | MEDIUM | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G18 | S3 buckets must be in appropriate regions to comply with data residency requirements | HIGH | ✅ |
| G19 | S3 buckets should not replicate personal data to non-adequate countries without proper safeguards | HIGH | ✅ |
| Control ID | Description | Severity | Status |
|---|---|---|---|
| G21 | S3 Transfer Acceleration should be properly configured with security considerations | LOW | ✅ |
| G22 | S3 CORS configuration must not expose personal data to unauthorized domains | MEDIUM | ✅ |
| G23 | S3 static website hosting must have proper security controls if serving personal data | MEDIUM | ✅ |
| G24 | S3 Inventory should be configured to track personal data storage and management | LOW | ✅ |
| G25 | S3 Analytics configuration should not expose personal data insights inappropriately | LOW | ✅ |
| Control ID | Description | Reason |
|---|---|---|
| G8 | Data Classification and Discovery | Requires Amazon Macie service integration |
| G14 | Security Monitoring Integration | Requires AWS GuardDuty service integration |
| G17 | Data Export Capabilities | Application-specific functionality |
| G20 | Risk Assessment Documentation | External documentation requirement |
Article 32 - Security of Processing (G1-G7):
Encryption Controls (G1, G2, G3):
- Server-side encryption validation for personal data at rest
- SSL/TLS enforcement through bucket policy analysis
- KMS key management practices including rotation and access control
- Customer-managed vs AWS-managed key governance
Access Control (G4, G5):
- Comprehensive Block Public Access configuration
- Bucket policy analysis for unauthorized access prevention
- ACL security evaluation to prevent data exposure
- Multi-layered public access detection
Data Integrity and Recovery (G6, G7):
- Versioning enablement for accidental deletion protection
- MFA delete requirements for critical data protection
- Object-level access control validation
Article 25 - Data Protection by Design (G9, G10):
Data Minimization (G9):
- Lifecycle policy configuration for automatic data deletion
- Retention period compliance through automated expiration
- Storage optimization for data protection by default
Purpose Limitation (G10):
- Purpose-based access control through bucket tagging
- Policy condition analysis for purpose-bound access
- Documentation of processing purposes through metadata
Article 30 - Records of Processing (G11, G12):
Audit Trail Requirements (G11, G12):
- S3 server access logging for comprehensive audit trails
- CloudTrail integration for API-level activity monitoring
- Data access pattern analysis and retention
- Processing activity documentation through logs
Article 33 - Data Breach Notification (G13):
Breach Detection (G13):
- Event notification configuration for security monitoring
- SNS/SQS/Lambda integration for incident response
- Real-time alerting for unauthorized access attempts
- Automated breach detection capabilities
Article 17 - Right to Erasure (G15, G16):
Data Retention and Deletion (G15, G16):
- Object Lock configuration for legal hold management
- Cross-region replication compliance assessment
- Secure deletion procedures and verification
- International data transfer compliance validation
Article 44-49 - International Transfers (G18, G19):
Data Residency (G18, G19):
- Bucket region compliance with EU/EEA requirements
- Cross-border data transfer restriction validation
- Adequacy decision compliance for destination regions
- Standard Contractual Clauses (SCCs) requirement identification
High-Priority Controls (7 controls):
- G1, G2, G3, G4, G5, G11, G18, G19 - Must pass for baseline GDPR compliance
Medium-Priority Controls (8 controls):
- G6, G7, G9, G10, G12, G13, G15, G16, G22, G23 - Important for comprehensive compliance
Low-Priority Controls (3 controls):
- G21, G24, G25 - Supporting controls for enhanced data governance
Assessment Approach:
- Technical Implementation: 21/25 controls implementable via S3 APIs (84%)
- Service Integration: 7 controls require external services or processes
- Compliance Scoring: Weighted by control priority and implementation completeness
What's Included (S3 Technical Controls):
- Encryption and access control measures
- Data retention and lifecycle management
- Audit logging and breach detection
- International transfer restrictions
- Purpose limitation through technical controls
What Requires External Implementation:
- Data Classification (G8): Requires Amazon Macie or external classification tools
- Security Monitoring (G14): Requires AWS GuardDuty or external SIEM integration
- Data Portability (G17): Application-specific export functionality
- Risk Assessment (G20): Organizational DPIA processes and documentation
GDPR Compliance Beyond S3:
- Data Subject Rights management (access, rectification, erasure requests)
- Consent management and lawful basis tracking
- Privacy by design in application architecture
- Data Protection Impact Assessments (DPIAs)
- Data Protection Officer (DPO) appointment and processes
Beyond compliance frameworks, the tool provides additional security assessments:
- Subdomain Takeover Detection - Identifies DNS records pointing to unowned S3 buckets
- CNAME Information Disclosure - Detects bucket naming patterns that reveal sensitive information
- Route53 Analysis - Automatically discovers and analyzes DNS configurations
- Public Object Detection - Identifies publicly accessible objects
- Sensitive Data Pattern Matching - Detects potential PII, credentials, and sensitive files
- Object Permission Analysis - Checks individual object ACLs
- CORS Policy Analysis - Identifies overly permissive cross-origin policies
- Bucket Policy Analysis - Comprehensive policy parsing and risk assessment
- Lifecycle Rule Evaluation - Checks for cost optimization and data management rules
| Framework | Total S3-Relevant Controls | Implemented | Coverage |
|---|---|---|---|
| CIS AWS Foundations | 6 | 6 | 100% |
| AWS FSBP | 11 | 11 | 100% |
| PCI DSS v4.0 | 10 | 10 | 100% |
| HIPAA Security Rule | 7 | 7 | 100% |
| SOC 2 Type II | 12 controls supporting TSC | 12 | Variable compliance |
| ISO 27001:2022 | 9 | 7 | 78% |
| ISO 27017:2015 | 7 | 7 | 100% |
| ISO 27018:2019 | 9 | 4 | 44% |
| GDPR (EU) 2016/679 | 25 | 21 | 84% |
This tool implements a "S3-focused, technically accurate" approach to compliance checking, prioritizing precision over broad coverage. The implementation decisions are based on:
- S3 API Expertise: Deep knowledge of S3 security controls and APIs
- Avoiding Fake Information: No placeholder or artificial compliance data
- Technical Honesty: Clear documentation of limitations and scope
Fully Implemented Frameworks:
- CIS AWS Foundations - 6/6 controls (100%)
- AWS FSBP - 11/11 controls (100%)
- PCI DSS v4.0 - 10/10 controls (100%)
- HIPAA Security Rule - 7/7 controls (100%)
- SOC 2 Type II - 12/12 controls (100%)
- ISO 27017:2015 - 7/7 controls (100%)
Partially Implemented with S3-Only Controls:
- ISO 27001:2022 - 7/9 controls (78%)
- ISO 27018:2019 - 4/9 controls (44%)
ISO 27001 Out of Scope (2/9 controls):
- 5.16 - Identity management: Requires IAM API expertise for comprehensive user/role analysis
- 13.1 - Network security: Requires EC2 API expertise for VPC endpoint analysis
ISO 27018 Out of Scope (5/9 controls):
- 5.1.1 - PII protection policies: Requires external data classification system integration
- 5.1.2 - PII processing controls: Requires external consent tracking system integration
- 6.1.1 - Consent and choice: Requires external consent management system integration
- 6.3.1 - Collection limitation: Requires external data classification system integration
- 8.2.2 - DPIA implementation: Requires external DPIA process system integration
1. Specialized API Expertise Required:
- IAM policy analysis requires deep understanding of identity management
- VPC/networking analysis requires specialized EC2 networking knowledge
- Risk of implementing inaccurate checks that provide false compliance confidence
2. External System Dependencies:
- Data classification systems are organization-specific
- Consent management requires business process integration
- DPIA processes vary by organization and jurisdiction
3. Technical Honesty:
- Better to clearly document limitations than provide fake compliance data
- Maintains trust through transparency about tool capabilities
- Allows users to make informed decisions about additional compliance measures
Total Implementation: 64/71 controls (90%)
- S3-Only Coverage: 18/25 ISO controls implemented with high accuracy
- External Dependencies: 7 controls require systems beyond AWS S3 APIs
- Quality Over Quantity: Focus on accurate, actionable compliance data
For Missing ISO 27001 Controls:
- Use AWS IAM Access Analyzer for identity management assessment
- Implement VPC endpoint monitoring through AWS Config or custom solutions
For Missing ISO 27018 Controls:
- Implement data classification tagging strategy
- Deploy consent management system integration
- Establish DPIA process documentation and tracking
The tool provides automated remediation guidance for all implemented controls, including:
- Step-by-step AWS CLI commands
- Policy templates
- Configuration examples
- Best practice recommendations
- NIST Cybersecurity Framework
- FedRAMP
- Enhanced policy analysis engine
- Integration with AWS Config rules
- Real-time compliance monitoring
- Automated remediation workflows