Building near real-time automatic remediation for disabled S3 Block Public Access with serverless tools

AWS Security Hub is a one-place-to-go service that collects security findings from other services, like GuardDuty, Macie, or IAM Access Analyzer. It also has its own controls that come from security standards like CIS AWS Foundations Benchmark or PCI DSS. We can enable one or more of these standards, and Security Hub will start checking for the status of the controls that belong to the given standards using AWS Config in the background.

It's not only me who likes Security Hub, but Bob does, too! His latest task is to create an automated alert solution that gets triggered when someone has turned off the Block Public Access setting in any S3 buckets. Although Bob believes there's hardly any good reason to make a bucket public today, he wants to evaluate the situation first. So he and his managers would like to receive an email notification near real-time when that happens. Who knows, there might be a legitimate reason for the Block Public Access setting to be disabled. Then, they can click a link to enable Block Public Access again if needed.

As said above, Security Hub keeps creating its findings on the controls and evaluates their compliance status.

Bob will create an EventBridge rule that matches the block public access finding event pattern from Security Hub. The rule will have a Lambda function target that extracts the bucket name from the event object.

The function then creates a URL with the bucket name in a query parameter and publishes a message with the link to an SNS topic. Bob and his managers' email addresses are subscribers to the topic, and they will receive an email with the link to an API Gateway endpoint. A second Lambda function will enable the block public access setting on the given bucket when they click the link.

This post won't explain how to

I'll provide some links at the end of the post that will help provision these resources if needed.

Let's go over the main steps of this solution.

First, we'll need to know when someone disables Block Public Access at the bucket level. The AWS Foundational Security Best Practices v1.0.0 standard in Security Hub has a control that monitors this setting.

Luckily, Security Hub evaluates the status of the controls and sends events to EventBridge. All we have to do is listen to the relevant event, and then we can build automation to fix any issues.

The event pattern we want to match in the rule can look like this:

The main properties are Title, Compliance and RecordsState.

We want Title in the filter since it is the Security Hub control we need to monitor.

Security Hub also sends events on compliant and archived (i.e., not active) findings too. So even if a bucket has Block Public Access enabled, Title alone would still produce a matching pattern. This way, we need to filter the pattern more. So we add Compliance and RecordState filters with FAILED and ACTIVE statuses, respectively.

The rule's target in this example is a Lambda function. Its code can look like this:

First, the code extracts the bucket names from the event object (1). Then, it creates a URL for each bucket where the bucket name is the value of the bucket query parameter (2). Finally, the function publishes a message for each bucket to an SNS topic (3). We pass the topic name, and the API Gateway invoke URL as environment variables to the handler.

At this point, when someone turns off the Block Public Access setting in our account, we should receive an email with a link that points to the API Gateway's /block-public-access endpoint. The link will have a format similar to https://API_ID.execute-api.REGION.amazonaws.com/STAGE_NAME/block-public-access?bucket=BUCKET_NAME.

The last step is to enable Block Public Access on the bucket when someone clicks the link in the email.

We can perform this task with another Lambda function, which we configure as the integration behind the /block-public-access endpoint.

The function's code can look like this:

First, we get the bucket name from the URL (1), then we call the PutPublicAccessBlock S3 API with the block public access settings using the TypeScript SDK (2). Ensure that the function's execution role contains the s3:PubBucketPublicAccessBlock permission.

API Gateway will invoke the Lambda function, and now the bucket should have its Block Public Access setting enabled again!

As always, the example presented in this post is not the only solution. We can solve the majority of any challenges in more than one way.

Other services also monitor the public access setting at the bucket level. We could use Macie, IAM Access Analyzer, GuardDuty or CloudTrail to create an automated solution. I used Security Hub in this example because it's a central place to monitor findings from various security services.

We can also use Security Hub and EventBridge to create automation to resolve other non-compliant findings similarly.

Security Hub is a service that collects findings from other security services. It also creates findings based on the controls that belong to the security standards we choose to enable.

We can create automation by reacting to events Security Hub sends to EventBridge. Turning off the Block Public Access setting at the S3 bucket level is one such event that we can apply an automated remediation by using Lambda functions and API Gateway.

Creating Amazon EventBridge rules that react to events - How to create EventBridge rules

Enabling and disabling controls in all standards - Enabling Security Hub controls

Getting started with Lambda - How to create a Lambda function

Creating a REST API in Amazon API Gateway - The title says it all

Creating an Amazon SNS topic - Same here