securing-s3-buckets

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Overview

概述

Implements layered S3 security controls across five workflows: securing new buckets, auditing existing configurations, remediating findings, configuring encryption, and enabling monitoring. Follows AWS Well-Architected security best practices.

Execute commands using the AWS MCP server when connected (sandboxed execution, audit logging, observability). Fall back to AWS CLI or shell otherwise.

在五个工作流中实现分层S3安全控制：保护新存储桶、审计现有配置、修复问题、配置加密以及启用监控。遵循AWS Well-Architected安全最佳实践。

连接AWS MCP服务器时，使用该服务器执行命令（沙箱执行、审计日志、可观测性）。否则回退使用AWS CLI或shell。

Common Tasks

常见任务

0. Verify Dependencies

0. 验证依赖项

Check for required tools before starting.

Constraints:

You MUST inform the user if required tools are missing
You SHOULD confirm credentials with
```
aws sts get-caller-identity
```

See references/iam-permissions.md for IAM permissions by workflow.

开始前检查所需工具是否齐全。

约束条件：

若缺少必要工具，必须告知用户
应使用
```
aws sts get-caller-identity
```
确认凭证有效性

各工作流对应的IAM权限请查看references/iam-permissions.md。

1. Classify the Request

1. 请求分类

User intent	Workflow
Secure a new bucket	A: Secure New Bucket
Audit / review existing bucket	B: Audit Existing Bucket
Fix a specific finding	C: Remediate Issue
Configure encryption	D: Configure Encryption
Enable logging / monitoring	E: Enable Monitoring

Constraints:

You MUST ask for all required parameters upfront
You MUST confirm bucket name and region before any write operation
You MAY infer region from user context if clearly stated
You SHOULD run
```
aws iam simulate-principal-policy
```
to validate permissions before write operations
You SHOULD display write commands and wait for confirmation before executing

用户意图	工作流
保护新存储桶	A: 保护新存储桶
审计/审查现有存储桶	B: 审计现有存储桶
修复特定问题	C: 修复问题
配置加密	D: 配置加密
启用日志/监控	E: 启用监控

约束条件：

必须提前询问所有必要参数
在执行任何写入操作前，必须确认存储桶名称和区域
若用户上下文明确说明区域，可自行推断
在执行写入操作前，应运行
```
aws iam simulate-principal-policy
```
验证权限
应展示写入命令并等待用户确认后再执行

put-bucket-policy Safety Rules

put-bucket-policy 安全规则

These rules apply to ALL workflows that call

put-bucket-policy

You MUST attempt to retrieve the existing policy first (
```
aws s3api get-bucket-policy
```
) —
```
put-bucket-policy
```
replaces the entire policy

If a policy exists, you MUST back it up before modifying:

aws s3api get-bucket-policy --bucket <name> --output text > backup-policy-$(date +%s).json

If
```
NoSuchBucketPolicy
```
is returned, proceed with a new policy — no backup is needed
You MUST merge new statements into the existing policy's Statement array (if one exists)
You MUST validate merged JSON syntax before applying (e.g.
```
echo '<policy>' | python3 -m json.tool
```
)
You SHOULD display the full
```
put-bucket-policy
```
command and wait for confirmation

以下规则适用于所有调用

put-bucket-policy

的工作流：

必须先尝试获取现有策略（
```
aws s3api get-bucket-policy
```
）——
```
put-bucket-policy
```
会替换整个策略

若策略已存在，修改前必须备份：

aws s3api get-bucket-policy --bucket <name> --output text > backup-policy-$(date +%s).json

若返回
```
NoSuchBucketPolicy
```
，则直接创建新策略——无需备份
必须将新语句合并到现有策略的Statement数组中（如果存在）
应用前必须验证合并后的JSON语法（例如：
```
echo '<policy>' | python3 -m json.tool
```
）
应展示完整的
```
put-bucket-policy
```
命令并等待用户确认

2. Workflow A — Secure New Bucket

2. 工作流A —— 保护新存储桶

See references/workflows.md for full CLI steps.

Required steps (execute in order, do not skip):

Create bucket with
```
--bucket-namespace account-regional
```
Enable versioning
Enable encryption (SSE-S3 + Bucket Keys + block SSE-C)
Enable logging (ask user which option — conditional)
Enforce HTTPS-only via
```
DenyInsecureTransport
```
bucket policy
Enable ABAC

Constraints:

You MUST pass

--bucket-namespace account-regional

create-bucket

call — this is REQUIRED, not optional. Example:

aws s3api create-bucket --bucket <name> --bucket-namespace account-regional --region <region>

You MUST NOT change Block Public Access — S3 enables it by default on new buckets
You MUST NOT change ACL ownership controls — S3 disables ACLs (
```
BucketOwnerEnforced
```
) by default

You MUST apply a bucket policy with a

DenyInsecureTransport

statement that denies

s3:*

when

aws:SecureTransport

false

— this is REQUIRED, not optional. Example:

aws s3api put-bucket-policy --bucket <name> --policy '{"Version":"2012-10-17","Statement":[{"Sid":"DenyInsecureTransport","Effect":"Deny","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::<name>/*","arn:aws:s3:::<name>"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'

You MUST ask the user which logging option they want before step 4
You MUST follow the put-bucket-policy safety rules for steps 4 and 5
You SHOULD confirm each step succeeded before proceeding

完整CLI步骤请查看references/workflows.md。

必填步骤（按顺序执行，不可跳过）：

使用
```
--bucket-namespace account-regional
```
创建存储桶
启用版本控制
启用加密（SSE-S3 + Bucket Keys + 阻止SSE-C）
启用日志（询问用户选择哪种选项——可选步骤）
通过
```
DenyInsecureTransport
```
存储桶策略强制仅使用HTTPS
启用ABAC

约束条件：

调用

create-bucket

时必须传入

--bucket-namespace account-regional

——此为必填项，不可省略。示例：

aws s3api create-bucket --bucket <name> --bucket-namespace account-regional --region <region>

不得修改公共访问阻止设置——S3默认会为新存储桶启用该设置
不得修改ACL所有权控制——S3默认禁用ACL（
```
BucketOwnerEnforced
```
）

必须应用包含

DenyInsecureTransport

语句的存储桶策略，当

aws:SecureTransport

为

false

时拒绝所有

s3:*

操作——此为必填项，不可省略。示例：

aws s3api put-bucket-policy --bucket <name> --policy '{"Version":"2012-10-17","Statement":[{"Sid":"DenyInsecureTransport","Effect":"Deny","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::<name>/*","arn:aws:s3:::<name>"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'

执行步骤4前必须询问用户想要的日志选项
执行步骤4和5时必须遵循put-bucket-policy安全规则
应确认每一步执行成功后再继续

3. Workflow B — Audit Existing Bucket

3. 工作流B —— 审计现有存储桶

See references/audit-checklist.md for the full checklist.

Constraints:

You MUST run all read-only audit commands before reporting findings
You MUST NOT execute any write or modify commands during an audit
You MUST report each control as PASS / FAIL / NOT CONFIGURED with severity
For logging: report PASS if either S3 server access logging OR CloudTrail data events are enabled; NOT CONFIGURED only if neither

完整检查清单请查看references/audit-checklist.md。

约束条件：

报告问题前必须运行所有只读审计命令
审计期间不得执行任何写入或修改命令
必须将每个控制项报告为通过/失败/未配置，并标注严重程度
日志方面：若S3服务器访问日志或CloudTrail数据事件任一已启用，则报告为通过；仅当两者均未启用时才报告为未配置

4. Workflow C — Remediate Issue

4. 工作流C —— 修复问题

See references/remediation.md for fix commands by issue type.

Constraints:

You MUST identify the issue type before applying any fix
You MUST follow the put-bucket-policy safety rules when modifying policies
You MUST re-run the relevant audit check after applying the fix to confirm resolution

按问题类型分类的修复命令请查看references/remediation.md。

约束条件：

应用任何修复前必须确定问题类型
修改策略时必须遵循put-bucket-policy安全规则
应用修复后必须重新运行相关审计检查以确认问题已解决

5. Workflow D — Configure Encryption

5. 工作流D —— 配置加密

See references/encryption.md for encryption options and commands.

Constraints:

You MUST default to SSE-S3 with S3 Bucket Keys and SSE-C blocked unless the user explicitly requests KMS
When using SSE-KMS, you MUST use a customer managed key — NEVER the AWS managed
```
aws/s3
```
key
You MUST specify customer-managed KMS keys by full ARN, not alias

You MUST include

BucketKeyEnabled: true

and

BlockedEncryptionTypes: [SSE-C]

in all configurations

Note: The S3 API accepts
```
aws/s3
```
and aliases without error — agent-enforced constraints. Verify with
```
get-bucket-encryption
```
after applying.

加密选项和命令请查看references/encryption.md。

约束条件：

除非用户明确要求KMS，否则默认使用带S3 Bucket Keys的SSE-S3并阻止SSE-C
使用SSE-KMS时，必须使用客户管理密钥——绝不能使用AWS托管的
```
aws/s3
```
密钥
必须通过完整ARN指定客户管理KMS密钥，而非别名

所有配置中必须包含

BucketKeyEnabled: true

和

BlockedEncryptionTypes: [SSE-C]

注意：S3 API接受
```
aws/s3
```
和别名且不会报错——这是Agent强制执行的约束。应用后请使用
```
get-bucket-encryption
```
验证。

6. Workflow E — Enable Monitoring

6. 工作流E —— 启用监控

See references/workflows.md for full CLI steps.

Constraints:

You MUST check whether a GuardDuty detector already exists before creating one
You MUST use the trail's home region (not the bucket's region) for CloudTrail commands
You SHOULD enable all four core recommended AWS Config rules

完整CLI步骤请查看references/workflows.md。

约束条件：

创建GuardDuty检测器前必须检查是否已存在
执行CloudTrail命令时必须使用跟踪的主区域（而非存储桶区域）
应启用所有四项核心推荐的AWS Config规则

Troubleshooting

故障排除

ObjectLockConfigurationNotFoundError
— Object Lock is not enabled. Treat as NOT CONFIGURED, not a failure.

AccessDenied
on audit commands — Check IAM policy, bucket policy, Block Public Access, VPC endpoint policy, and SCPs/RCPs. Use

aws iam simulate-principal-policy

to diagnose.

put-bucket-policy
silently removes existing statements — See put-bucket-policy safety rules.

GuardDuty
BadRequestException: detector already exists
— Run

aws guardduty list-detectors

first; only call

create-detector

if empty.

CloudTrail changes not taking effect — Verify you are using

--region <trail-home-region>

, not the bucket's region. Find it with

aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion]'

ObjectLockConfigurationNotFoundError
—— 对象锁定未启用。视为未配置，而非失败。

审计命令返回
AccessDenied
—— 检查IAM策略、存储桶策略、公共访问阻止设置、VPC端点策略以及SCP/RCP。使用

aws iam simulate-principal-policy

诊断问题。

put-bucket-policy
静默删除现有语句 —— 查看put-bucket-policy安全规则。

GuardDuty返回
BadRequestException: detector already exists
—— 先运行

aws guardduty list-detectors

；仅当结果为空时才调用

create-detector

。

CloudTrail更改未生效 —— 验证是否使用了

--region <trail-home-region>

，而非存储桶区域。使用

aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion]'

查找主区域。

Additional Resources

额外资源

references/iam-permissions.md — IAM permissions by workflow
references/audit-checklist.md — Per-control checklist with severity and pass conditions
references/encryption.md — Encryption options, KMS guidance, SSE-C blocking
references/remediation.md — Fix commands for common findings
references/workflows.md — Full CLI command sequences for Workflows A and E
AWS S3 Security Best Practices
AWS Well-Architected Security Pillar

references/iam-permissions.md —— 各工作流对应的IAM权限
references/audit-checklist.md —— 带严重程度和通过条件的逐项检查清单
references/encryption.md —— 加密选项、KMS指南、SSE-C阻止设置
references/remediation.md —— 常见问题的修复命令
references/workflows.md —— 工作流A和E的完整CLI命令序列
AWS S3 Security Best Practices
AWS Well-Architected Security Pillar