| agent: |
Compliance Check for S3 Bucket Encryption
The workflow involves identifying Amazon S3 buckets that either do not have default encryption enabled or lack a policy explicitly denying unencrypted put-object requests. These buckets are then flagged as NON_COMPLIANT. This process ensures that all S3 buckets adhere to security best practices by enforcing encryption standards. By flagging non-compliant buckets, the workflow helps maintain data security and compliance within the cloud environment. This proactive approach aids in mitigating potential data breaches and unauthorized access.
- 1gfBY9XRPr6JEra7eMWmsIdentify Amazon S3 buckets that do not have default encryption enabled or lack a policy explicitly denying unencrypted put-object requests, and flag them as NON_COMPLIANT.
1
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script identifies S3 buckets without default encryption or lacking a policy denying unencrypted put-object requests.
inputsoutputs1- 1.1DMmrPQwGHtD46gJcY69wList all Amazon S3 buckets in the AWS account.
1.1
List all Amazon S3 buckets in the AWS account.
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script lists all S3 buckets in the AWS account.
inputsoutputsimport boto3 # Initialize boto3 client for S3 s3_client = boto3.client('s3', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-east-2') # List all S3 buckets buckets = s3_client.list_buckets()['Buckets'] # Extract bucket names bucket_names = [bucket['Name'] for bucket in buckets] print("Bucket names:", bucket_names)copied1.1 - 1.2rcxf5yuj0SXCrkBHOBUlCheck each S3 bucket for default encryption settings and identify buckets without default encryption enabled.
1.2
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script checks each S3 bucket for default encryption settings and identifies buckets without default encryption enabled.
inputsoutputsimport boto3 # Initialize boto3 client for S3 s3_client = boto3.client('s3', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-east-2') non_compliant_buckets = [] for bucket_name in bucket_names: try: # Check if default encryption is enabled encryption = s3_client.get_bucket_encryption(Bucket=bucket_name) rules = encryption['ServerSideEncryptionConfiguration']['Rules'] if not rules: non_compliant_buckets.append(bucket_name) except s3_client.exceptions.ClientError as e: # If the error is because the bucket does not have encryption enabled if e.response['Error']['Code'] == 'ServerSideEncryptionConfigurationNotFoundError': non_compliant_buckets.append(bucket_name) print("Non-compliant buckets:", non_compliant_buckets)copied1.2 - 1.3B78ckvHZeD0HH8ZV24XlCheck each S3 bucket for a policy explicitly denying unencrypted put-object requests and identify buckets lacking such a policy.
1.3
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script checks each S3 bucket for a policy explicitly denying unencrypted put-object requests and identifies buckets lacking such a policy.
inputsoutputsimport boto3 import json # Initialize boto3 client for S3 s3_client = boto3.client('s3', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-east-2') buckets_lacking_policy = [] for bucket_name in bucket_names: try: # Get the bucket policy policy = s3_client.get_bucket_policy(Bucket=bucket_name) policy_statements = json.loads(policy['Policy'])['Statement'] # Check for a policy explicitly denying unencrypted put-object requests policy_found = False for statement in policy_statements: if statement.get('Effect') == 'Deny': conditions = statement.get('Condition', {}) if 'Bool' in conditions and 'aws:SecureTransport' in conditions['Bool']: if conditions['Bool']['aws:SecureTransport'] == 'false': policy_found = True break if not policy_found: buckets_lacking_policy.append(bucket_name) except s3_client.exceptions.ClientError as e: # If the error is because the bucket does not have a policy if e.response['Error']['Code'] == 'NoSuchBucketPolicy': buckets_lacking_policy.append(bucket_name) print("Buckets lacking policy explicitly denying unencrypted put-object requests:", buckets_lacking_policy)copied1.3