Test Results: prowler-output-232348204608-20250424120512

For Secure S3 Bucket Terraform Module

Summary

Pass: 50
Fail: 16
N/A: 0
Error: 0
Untested Requirements: 0

Results by CCC Release

| CCC Reference | CCC Version | Passing Tests | Failing Tests |
|---|---|---|---|
| CCC.ObjStor | 2025.01 | 50 | 16 |

Test Results By Control Requirement

| Requirement ID | Requirement Description | CCC Versions | Test | Test Result | Resources | Result Message |
|---|---|---|---|---|---|---|
| CCC.C01.TR01 | When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.2 or higher. | 2025.01 | s3_bucket_secure_transport_policy | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy, thus it allows HTTP requests. |
| CCC.C01.TR01 | When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.2 or higher. | 2025.01 | s3_bucket_secure_transport_policy | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy, thus it allows HTTP requests. |
| CCC.C01.TR02 | When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher. | 2025.01 | s3_bucket_secure_transport_policy | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy, thus it allows HTTP requests. |
| CCC.C01.TR02 | When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher. | 2025.01 | s3_bucket_secure_transport_policy | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy, thus it allows HTTP requests. |
| CCC.C02.TR01 | When data is stored at rest, the service MUST be configured to encrypt data at rest using the latest industry-standard encryption methods. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has Server Side Encryption with aws:kms. |
| CCC.C02.TR01 | When data is stored at rest, the service MUST be configured to encrypt data at rest using the latest industry-standard encryption methods. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has Server Side Encryption with aws:kms. |
| CCC.C04.TR01 | When any access attempt is made to the service, the service MUST log the client identity, time, and result of the attempt. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has server access logging enabled. |
| CCC.C04.TR01 | When any access attempt is made to the service, the service MUST log the client identity, time, and result of the attempt. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has server access logging enabled. |
| CCC.C04.TR02 | When any access attempt is made to the view sensitive information, the service MUST log the client identity, time, and result of the attempt. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has server access logging enabled. |
| CCC.C04.TR02 | When any access attempt is made to the view sensitive information, the service MUST log the client identity, time, and result of the attempt. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has server access logging enabled. |
| CCC.C04.TR03 | When any change is made to the service configuration, the service MUST log the change, including the client, time, previous state, and the new state following the change. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has server access logging enabled. |
| CCC.C04.TR03 | When any change is made to the service configuration, the service MUST log the change, including the client, time, previous state, and the new state following the change. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has server access logging enabled. |
| CCC.C05.TR01 | When access to sensitive resources is attempted, the service MUST block requests from untrusted sources, including IP addresses, domains, or networks that are not explicitly included in a pre-approved allowlist. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.C05.TR01 | When access to sensitive resources is attempted, the service MUST block requests from untrusted sources, including IP addresses, domains, or networks that are not explicitly included in a pre-approved allowlist. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.C05.TR01 | When access to sensitive resources is attempted, the service MUST block requests from untrusted sources, including IP addresses, domains, or networks that are not explicitly included in a pre-approved allowlist. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 is not public. |
| CCC.C05.TR01 | When access to sensitive resources is attempted, the service MUST block requests from untrusted sources, including IP addresses, domains, or networks that are not explicitly included in a pre-approved allowlist. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs is not public. |
| CCC.C05.TR02 | When administrative access is attempted, the service MUST validate that the request originates from an explicitly allowed source as defined in the allowlist. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.C05.TR02 | When administrative access is attempted, the service MUST validate that the request originates from an explicitly allowed source as defined in the allowlist. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.C05.TR02 | When administrative access is attempted, the service MUST validate that the request originates from an explicitly allowed source as defined in the allowlist. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 is not public. |
| CCC.C05.TR02 | When administrative access is attempted, the service MUST validate that the request originates from an explicitly allowed source as defined in the allowlist. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs is not public. |
| CCC.C05.TR03 | When resources are accessed in a multi-tenant environment, the service MUST enforce isolation by allowing access only to explicitly allowlisted tenants. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.C05.TR03 | When resources are accessed in a multi-tenant environment, the service MUST enforce isolation by allowing access only to explicitly allowlisted tenants. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.C05.TR03 | When resources are accessed in a multi-tenant environment, the service MUST enforce isolation by allowing access only to explicitly allowlisted tenants. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 is not public. |
| CCC.C05.TR03 | When resources are accessed in a multi-tenant environment, the service MUST enforce isolation by allowing access only to explicitly allowlisted tenants. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs is not public. |
| CCC.C05.TR04 | When an access attempt from an untrusted source is blocked, the service MUST log the event, including the source details, time, and reason for denial. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.C05.TR04 | When an access attempt from an untrusted source is blocked, the service MUST log the event, including the source details, time, and reason for denial. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.C05.TR04 | When an access attempt from an untrusted source is blocked, the service MUST log the event, including the source details, time, and reason for denial. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 is not public. |
| CCC.C05.TR04 | When an access attempt from an untrusted source is blocked, the service MUST log the event, including the source details, time, and reason for denial. | 2025.01 | s3_bucket_public_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs is not public. |
| CCC.ObjStor.C01.TR01 | When a request is made to read a protected bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | pass | arn:aws:kms:us-east-1:232348204608:key/831a72c9-c94d-4407-8835-3de2e3358b01 | KMS CMK 831a72c9-c94d-4407-8835-3de2e3358b01 has automatic rotation enabled. |
| CCC.ObjStor.C01.TR01 | When a request is made to read a protected bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | fail | arn:aws:kms:us-east-1:232348204608:key/dd053d7f-3ae4-4010-bac4-f70ae20be625 | KMS CMK dd053d7f-3ae4-4010-bac4-f70ae20be625 has automatic rotation disabled. |
| CCC.ObjStor.C01.TR01 | When a request is made to read a protected bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR01 | When a request is made to read a protected bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR02 | When a request is made to read a protected object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | pass | arn:aws:kms:us-east-1:232348204608:key/831a72c9-c94d-4407-8835-3de2e3358b01 | KMS CMK 831a72c9-c94d-4407-8835-3de2e3358b01 has automatic rotation enabled. |
| CCC.ObjStor.C01.TR02 | When a request is made to read a protected object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | fail | arn:aws:kms:us-east-1:232348204608:key/dd053d7f-3ae4-4010-bac4-f70ae20be625 | KMS CMK dd053d7f-3ae4-4010-bac4-f70ae20be625 has automatic rotation disabled. |
| CCC.ObjStor.C01.TR02 | When a request is made to read a protected object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR02 | When a request is made to read a protected object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR03 | When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | pass | arn:aws:kms:us-east-1:232348204608:key/831a72c9-c94d-4407-8835-3de2e3358b01 | KMS CMK 831a72c9-c94d-4407-8835-3de2e3358b01 has automatic rotation enabled. |
| CCC.ObjStor.C01.TR03 | When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | fail | arn:aws:kms:us-east-1:232348204608:key/dd053d7f-3ae4-4010-bac4-f70ae20be625 | KMS CMK dd053d7f-3ae4-4010-bac4-f70ae20be625 has automatic rotation disabled. |
| CCC.ObjStor.C01.TR03 | When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR03 | When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR04 | When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | pass | arn:aws:kms:us-east-1:232348204608:key/831a72c9-c94d-4407-8835-3de2e3358b01 | KMS CMK 831a72c9-c94d-4407-8835-3de2e3358b01 has automatic rotation enabled. |
| CCC.ObjStor.C01.TR04 | When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | kms_cmk_rotation_enabled | fail | arn:aws:kms:us-east-1:232348204608:key/dd053d7f-3ae4-4010-bac4-f70ae20be625 | KMS CMK dd053d7f-3ae4-4010-bac4-f70ae20be625 has automatic rotation disabled. |
| CCC.ObjStor.C01.TR04 | When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C01.TR04 | When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization. | 2025.01 | s3_bucket_default_encryption | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has Server Side Encryption with aws:kms. |
| CCC.ObjStor.C02.TR01 | When a permission set is allowed for an object in a bucket, the service MUST allow the same permission set to access all objects in the same bucket. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.ObjStor.C02.TR01 | When a permission set is allowed for an object in a bucket, the service MUST allow the same permission set to access all objects in the same bucket. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.ObjStor.C02.TR02 | When a permission set is denied for an object in a bucket, the service MUST deny the same permission set to access all objects in the same bucket. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 does not have a bucket policy. |
| CCC.ObjStor.C02.TR02 | When a permission set is denied for an object in a bucket, the service MUST deny the same permission set to access all objects in the same bucket. | 2025.01 | s3_bucket_policy_public_write_access | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs does not have a bucket policy. |
| CCC.ObjStor.C03.TR01 | When an object storage bucket deletion is attempted, the bucket MUST be fully recoverable for a set time-frame after deletion is requested. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C03.TR01 | When an object storage bucket deletion is attempted, the bucket MUST be fully recoverable for a set time-frame after deletion is requested. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C03.TR02 | When an attempt is made to modify the retention policy for an object storage bucket, the service MUST prevent the policy from being modified. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C03.TR02 | When an attempt is made to modify the retention policy for an object storage bucket, the service MUST prevent the policy from being modified. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C04.TR01 | When an object is uploaded to the object storage system, the object MUST automatically receive a default retention policy that prevents premature deletion or modification. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C04.TR01 | When an object is uploaded to the object storage system, the object MUST automatically receive a default retention policy that prevents premature deletion or modification. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C04.TR02 | When an attempt is made to delete or modify an object that is subject to an active retention policy, the service MUST prevent the action from being completed. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C04.TR02 | When an attempt is made to delete or modify an object that is subject to an active retention policy, the service MUST prevent the action from being completed. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C05.TR01 | When an object is uploaded to the object storage bucket, the object MUST be stored with a unique identifier. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C05.TR01 | When an object is uploaded to the object storage bucket, the object MUST be stored with a unique identifier. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C05.TR02 | When an object is modified, the service MUST assign a new unique identifier to the modified object to differentiate it from the previous version. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C05.TR02 | When an object is modified, the service MUST assign a new unique identifier to the modified object to differentiate it from the previous version. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C05.TR03 | When an object is modified, the service MUST allow for recovery of previous versions of the object. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C05.TR03 | When an object is modified, the service MUST allow for recovery of previous versions of the object. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C05.TR04 | When an object is deleted, the service MUST retain other versions of the object to allow for recovery of previous versions. | 2025.01 | s3_bucket_object_versioning | fail | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has versioning disabled. |
| CCC.ObjStor.C05.TR04 | When an object is deleted, the service MUST retain other versions of the object to allow for recovery of previous versions. | 2025.01 | s3_bucket_object_versioning | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has versioning enabled. |
| CCC.ObjStor.C06.TR01 | When an object storage bucket is accessed, the service MUST store access logs in a separate data store. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423 | S3 Bucket prod-my-secure-s3-bucket-20250423 has server access logging enabled. |
| CCC.ObjStor.C06.TR01 | When an object storage bucket is accessed, the service MUST store access logs in a separate data store. | 2025.01 | s3_bucket_server_access_logging_enabled | pass | arn:aws:s3:::prod-my-secure-s3-bucket-20250423-logs | S3 Bucket prod-my-secure-s3-bucket-20250423-logs has server access logging enabled. |