Understanding Public Exposure Rule Bundle Failures

The Public Exposure Rule Bundle helps monitor commonly exposed AWS services and resources. In some cases, Rule failures in this Bundle are to be expected, or even desirable.


After the Public Exposure Rule Bundle is added to your environment, Stax will begin evaluating resources within your AWS Organization against the configured rules.

If your AWS accounts are Stax-managed, you will notice some failures occur. Stax continually reviews and monitors these to ensure configurations meet our high security standards. The following failures are expected:

Load Balancers should not be internet-facing

This Rule helps you identify internet-facing load balancers that you did not intend to be public. In this scenario, a misconfigured load balancer may pose a security risk to your organization.

To facilitate accessing Stax, an internet-facing load balancer is deployed into the Security account. This load balancer must be internet-facing and cannot be made private.

The load balancer will have a name matching the format idam-Id-ALB-<identifier>.<region>.elb.amazonaws.com.

Controls are in place to maintain the security of this load balancer:

  • All traffic to the load balancer is encrypted (using TLSv1.2)
  • The load balancer is protected by AWS Web Application Firewall (WAF)
  • AWS's latest SSL security policy is applied
  • Logging and monitoring data is recorded in the Logging account

If appropriate for your use case, follow the steps to exclude this resource from evaluation by this Rule.

S3 Buckets should be configured with "Block Public Access"

This Rule helps you identify S3 buckets that do not have the Block Public Access setting enabled.

Commonly, a bucket named in the format cf-templates-<identifier>-<region> is created in AWS accounts. It is created by the AWS Console when CloudFormation templates are uploaded through the Console, rather than using the API or SDK. AWS does not configure this bucket with Block Public Access enabled, and as such, it will fail this Rule. If this bucket exists, consider reviewing its configuration to meet security best practices.
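The two expected failures above share a pattern: a resource that fails the Rule but is recognisable by name. The following is an added triage helper, not code from Stax or from this article, that separates the documented expected failures (the `idam-Id-ALB-<identifier>.<region>.elb.amazonaws.com` load balancer and the `cf-templates-<identifier>-<region>` bucket) from failures that still need attention. The regular expressions are derived from the name formats given on this page; the input dictionaries mirror the shape of the AWS `DescribeLoadBalancers` (`DNSName`, `Scheme`) and `GetPublicAccessBlock` (`PublicAccessBlockConfiguration`) responses, and the sample inventory is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DNS-name format of the Stax identity load balancer described on this page:
# idam-Id-ALB-<identifier>.<region>.elb.amazonaws.com
STAX_IDAM_ALB_RE = re.compile(
    r"^idam-Id-ALB-[A-Za-z0-9-]+\.[a-z]{2}(-[a-z]+)+-\d\.elb\.amazonaws\.com$"
)

# Name format of the bucket the AWS Console creates for CloudFormation uploads:
# cf-templates-<identifier>-<region>
CF_TEMPLATES_BUCKET_RE = re.compile(r"^cf-templates-[a-z0-9]+-[a-z]{2}(-[a-z]+)+-\d$")

# The four settings that together make up S3 "Block Public Access".
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    resource: str
    rule: str
    status: str  # "pass", "expected_failure" or "needs_review"
    reason: str


def assess_load_balancer(lb: dict) -> Finding:
    """lb has the shape of one DescribeLoadBalancers entry: DNSName and Scheme."""
    rule = "Load Balancers should not be internet-facing"
    name = lb["DNSName"]
    if lb.get("Scheme") != "internet-facing":
        return Finding(name, rule, "pass", "load balancer is internal")
    if STAX_IDAM_ALB_RE.match(name):
        return Finding(name, rule, "expected_failure",
                       "Stax identity ALB in the Security account: intentionally public, "
                       "TLS-only with WAF in front; exclude it from the Rule if appropriate")
    return Finding(name, rule, "needs_review", "internet-facing load balancer not documented as expected")


def assess_bucket(bucket_name: str, bpa: Optional[dict]) -> Finding:
    """bpa is the PublicAccessBlockConfiguration dict, or None when the bucket has no
    configuration at all (GetPublicAccessBlock raises NoSuchPublicAccessBlockConfiguration)."""
    rule = 'S3 Buckets should be configured with "Block Public Access"'
    missing = [k for k in BPA_KEYS if not (bpa or {}).get(k)]
    if not missing:
        return Finding(bucket_name, rule, "pass", "all four Block Public Access settings enabled")
    detail = "missing " + ", ".join(missing)
    if CF_TEMPLATES_BUCKET_RE.match(bucket_name):
        return Finding(bucket_name, rule, "expected_failure",
                       "console-created CloudFormation upload bucket; " + detail +
                       "; enable Block Public Access on it")
    return Finding(bucket_name, rule, "needs_review", detail)


def triage(load_balancers: List[dict],
           buckets: List[Tuple[str, Optional[dict]]]) -> Dict[str, List[Finding]]:
    """Group every resource by status so the needs_review list is the actual work queue."""
    grouped: Dict[str, List[Finding]] = {"pass": [], "expected_failure": [], "needs_review": []}
    for lb in load_balancers:
        f = assess_load_balancer(lb)
        grouped[f.status].append(f)
    for name, bpa in buckets:
        f = assess_bucket(name, bpa)
        grouped[f.status].append(f)
    return grouped


# Constructed sample inventory (not real account data).
SAMPLE_LOAD_BALANCERS = [
    {"DNSName": "idam-Id-ALB-1234567890.ap-southeast-2.elb.amazonaws.com", "Scheme": "internet-facing"},
    {"DNSName": "app-internal-abcdef123456.ap-southeast-2.elb.amazonaws.com", "Scheme": "internal"},
    {"DNSName": "legacy-public-0987654321.ap-southeast-2.elb.amazonaws.com", "Scheme": "internet-facing"},
]
SAMPLE_BUCKETS = [
    ("cf-templates-1a2b3c4d5e6f-ap-southeast-2", None),
    ("corp-app-data", {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}),
    ("corp-marketing-site", {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": False}),
]

if __name__ == "__main__":
    for status, findings in triage(SAMPLE_LOAD_BALANCERS, SAMPLE_BUCKETS).items():
        for f in findings:
            print(f"{status:17} {f.resource}: {f.reason}")
```

In a real account the two sample lists would be filled from `boto3` calls to `elbv2.describe_load_balancers` and `s3.get_public_access_block` per bucket; the classification logic is the part worth keeping, because it lets a review focus on the `needs_review` entries rather than re-examining the documented expected failures each cycle.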
