Understanding Public Exposure Rule Bundle Failures
The Public Exposure Rule Bundle helps monitor commonly exposed AWS services and resources. In some cases, Rule failures in this Bundle are to be expected, or even desirable.
After the Public Exposure Rule Bundle is added to your environment, Stax will begin evaluating resources within your AWS Organization against the configured rules.
If your AWS accounts are Stax-managed, you will notice some failures occur. Stax continually reviews and monitors these to ensure configurations meet our high security standards. The following failures are expected:
Load Balancers should not be internet-facing
This Rule helps you identify internet-facing load balancers which you have not intended to be public. In this scenario, a misconfigured load balancer may pose a security risk to your organization.
To facilitate accessing Stax, an internet-facing load balancer is deployed into the Security account. This load balancer must be internet-facing and cannot be made private.
The load balancer will have a name matching the format idam-Id-ALB-<identifier>.<region>.elb.amazonaws.com.
Controls are in place to maintain the security of this load balancer:
- All traffic to the load balancer is encrypted (using TLSv1.2)
- The load balancer is protected by AWS Web Application Firewall (WAF)
- AWS's latest SSL security policy is applied
- Logging and monitoring data is recorded in the Logging account
If appropriate in your use case, follow the steps to ignore this resource from being evaluated in this Rule.
S3 Buckets should be configured with "Block Public Access"
This Rule helps you identify S3 buckets that do not have the Block Public Access setting enabled.
Commonly, a bucket named in the format cf-templates-<identifier>-<region> is created in AWS accounts. It is created by the AWS Console when CloudFormation templates are uploaded through the Console, rather than using the API or SDK. AWS does not configure this bucket with Block Public Access enabled, and as such, it will fail this Rule. If this bucket exists, consider reviewing its configuration to meet security best practices.