AWS S3 static website hosting enabled
Description
AlphaSOC detected that Amazon Simple Storage Service (S3) static website hosting was enabled. This feature allows website content to be hosted directly from S3 buckets. While legitimate for approved web hosting, threat actors may abuse this capability to host unauthorized or malicious content, facilitate data exfiltration, or establish covert communication channels.
Impact
Enabling static website hosting on S3 buckets without proper authorization introduces security risks, including the potential for hosting phishing or malicious content. Adversaries may gain access to sensitive data or use the bucket for unauthorized data transfer, which can result in compliance violations and unexpected costs.
Severity
| Severity | Condition |
|---|---|
Informational | S3 static website enabled |
Investigation and Remediation
Review the S3 bucket configuration and access logs to identify when and by whom static website hosting was enabled. Confirm that the configuration matches approved business requirements and use cases. Inspect the bucket for unauthorized or suspicious files that could indicate misuse. If hosting is not approved, disable the feature immediately, update bucket policies and access controls, and enable S3 access logging to monitor future changes and access events.