Preventing Publicly Available S3 Buckets
Protecting Objects in S3 Buckets
Too many data breaches originate from S3 buckets that aren’t properly configured. Typically, they are unintentionally left publicly accessible. Why should you prevent publicly available S3 buckets? AWS puts it this way, “Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, you should ensure that your S3 bucket is not public.”
Fortunately for AWS users, AWS gives you the tools to configure your S3 buckets. Along with S3 bucket policies, ACLs, and Trusted Advisor, the Amazon S3 Block Public Access feature is a way to prevent public access. This feature allows you, as a user, to manage and modify S3 bucket policies, access point policies, and object permissions.
Read more about Security Best Practices for Amazon S3 and Using Amazon S3 Block Public Access.
It seems like every other week we hear about another instance of loss of confidential data. Many times, those stories involve an Amazon S3 bucket. The leaky bucket problem, if that’s what you want to call it. These buckets, through misconfiguration, have been configured to permit public access to any of the files that are located in that bucket. Public access, in this case, means that they’re able to make a successful HTTP call to a URL and they can get a file back. Amazon has continued to try to find that magic approach that makes it obvious when a bucket has been configured for public access. Access to the entire Internet without authentication.
Some recent improvements, within the last year or so, in the user interface take advantage of some automated reasoning technologies to determine in real time the effect of the policies and the settings that have been enabled on your S3 buckets. That turns into a bright orange or a bright yellow “Public” label being listed next to your S3 bucket in the list of buckets when you’re logged into the AWS console. It’s important to check on that from time to time. We certainly will as part of our audit. We will be looking to see if all of the buckets that are labeled as “Public Access” should have public access.
Of course, use cases vary. One of the obvious examples of a bucket that should be publicly accessible is a bucket that is being used to serve up the static images of our website. Otherwise, graphics aren’t going to appear on our website. That’s one example where S3 buckets are being used for almost every kind of data that you could possibly conceive. It’s important to make sure that you have proper configurations, proper policies applied to those S3 buckets. You can take advantage of some of the resources out there, The Center for Internet Security AWS Benchmark gives some instruction on how to check for that. There are various tools out there, like AWS Prowler, that we use extensively in our own audits. We’ll help you find those. Logging into the console, which you should be doing on some regular basis and in some way evaluating whether or not any of your buckets have been configured for public access and making sure that’s the way that it really should be.