Name: Preventing Publicly Available S3 Buckets
Uploaded: 2020-10-26T15:51:15Z
Duration: 182
Description: Along with S3 bucket policies, ACLs, and Trusted Advisor, the Amazon S3 Block Public Access feature is a way to prevent public access.

Preventing Publicly Available S3 Buckets

Protecting Objects in S3 Buckets

Too many data breaches originate from S3 buckets that aren’t properly configured. Typically, they are unintentionally left publicly accessible. Why should you prevent publicly available S3 buckets? AWS puts it this way, “Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, you should ensure that your S3 bucket is not public.”

Fortunately for AWS users, AWS gives you the tools to configure your S3 buckets. Along with S3 bucket policies, ACLs, and Trusted Advisor, the Amazon S3 Block Public Access feature is a way to prevent public access. This feature allows you, as a user, to manage and modify S3 bucket policies, access point policies, and object permissions.

Transcription

It seems like every other week we hear about another instance of loss of confidential data. Many times, those stories involve an Amazon S3 bucket. The leaky bucket problem, if that’s what you want to call it. These buckets, through misconfiguration, have been configured to permit public access to any of the files that are located in that bucket. Public access, in this case, means that they’re able to make a successful HTTP call to a URL and they can get a file back. Amazon has continued to try to find that magic approach that makes it obvious when a bucket has been configured for public access. Access to the entire Internet without authentication.

Some recent improvements, within the last year or so, in the user interface take advantage of some automated reasoning technologies to determine in real time the effect of the policies and the settings that have been enabled on your S3 buckets. That turns into a bright orange or a bright yellow “Public” label being listed next to your S3 bucket in the list of buckets when you’re logged into the AWS console. It’s important to check on that from time to time. We certainly will as part of our audit. We will be looking to see if all of the buckets that are labeled as “Public Access” should have public access.

Of course, use cases vary. One of the obvious examples of a bucket that should be publicly accessible is a bucket that is being used to serve up the static images of our website. Otherwise, graphics aren’t going to appear on our website. That’s one example where S3 buckets are being used for almost every kind of data that you could possibly conceive. It’s important to make sure that you have proper configurations, proper policies applied to those S3 buckets. You can take advantage of some of the resources out there, The Center for Internet Security AWS Benchmark gives some instruction on how to check for that. There are various tools out there, like AWS Prowler, that we use extensively in our own audits. We’ll help you find those. Logging into the console, which you should be doing on some regular basis and in some way evaluating whether or not any of your buckets have been configured for public access and making sure that’s the way that it really should be.

Preventing Publicly Available S3 Buckets

Related Videos

AWS Controls for Implementing a DMZ

Authenticate and Authorize Users with Client Certificates

Avoid Using Default Service Account When Configuring Instances

Best Practices for Container Security

Best Practices for Secret Management

Configuring Network Border Controls

Consistently Manage User Accounts with OS Login

Create a Minimal Audit Policy for Logging

Do Not Enable Serial Ports for VM Instance

Do Not Use Project-Wide SSH Keys When Authenticating Instances

Do Not Use RSASHA1 for DNSSEC Key-Signing Keys

Enable DNSSEC to Protect DNS Protocols

Enable HTTPS Connections on App Engine Applications

Enable Shielded VM to Ensure Operating System is Trustworthy

Enable VPC Flow Logs for Every Subnet

Encrypt BigQuery Datasets with Customer Managed Encryption Key (CMEK)

Ensure BigQuery Datasets Are Not Publicly Accessible

Ensure Cloud Storage Buckets Are Not Publicly Accessible

Ensure Container Network Interfaces Support Network Policies

Ensure GKE Nodes are Configured Properly

Ensure Kubernetes Idle Timeout Parameter is Appropriately Set

Ensure No Weak SSL Cipher Suites Are Permitted

Ensure Only Authorized Users Can Create Security Groups

Ensure to Restrict SSH Access from the Internet

GKE Cluster Configuration Security Benchmarks

General Policies for Cluster Management

Harden Cloud SQL Database with Logging

House Accounts in CloudTrail

How To Configure Your Cluster Networks

How to Configure Kubelet Within Your Environment

How to Restrict Public Access to S3 Buckets

How to Use S3 Bucket Policies

IP Forwarding Should Not Be Enabled for Instances

Image Registry and Scanning Best Practices

Industry Best Practices for Configuration Standards

Introduction to AWS Network Firewall

Introduction to AWS WAF and Shield

Introduction to Amazon EKS

Introduction to PCI DSS Requirement 1

Introduction to PCI Requirement 2.mp4

Leverage Confidential Computing to Protect Data

Manage Access Securely Using Uniform Bucket-Level Access

Meeting Firewall and Router Configuration Standards

Migrate Away from RSASHA1 for DNSSEC Zone-Signing Keys

Migrate Legacy Networks to VPC Networks

Minimize Public IP Address on Compute Instances

Minimize Root and SA Account Access in Cloud SQL

Network Segmentation for AWS

Networking Configurations in Kubernetes Environment

Node MetaData Recommendations in GKE

PCI DSS Requirement 1.1.1 - Implementing a Change Control Program

PCI DSS Requirement 1.1.2 and 1.1.3 - Network Documentation Best Practices

PCI DSS Requirement 1.1.4 - Establishing a Firewall and DMZ

PCI DSS Requirement 1.1.5 Defining Roles and Responsibilities for Managing Network Components

PCI DSS Requirement 1.1.6 Documentation of Business Justification & Approval for use of all Services, Ports and Protocols

PCI DSS Requirement 1.1.7 - Review Firewall and Router Rule Sets

PCI DSS Requirement 1.2 Restrict Connections to Untrusted Networks

PCI DSS Requirement 1.2.1 Restrict Traffic to that which is Necessary

PCI DSS Requirement 1.2.2 Secure and Synchronize Router Configuration Files

PCI DSS Requirement 1.2.3 Install Firewalls Between all Wireless Networks and the CDE

PCI DSS Requirement 1.3.1 - Establishing a DMZ

PCI DSS Requirement 1.3.2 Limit Inbound Internet Traffic

PCI DSS Requirement 1.3.3 - Implement Anti Spoofing Measures

PCI DSS Requirement 1.3.4 - Deny Unauthorized Outbound Traffic

PCI DSS Requirement 1.3.5 - Permit Only Established Connections into the Network

PCI DSS Requirement 1.3.6 Segregate the CDE from the DMZ

PCI DSS Requirement 1.3.7 Do Not Disclose Private IP Addresses

PCI DSS Requirement 1.4 Install Personal Firewall Software

PCI DSS Requirement 1.5 Ensure Security Policies are Known to all Affected Parties

PCI Requirement 2.1 - Always Change Vendor-Supplied Defaults

PCI Requirement 2.1.1 - Change all Wireless Vendor Defaults

PCI Requirement 2.2 - Develop Configuration Standards for all System Components

PCI Requirement 2.2.1 - Implement Only One Primary Function Per Server

PCI Requirement 2.2.2 - Enable Only Necessary Services, Protocols and Daemons

PCI Requirement 2.2.3 - Implement Additional Security Features

PCI Requirement 2.2.4 - Configure System Security Parameters to Prevent Misuse

PCI Requirement 2.2.5 - Remove all Unnecessary Functionality

PCI Requirement 2.3 - Encryption