AWS Security: S3 storage security

Hi again,

One of the biggest problems in AWS (from looking at security breach reports) has always been S3 publicly accessible by accident or having wildcard resources in the policy. What would you recommend to a company that has been using S3 for many years, has tons of buckets and they would like to be continuously assured that there is no security risk?

It would be good to add these S3 guidelines to your book as this question comes up quite often from my experience.

Thank you in advance for your response.
 
Lucian Maly
Thanks, that is quite a comprehensive list and they are doing most of these things from what I can see - but they could improve their AWS Config rules, so thanks for that!
author & internet detective
We had a technical problem and lost the post Lucian is replying to. Text is here:

Amazon Simple Storage Service (S3) provides a number of security features to consider as you develop and implement your own security policies. I recommend you focus on the following best practices for Amazon S3, which can help prevent security incidents:
* Ensure that your Amazon S3 buckets use the correct policies and are not publicly accessible
  - Identify and audit all your Amazon S3 buckets
  - Implement monitoring using AWS monitoring tools
  - Enable Amazon S3 server access logging
  - Use AWS CloudTrail
  - Enable AWS Config (s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited managed AWS Config Rules)
  - Consider using Amazon Macie with Amazon S3
  - Use AWS Trusted Advisor
* Implement least privilege access
* Use IAM roles for applications and AWS services that require Amazon S3 access
* Enable multi-factor authentication (MFA) Delete
* Consider encryption of data at rest (client-side as well as server-side)
* Enforce encryption of data in transit
* Consider S3 Object Lock
* Enable versioning
* Consider Amazon S3 cross-region replication
* Consider VPC endpoints for Amazon S3 access

As you mentioned, the first one is the most important. Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, you should ensure that your S3 bucket is not public. The following are some of the steps you can take:
* Use Amazon S3 block public access: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
* Identify Amazon S3 bucket policies that allow a wildcard identity such as Principal "*" (which effectively means "anyone"); similarly, note Amazon S3 bucket access control lists (ACLs) that provide read, write, or full-access to "Everyone" or "Any authenticated AWS user."
* Use the ListBuckets API to scan all of your Amazon S3 buckets.

 
Hi Lucian,

You're definitely right that accidentally publicly accessible buckets are a common issue. There are a few things you can use to combat this. The first is that if all your S3 buckets in your account/organization should be private, then you can block all public access for your account: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access.html.

Usually it's not that simple and there's a reason some buckets need public access. For this I like to use AWS Config Rules to identify buckets with public read access using the "s3-bucket-public-read-prohibited" rule. This can alert you to any buckets that are publicly accessible. This Config Rule is also part of the AWS Security Hub Standards, which will generate Security Hub Findings for publicly accessible buckets and many other common issues.

If you want to go even further, you can use Amazon Macie. This is a tool that checks for S3 misconfiguration issues like public read/write access, and classifies the data within the bucket. This can give you higher quality results, for example it would generate a higher severity alert when it finds a publicly accessible bucket with credit card information in it.

You also mentioned policies with wildcard access. There's a Config Rule for this as well: "iam-policy-no-statements-with-admin-access".

Config Rules (and combining them with AWS Security Hub) are really great for continuously monitoring for security violations. Rather than manually searching for misconfiguration every once in a while, these will alert you as soon as it happens.

Dylan
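
As an added example that is not part of this thread, here is a small Python audit of the three things the two replies above say to check on each bucket: a bucket policy with a wildcard Principal, ACL grants to "Everyone"/"Any authenticated AWS user", and whether Block Public Access is fully on. The sample policy, ACL and account ID are constructed; in practice you would feed it the output of boto3's list_buckets, get_bucket_policy, get_bucket_acl and get_public_access_block calls for every bucket.

```python
import json

# S3 ACL group URIs that mean "Everyone" and "Any authenticated AWS user"
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def wildcard_statements(policy_json):
    """Sids of Allow statements whose Principal is "*" or {"AWS": "*"} (i.e. anyone)."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") == "Allow" and "*" in aws:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def public_acl_grants(acl):
    """(group name, permission) pairs the ACL grants to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", []) if g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def audit_bucket(name, policy_json, acl, pab):
    """Report exposure; with all four Block Public Access settings on, S3 ignores public ACLs and blocks/restricts public policies."""
    findings = [f"policy {sid} allows Principal *" for sid in wildcard_statements(policy_json)]
    findings += [f"ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    blocked = all(pab.get(k) for k in PAB_KEYS)
    return {"bucket": name, "public": bool(findings) and not blocked, "findings": findings}

# Constructed sample inputs in the shapes boto3 returns from get_bucket_policy()["Policy"],
# get_bucket_acl() and get_public_access_block()["PublicAccessBlockConfiguration"]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PAB_OFF = dict.fromkeys(PAB_KEYS, False)
PAB_ON = dict.fromkeys(PAB_KEYS, True)

if __name__ == "__main__":
    for pab in (PAB_OFF, PAB_ON):
        print(json.dumps(audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL, pab)))
```

The check is deliberately conservative: a wildcard statement is reported even when a Condition (such as a source VPC endpoint) narrows it, so findings are candidates to review, which is the same stance the s3-bucket-public-read-prohibited Config rule takes before it looks at conditions.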
 
Lucian Maly
Thank you "real" Dylan!