Amazon S3 buckets have been at the heart of over a thousand security breaches over the last 4 years alone. Most recently, thousands of cell phone bills for Sprint, AT&T, Verizon, and T-Mobile customers were exposed through an open S3 bucket due to the oversight of a contractor working for one of the cell giants. So what are Amazon S3 buckets and what can organizations using S3 buckets do to avoid being the next headline? In this blog post, we will walk through the basics of Amazon S3, and cover some necessary security practices S3 users should follow.
What is Amazon Web Services (AWS) S3
Amazon Simple Storage Service (Amazon S3) is an AWS service that provides object storage through a web services interface, with the goal of making web-scale computing easier for developers. It lets organizations of all sizes and across industries store large amounts of data for use cases including websites, mobile applications, backup and disaster recovery, and big data analytics.
Organizations turn to storage providers like Amazon to reduce the costs of on-premises storage, such as data-center space and the personnel needed to maintain and restore the hardware. Moving to cloud storage cuts these costs significantly, and Amazon offers a range of storage classes priced by access frequency, so customers can save by keeping infrequently accessed data in cheaper tiers.
AWS S3 Basics
S3 uses a flat, non-hierarchical namespace, storing data as objects within buckets; the "folders" shown in the console are just shared key prefixes, not containers with permissions of their own. Below are the most important basic concepts of S3.
- Buckets are the containers for objects and carry the mechanisms that control access to them (bucket policy, bucket ACL, and Block Public Access settings).
- An object is the uploaded file together with its key (the full path-like name) and the metadata attributes that describe it.
- Access points are named network endpoints attached to a bucket through which S3 object operations can be performed. Each access point has its own policy and network controls (for example, restricting it to a single VPC) that apply to every request made through it.
- Bucket policies are JSON resource policies that provide granular, condition-based control over a bucket and the objects stored within it.
- Access control lists (ACLs) differ from policies in that they grant a fixed set of permissions on a bucket or on an individual object to specific AWS accounts or to predefined groups; they predate policies and offer far less granularity.
- AWS Identity and Access Management (IAM) policies, attached to IAM users, groups, and roles, control which S3 resources those principals may access and what they may do with them.
What is Public Access in S3
The root cause of most, if not all, S3 breaches is the public access configuration on a bucket or its objects. Allowing public access means that virtually anyone in the world can reach the data, provided they know (or guess) the bucket name: bucket names are globally unique, the bucket URL is derived directly from the name, and attackers routinely enumerate likely names.
This type of access can be granted through several different mechanisms, with the primary methods described below.
Bucket ACLs grant a small set of permissions on a bucket: READ (list the objects in the bucket), WRITE (create, overwrite, and delete any object), READ_ACP and WRITE_ACP (read or change the ACL itself), and FULL_CONTROL. Canned ACLs bundle these into a single setting: private, the default for a newly created bucket, gives the owner full control and nothing to anyone else, while public-read (and worse, public-read-write) effectively creates a public bucket. Note that since April 2023 new buckets are created with ACLs disabled (Object Ownership set to bucket owner enforced), so ACL-based public access mainly concerns buckets created before then.
Each grant names a grantee, which is either a specific AWS account or one of the predefined groups AllUsers, AuthenticatedUsers, and LogDelivery. AuthenticatedUsers is frequently misunderstood: it means anyone who holds any AWS account anywhere, not the users of your own account. The best practice is never to grant permissions to the AuthenticatedUsers or AllUsers groups.
A private bucket ACL does not stop a bucket policy from making the whole bucket public. S3 grants a request if any applicable IAM policy, bucket policy, or ACL allows it and no policy explicitly denies it, so a single Allow statement with Principal "*" opens the bucket regardless of the ACL. When evaluating a request, S3 checks the bucket policy before falling back to the bucket ACL, and an explicit Deny in a policy always wins over an ACL grant.
Object ACLs offer the same grants as bucket ACLs but apply only to the individual object they are set on. You can make specific objects public even though the bucket ACL is private, although reaching such a "publicly accessible" object requires knowing its full key, since nothing grants listing. If a bucket or IAM policy explicitly denies the request, it is denied; otherwise the object ACL is evaluated. One more trap: an object ACL belongs to whichever account uploaded the object, so a bucket that accepts cross-account uploads can hold objects whose ACLs the bucket owner does not control.
Block Public Access to AWS S3
Amazon provides features that block public access to data stored in S3 regardless of what individual ACLs and policies say. The primary one is the S3 Block Public Access settings, available in the Amazon S3 Management Console (and through the API and CLI).
As displayed in the screenshot above, there are four basic options available to limit public access within your account (API names in parentheses).
- Block public access to buckets and objects granted through new access control lists (BlockPublicAcls): rejects any PUT of a bucket or object ACL that would grant public access, without affecting ACLs that are already in place.
- Block public access to buckets and objects granted through any access control lists (IgnorePublicAcls): causes S3 to ignore public grants in all ACLs, existing and new. The ACLs are not rewritten or rejected; they simply no longer confer access.
- Block public access to buckets and objects granted through new public bucket or access point policies (BlockPublicPolicy): rejects any PUT of a bucket policy or access point policy that would grant public access, without affecting existing policies. These are resource policies, not IAM policies.
- Block public and cross-account access to buckets and objects through any bucket or access point policies (RestrictPublicBuckets): for any bucket or access point whose policy grants public access, ignores that public and cross-account access so that only principals in the bucket owner's account and AWS services can reach it.
These settings can be applied at the account level, to individual buckets, and to access points; when they differ, S3 applies the most restrictive combination. Before enabling them, confirm that your applications work without public access, since the change takes effect immediately and applies to existing grants. Ultimately, the easiest way to prevent unwanted public access across your AWS account is to enable all four options at the account level. Since April 2023 AWS enables all four by default on newly created buckets, but that does not cover buckets created earlier.
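The following is an added example, not code from the original post, that models the public-access mechanisms described above (ACL grants to AllUsers/AuthenticatedUsers, wildcard-principal bucket policy statements) and the effect of each of the four Block Public Access flags on them. It works offline on dicts shaped like the responses of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block; the bucket name, canonical ID, account ID and sample policies are constructed for illustration.

```python
# Added example, not code from the original post: an offline model of how S3 decides whether
# a bucket is publicly reachable, combining the bucket ACL, the bucket policy and the four
# Block Public Access (BPA) flags. Inputs are dicts shaped like the responses of boto3's
# get_bucket_acl, get_bucket_policy and get_public_access_block; no AWS calls are made.
import json

# Predefined-group URIs that appear in ACL grants. Either one makes a grant public:
# AllUsers is anyone on the internet, AuthenticatedUsers is anyone with any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def _as_list(value):
    """Statement, Action and Principal.AWS may each be a scalar or a list in policy JSON."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Grants in an ACL document (bucket or object) that go to AllUsers or AuthenticatedUsers."""
    return [
        g for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, including "*" as one entry of a list."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy):
    """Allow statements that grant to a wildcard principal and carry no Condition.

    A wildcard grant that has a Condition (for example on aws:SourceIp) is deliberately
    not returned: some condition keys still leave the bucket public, so review it by hand."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def effective_exposure(acl, policy, bpa):
    """What the public can actually reach once the BPA flags are applied.

    IgnorePublicAcls leaves public ACL grants in place but S3 stops honouring them;
    RestrictPublicBuckets leaves a public bucket policy in place but limits it to the
    bucket owner's account and AWS services. The other two flags act at write time."""
    acl_public = bool(public_acl_grants(acl))
    policy_public = bool(public_policy_statements(policy)) if policy else False
    return {
        "acl_grants_public": acl_public,
        "acl_effective": acl_public and not bpa.get("IgnorePublicAcls", False),
        "policy_grants_public": policy_public,
        "policy_effective": policy_public and not bpa.get("RestrictPublicBuckets", False),
    }


def put_would_be_rejected(bpa, acl=None, policy=None):
    """Would BlockPublicAcls or BlockPublicPolicy refuse to store this ACL or policy?"""
    acl_hit = acl is not None and bpa.get("BlockPublicAcls", False) and bool(public_acl_grants(acl))
    pol_hit = policy is not None and bpa.get("BlockPublicPolicy", False) and bool(public_policy_statements(policy))
    return bool(acl_hit or pol_hit)


# Constructed sample inputs; the bucket name, canonical ID and account ID are hypothetical.
OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        # READ on a bucket ACL lets the grantee list every key in the bucket.
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bills-bucket/*"},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bills-bucket", "arn:aws:s3:::example-bills-bucket/*"]},
    ],
})
# Same public principal, but narrowed by a source-IP condition: left for review, not flagged public.
CONDITIONED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bills-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}}
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ALL_ON = {flag: True for flag in BPA_OFF}
BPA_IGNORE_ACLS_ONLY = dict(BPA_OFF, IgnorePublicAcls=True)

if __name__ == "__main__":
    for name, bpa in [("BPA off", BPA_OFF), ("IgnorePublicAcls only", BPA_IGNORE_ACLS_ONLY),
                      ("all four on", BPA_ALL_ON)]:
        print(name, effective_exposure(SAMPLE_ACL, SAMPLE_POLICY, bpa))
```

Running it shows the point of the section: with the flags off the sample bucket is listable through its ACL and readable through its policy; turning on IgnorePublicAcls alone closes the listing but leaves the policy grant live; only RestrictPublicBuckets (or all four) neutralizes the policy as well. To run this against real buckets, feed it the output of the three boto3 calls named in the comments.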
If Public Access Cannot Be Disabled at the Account Level…
It’s very possible that your applications require some level of public access, such as for hosting a static website. In these cases, there are some basic practices that can be followed to avoid unauthorized access to your data stored within S3.
- Instead of denylisting specific principals, allowlist only the principals (IAM users, roles, or accounts) that need access, and scope the grant to the actions and key prefixes they actually use.
- Grant write permissions sparingly, and never to groups such as AuthenticatedUsers or AllUsers; a world-writable bucket lets anyone alter or replace the files your application later serves or trusts.
- Use tools such as Access Analyzer for S3 to continuously review bucket policies and ACLs and flag buckets reachable from the public internet or from other accounts, so that the applied policies grant only the intended access to your S3 resources.
- Focus on protecting your most sensitive data first, which can be identified using tools such as Amazon Macie or third-party tools that assist with sensitive data discovery such as StealthAUDIT.
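As an added example, not code from the original post, the block below builds the two kinds of policy the practices above call for (an allowlist that names specific principals, optionally pinned to source CIDRs, and the minimal public-read grant a static website needs) and reviews any bucket policy for the opposite mistake: write, ACL-changing or listing actions handed to everyone. The bucket name, account ID and role ARN are hypothetical, and the list of dangerous actions is illustrative rather than exhaustive.

```python
# Added example, not code from the original post: build allowlisting bucket policies and review
# any bucket policy for grants to everyone that go beyond read-only object access. The bucket
# name, account ID and role ARN are hypothetical; no AWS calls are made.
import fnmatch
import json

# Actions that must never be granted to a wildcard principal. Illustrative, not exhaustive:
# extend it for your environment (for example s3:PutBucketOwnershipControls, s3:DeleteBucket).
DANGEROUS_IF_PUBLIC = {
    "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketAcl",
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketPublicAccessBlock",
    "s3:ListBucket",  # listing lets a stranger enumerate every key, e.g. every customer bill
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def allowlist_policy(bucket, principal_arns, actions=("s3:GetObject",), source_cidrs=None):
    """Grant only the named principals the given object-level actions; optionally also
    require the request to originate from one of `source_cidrs` (aws:SourceIp)."""
    statement = {
        "Sid": "AllowlistedPrincipalsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": list(actions),
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }
    if source_cidrs:
        statement["Condition"] = {"IpAddress": {"aws:SourceIp": list(source_cidrs)}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def static_site_policy(bucket):
    """The single public grant a static website needs: read objects, no listing, no writes.
    The Resource ends in /* (objects only); the bucket ARN itself is deliberately not included."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadObjectsOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _expands_to(pattern, action):
    """IAM action patterns are case-insensitive globs such as s3:* or s3:Put*."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review(policy):
    """Findings for every Allow statement that gives a wildcard principal something from
    DANGEROUS_IF_PUBLIC, or any action on Resource "*". Returns [] for a clean policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for pattern in _as_list(stmt.get("Action", [])):
            hits = sorted(a for a in DANGEROUS_IF_PUBLIC if _expands_to(pattern, a))
            if hits:
                findings.append(f"{sid}: everyone may {', '.join(hits)} (action {pattern})")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f'{sid}: public grant on Resource "*"')
    return findings


# Constructed policy of the kind that causes breaches: everyone may read, write and list.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EveryoneReadWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bills-bucket/*"},
    {"Sid": "EveryoneList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:List*", "Resource": "arn:aws:s3:::example-bills-bucket"},
]}
BILLING_ROLE = "arn:aws:iam::111122223333:role/BillingReader"  # hypothetical

if __name__ == "__main__":
    for label, pol in [("bad", BAD_POLICY), ("static site", static_site_policy("example-site")),
                       ("allowlist", allowlist_policy("example-bills-bucket", [BILLING_ROLE]))]:
        print(label, review(pol) or "clean")
```

The review step matches action globs the way IAM does (s3:List* expands to s3:ListBucket), which is what catches the second statement of the bad policy; the allowlist policy produces no findings because it names its principals instead of "*", and the static-site policy passes because GetObject on objects is the only thing it grants. Access Analyzer for S3 performs this kind of check continuously and far more thoroughly; this block exists to show what it is looking for.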
Cloud storage platforms such as Amazon S3 are great and cost-effective options for organizations to offload the typical burden that comes with data storage. However, as with any other data storage repository, the proper security controls need to be put in place in order to minimize the associated risks. While Amazon provides several tools to help control security and reduce risk, third-party solutions like StealthAUDIT can be leveraged to ensure the right people have the right access to the right data. Learn more about Stealthbits' Data Access Governance solutions here: https://www.stealthbits.com/data-access-governance-solution
Farrah Gamboa is a Director of Technical Product Management at Stealthbits Technologies. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.