Understanding and Securing Your S3 Public Bucket

Author

Reads 170

Crop faceless kid in black witch costume standing with bucket on Halloween in autumn day near stair and bushes
Credit: pexels.com, Crop faceless kid in black witch costume standing with bucket on Halloween in autumn day near stair and bushes

Having a public S3 bucket can be a double-edged sword - it allows for easy sharing and collaboration, but also exposes your data to the public internet. This is especially concerning if you're storing sensitive information.

To make matters worse, S3 public buckets are often overlooked and forgotten, leaving them exposed for extended periods of time. A staggering 30% of S3 buckets are left public by default, making them vulnerable to unauthorized access.

Securing your S3 public bucket requires a combination of best practices and vigilance. By understanding the risks and taking proactive steps, you can protect your data and maintain the benefits of a public bucket.

Understanding S3 Public Bucket

S3 public buckets can lead to data leaks or ransomware due to publicly exposed storage.

If a bucket policy allows IAM actions from any principal, it essentially makes the bucket public, giving attackers read/write access to the bucket contents.

Remediation and Resolution

Credit: youtube.com, How To Solve Amazon S3 Object Access Denied | AWS

To deny public access to your Amazon S3 buckets, you need to remove or modify the bucket policy to prevent public access.

Remove any bucket policies that allow public access to your S3 buckets.

Enabling an account-wide public access block is another option to ensure no S3 bucket in your AWS account is public.

You'll need to repeat the process for each publicly accessible Amazon S3 bucket in your AWS cloud account.

Repeat steps to deny public access for each publicly accessible Amazon S3 bucket.

By following these steps, you can effectively remediate vulnerable resources and prevent public access to your S3 buckets.

Security and Permissions

S3 buckets can have various permissions, including public-read, public-write, and full permission, which can be granted to entities like AuthenticatedUsers and AllUsers.

To make a bucket public, you can use canned policies like public-read, or apply specific policies to grant access to specific entities. Canned ACLs provide an easy way to set up global permissions, but you can also apply specific policies to grant or deny access to specific entities.

Credit: youtube.com, Amazon S3 Access Control - IAM Policies, Bucket Policies and ACLs

The five permissions that can be granted are READ, READ_ACP, WRITE, WRITE_ACP, and FULL_PERMISSION. These permissions can be applied to every object on the bucket and the bucket itself, or just to the ACLs.

Here are some entities that can be granted permissions:

  • AuthenticatedUsers
  • AllUsers
  • LogDelivery

As a security best practice, you should watch out for AuthenticatedUsers and AllUsers groups.

The Permission Model

The Permission Model is a crucial aspect of Amazon S3 security. It determines who can access your buckets and objects.

There are two main types of permissions: Bucket ACLs and Bucket Policies. Bucket ACLs are a way to set up global permissions in one shot, and they can be applied using canned policies or specific policies. Canned ACLs provide an easy and quick way to set up global permissions, but specific policies can be used to grant or deny access to specific entities.

The five permissions that can be granted are READ, READ_ACP, WRITE, WRITE_ACP, and FULL_PERMISSION. These permissions apply to every object on the bucket and can be used to grant or deny access to specific entities.

Explore further: S3 Bucket Permissions

Credit: youtube.com, Build a Permission Set Led Security Model | Admin Best Practices

A Grantee is an object who holds three or four basic pieces of information: the type of the grantee (CanonicalUser or Group), the XML XSI schema, and the ID or URI. Grantees can be entities such as AuthenticatedUsers, AllUsers, or LogDelivery.

Here are the five permissions that can be granted:

  • READ
  • READ_ACP
  • WRITE
  • WRITE_ACP
  • FULL_PERMISSION

As a security best practice, you should watch out for AuthenticatedUsers and AllUsers groups. These groups can be used to grant or deny access to specific entities, but they can also be used to make your bucket public.

Bucket Policies are a more complex way to allow or disallow actions on the bucket's objects. They can be used to make the whole bucket public, even if the bucket is created with a canned ACL that sets it to private.

Virtual Hosted Request

Virtual host style URLs are the default way of referencing your objects.

In a virtual-hosted-style URI, the bucket name is part of the domain name in the URL. This format is used for the object we just uploaded, with the virtual-hosted-style URL being the default reference.

Black and White Border Collie Puppy in Brown Metallic Bucket
Credit: pexels.com, Black and White Border Collie Puppy in Brown Metallic Bucket

The virtual hosted style access doesn’t work with dot in the bucket names. This is because dots in your bucket name create what appears to be multiple subdomain levels, which a single wildcard certificate doesn’t cover.

A single wildcard certificate can't cover multiple subdomain levels, which is a limitation of virtual hosted style access.

A different take: Aws S3 Certificate

Who to Blame in Public?

In public S3 buckets, it's not just the user's fault. An inexperienced person can accidentally make a bucket public by checking the wrong box in the "Permissions" section.

Amazon explicitly warns users about public buckets in the Management Console. If a developer claims they didn't know the bucket was public, don't trust them.

Small misconfigurations can lead to huge security vulnerabilities, especially in mature products. This is a common issue that arises when developers implement features without considering security.

Amazon alerts users every time they view the Management Console that their bucket is public. It's surprising how often this warning is ignored.

Related reading: Secure S3 Bucket

Detection and Audit

Credit: youtube.com, Detect AWS S3 Public Buckets using Splunk

To detect public buckets, you can use the command line to create a bucket with a public-read policy, and then inspect the trail for the specified event name, request parameters, and username.

The CLI command to create a bucket with a public-read policy is used to create a public bucket with such policies. The event name is CreateBucket, and the request parameter x-amz-acl is set to public-read.

The username is the assumed role, not the user who assumed that role, making attribution harder.

You can build a query to catch this by specifying the CreateBucket event action, parsing fields to apply logic, and using a where clause to detect public-read ACLs.

Here's a breakdown of the query:

To audit, repeat the process for each Amazon S3 bucket you want to examine, available within your AWS cloud account.

Access and Management

Access to an S3 public bucket is granted by default to all users on the internet, making it accessible through the public internet.

Credit: youtube.com, AWS Pi Week 2021: Managing access to your Amazon S3 buckets and objects | AWS Events

To manage access to your S3 public bucket, you can use the AWS Management Console, the AWS CLI, or the AWS SDKs.

You can also use IAM policies to control access to your S3 bucket, by specifying which actions users can perform on the bucket.

To restrict access to your S3 public bucket, you can use a bucket policy to deny access to specific users or groups.

You can also use a CORS configuration to control how your S3 bucket responds to cross-origin requests.

To manage the permissions of your S3 bucket, you can use the AWS Management Console to add or remove users and groups, and to update the permissions of existing users and groups.

Readers also liked: Amazon S3 Static Site

Terraform and AWS

Terraform and AWS can be a powerful combination for managing S3 public buckets.

You can use Terraform to create and manage AWS resources, including S3 buckets, with a single configuration file.

Terraform allows you to define infrastructure as code, making it easier to version and collaborate on AWS configurations.

For another approach, see: Terraform Aws S3 Bucket

Credit: youtube.com, How to create S3 bucket using Terraform | Terraform AWS Cloud Tutorial

The `aws_s3_bucket` resource in Terraform can be used to create an S3 bucket, and the `aws_s3_bucket_public_access_block` resource can be used to control public access to the bucket.

To use Terraform with AWS, you need to install the Terraform AWS provider plugin and configure your AWS credentials.

The Terraform AWS provider plugin allows you to interact with AWS resources, such as S3 buckets, using Terraform's infrastructure as code model.

You can use Terraform to create an S3 bucket and grant public read access to it using the `aws_s3_bucket` and `aws_s3_bucket_public_access_block` resources.

This approach can help you manage S3 public buckets more efficiently and reliably.

Broaden your view: Terraform S3 Bucket Policy

Tiffany Kozey

Junior Writer

Tiffany Kozey is a versatile writer with a passion for exploring the intersection of technology and everyday life. With a keen eye for detail and a knack for simplifying complex concepts, she has established herself as a go-to expert on topics like Microsoft Cloud Syncing. Her articles have been widely read and appreciated for their clarity, insight, and practical advice.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.