This content is part of the Conference Coverage: A complete guide to AWS re:Invent 2019


AWS Access Analyzer aims to limit S3 bucket exposures

Amazon Web Services introduced the Access Analyzer tool at its re:Invent event. The new option aims to help users avoid accidentally exposing data stored in S3 buckets.

Amazon Web Services is taking another crack at mitigating S3 bucket misconfigurations and data exposures with a new tool called IAM Access Analyzer.

Announced at the re:Invent conference in Las Vegas, IAM Access Analyzer will be part of the AWS Identity and Access Management (IAM) console. The tool will alert users when an S3 bucket is configured to be publicly accessible and will offer a one-click option to block public access, so that unintended access can be shut off quickly.

"When reviewing results that show potentially shared access to a bucket, you can Block All Public Access to the bucket with a single click in the S3 Management console, configure more granular permissions if required, or for specific and verified use cases that require public access, such as static website hosting, you can acknowledge and archive the findings on a bucket to record that you intend for the bucket to remain public or shared," Shasya Sharma, senior technical product manager for AWS, wrote in a blog post.

The IAM Access Analyzer console will group all publicly accessible buckets and show users whether this access is the result of an access control list (ACL), a policy setting, or both, as well as which permissions are enabled for that bucket.
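To make the ACL-versus-policy distinction concrete, here is an added example (not AWS's code and not part of the original article) that classifies a bucket as exposed via its ACL, its bucket policy, both, or neither, taking inputs in the shape of the S3 GetBucketAcl and GetBucketPolicy responses. The sample ACLs and policy are constructed, and the wildcard-principal test is a simplification of what Access Analyzer evaluates: a statement with a Condition is treated here as not plainly public, even though some conditions still leave a bucket open.

```python
import json

# Group URIs that make a bucket readable by anyone (AllUsers) or by any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_is_public(acl):
    """True if any grant in a GetBucketAcl-style dict goes to a public group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
        for g in acl.get("Grants", [])
    )

def _principal_is_wildcard(principal):
    """Anonymous principal forms: "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_is_public(policy_json):
    """True if the bucket policy (JSON text or None) has an unconditional Allow for "*"."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(
        s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")  # simplification: conditioned statements are not flagged
        for s in stmts
    )

def classify_bucket(acl, policy_json):
    """Return 'acl', 'policy', 'both' or 'private', mirroring the console's grouping."""
    via_acl, via_policy = acl_is_public(acl), policy_is_public(policy_json)
    if via_acl and via_policy:
        return "both"
    return "acl" if via_acl else "policy" if via_policy else "private"

# Constructed sample inputs; "example-bucket" and "owner-id" are placeholders, not real resources.
ACL_PUBLIC = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
ACL_PRIVATE = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feeding real GetBucketAcl and GetBucketPolicy output through classify_bucket gives the same three exposure categories the article describes, which is a useful cross-check when triaging findings.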

S3 buckets are private by default, but that hasn't stopped a series of high-profile data exposures due to misconfiguration, including exposures involving data from the Department of Defense, Verizon and more. AWS has been trying for two years to mitigate S3 bucket exposures, beginning with making it clearer when buckets were public, sending emails to owners of public buckets, introducing settings that change the configuration of many buckets at once, and adding new tools.

AWS announced Control Tower at a re:Invent conference in Boston earlier this year as a landing page for some of these tools, such as AWS Config, which allows users to set standardized rules for S3 buckets and receive alerts if a new bucket is deployed that isn't consistent with those rules.

Chris Vickery, director of cyber risk research at UpGuard, based in Mountain View, Calif., who has found a number of exposed S3 buckets, said IAM Access Analyzer "is definitely a step in the right direction," but may not see wide adoption.

"The most notable aspect being that you have to know it exists and proactively turn it on," Vickery told SearchSecurity. "Entities with massive already-existing configurations and systems may be hesitant to change things even if problems are detected, for fear of breaking the overall functionality.

"There is also the aspect of smaller operations, without sophisticated IT staff, feeling a bit overwhelmed with all the tech language, ID strings and other output," Vickery added. "Those types of people want to simply know 'Am I in trouble? Yes or no?' It's a complicated situation because Amazon doesn't inherently know the purpose of each customer's use."
