alphaspirit - Fotolia
Leaky Amazon S3 buckets can expose sensitive customer and employee data, passwords and internal business documents. Since 2017, there has been an overwhelming number of sensitive data disclosure scenarios and breaches involving misconfigured and publicly available Amazon S3 buckets. Security professionals likely remember incidents that left organizations involved in hot water, including the following:
- A Verizon partner leaked personal records of more than 14 million Verizon customers in 2017. Names, addresses, account details and even account PINs were exposed in several cases.
- An Amazon S3 bucket leaked the personal details of more than 198 million American voters in 2017. The database contained information from three data mining companies known to be associated with the Republican Party.
- The internet service provider PocketiNet left 73 GB of incredibly sensitive data in an exposed S3 bucket in late 2018. Data included cleartext passwords, AWS keys and network diagrams.
While these exposures are bad, the worst might be the Los Angeles Times exposing its site source code in S3 in February 2018, where an attacker edited the code to include cryptocurrency mining functions.
According to research from McAfee, 7% of S3 buckets are wide open to the world, and another 35% are not using encryption, which is built into the service. As organizations move more workloads into cloud environments, security professionals continue to see stories about exposed S3 buckets. Some may wonder how this keeps happening. In all likelihood, organizations may be unaware of the wide range of security controls available to help achieve S3 bucket security.
Restrict access to S3
It is important to note that Amazon S3 buckets start out secure by default. It is true: S3 buckets are private until policies or permissions are changed that enable public access. A hierarchical set of permissions can be set to grant access to Amazon S3 buckets and objects within the folders, known as keys. Only an account owner and resource creator have access to a bucket and key by default.
One of the most important access controls offered by AWS for S3 is the block public access function. The easiest way to completely disable all public access to buckets is through the AWS console or command line. This overrides bucket-specific identity and access management (IAM) policies or object permissions. If you do need some specific items or buckets to have public access -- or more granular access from internal resources -- security teams can create bucket-specific IAM policies or wider-scale IAM policies for users, groups and roles within the AWS environment.
While these policies are the most programmatically scalable way to control S3 bucket and object access, you can also create S3 access control lists that can be used to provide permissions similar to file share servers -- for example, full control or read/write permissions -- to AWS accounts or a set of predefined groups. To grant explicit permission to an object or to upload keys, security teams can use query string authentication and URL-based access. However, these should be used sparingly for specific use cases. Security teams can also require multifactor authentication use in order to access certain S3 APIs or restrict attempts to delete S3 objects.
S3 data protection methods
Amazon S3 supports HTTPS for secure transport of objects to and from buckets. All AWS API tools and SDKs also employ HTTPS by default. Amazon has extensive options for data encryption at rest within S3. AWS Server-Side Encryption can be enabled using S3-managed encryption keys that are managed and controlled by the service, customer master keys created automatically within AWS Key Management Service, or customer-supplied keys that are imported into KMS. S3-managed and default KMS keys can be applied to all S3 buckets as a default configuration.
Data lifecycle policies can be enabled within S3 to automatically delete data after a specified time period.
Monitor your S3 buckets
To ensure S3 bucket security, enable adequate monitoring within the AWS environment to track both bucket- and object-level activity. AWS CloudTrail records all actions related to S3 buckets. However, security teams must explicitly enable S3 data events logging within CloudTrail to record logs of any object activity within the buckets themselves.
AWS also supports detailed logs on requests to S3 buckets through S3 server access logging. This can be enabled on each bucket. Teams must designate another S3 bucket as the log destination. AWS Config has a number of S3 monitoring policies that can alert security and operations teams when access controls, logging and data protection controls are not properly configured.
AWS has many available options for locking down and monitoring S3. It is critical that cloud engineering, operations and security teams learn the various options in order to maintain S3 bucket security.