Amazon S3 buckets have been at the heart of over a thousand security breaches over the last 4 years alone. Most recently, thousands of cell phone bills for Sprint, AT&T, Verizon, and T-Mobile customers were exposed through an open S3 bucket due to the oversight of a contractor working for one of the cell giants. So what are Amazon S3 buckets and what can organizations using S3 buckets do to avoid being the next headline? In this blog post, we will walk through the basics of Amazon S3, and cover some necessary security practices S3 users should follow.
Amazon Simple Storage Service (or Amazon S3) is a service offered by AWS that provides object storage through a web interface with the goal to make web-scale computing easier for developers. This service enables organizations of all sizes and across various industries to store large amounts of data for a variety of use cases including websites, mobile applications, disaster recovery, and big data analytics.
Organizations are turning to storage providers like Amazon to reduce the costs associated with on-premises storage, such as the high cost of rent and the personnel necessary to maintain and restore related hardware. By moving to cloud storage, this cost is reduced significantly. Amazon offers a wide range of cost-effective storage classes that support different data access levels at corresponding costs, allowing customers to save money by storing infrequently accessed data in lower tiers.
Amazon leverages a flat, non-hierarchical structure, storing data as objects within buckets. Below are some of the most important basic concepts of S3.
The root cause of most, if not all, of the security breaches involving S3 buckets is the public access configuration set on the buckets or objects. Allowing public access grants access to virtually anyone in the entire world, provided they have the unique ARN of the specific bucket or object.
This type of access can be granted through several different mechanisms, with the primary methods described below.
Bucket ACLs can provide granular controls that can be applied on a bucket, including READ, READ_ACP, WRITE, WRITE_ACP, and FULL_PERMISSION. However, canned ACLs are also available, which provide an easy way to set up global permissions in one shot. By default, the PRIVATE ACL is applied to newly created buckets, but end users can also apply the PUBLIC-READ canned policy, which essentially creates a public bucket.
These permissions are specified for a specific grantee, which can be a user or a group. The group can be any of the following: AuthenticatedUsers, AllUsers, and LogDelivery. The best practice is to avoid granting permissions to the AuthenticatedUsers or AllUsers groups.
Regardless of whether the bucket ACL is set to PRIVATE, a bucket policy can be used to override this and essentially make the whole bucket public. In terms of the permissions granted to an S3 bucket, bucket policies are evaluated first followed by the bucket ACL.
Object ACLs provide similar granularity to bucket ACLs but only apply to the individual objects they are attached to. You can make specific objects public even though the bucket ACL is set to private, although accessing these “publicly accessible” objects requires knowing the full path to the object. If an object’s unique identifier is explicitly blocked in a higher policy, then the request is blocked. Otherwise, the object ACL is evaluated.
Amazon has introduced features that can be used to block unauthorized users from accessing data stored within S3. One of the primary methods is the S3 Block Public Access settings available within the Amazon S3 Management Console.
As displayed in the screenshot above, there are four basic options available to limit public access within your account.
While these settings can be set at the account level, they can also be applied for individual access points and buckets. Before applying these settings, end-users should ensure that their application will work correctly without public access. Ultimately, the easiest way to prevent unwanted public access to your AWS account is to enable all of these configuration options at the account level.
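The evaluation order described above (bucket policy, then bucket ACL, with Block Public Access able to neutralise both) can be checked offline against exported configuration. The following is an added example, not code from the original post or from Stealthbits; the ACL and policy documents are constructed samples in the shape returned by the S3 API, and the four flag names are the real S3 PublicAccessBlock settings.

```python
import json

# Grantee groups the post warns against. These are the real S3 group URIs.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (permission, group) for every ACL grant made to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            hits.append((grant.get("Permission"), group))
    return hits

def public_policy_statements(policy):
    """Return the Sid of every unconditional Allow statement whose Principal is the wildcard '*'.
    Statements with a Condition are skipped here and should be reviewed by hand."""
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<unnamed>"))
    return hits

def effective_exposure(acl, policy, block_public_access):
    """Apply the Block Public Access flags: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises public bucket-policy statements. BlockPublicAcls and
    BlockPublicPolicy only reject *new* public settings, so they do not change existing exposure."""
    findings = []
    if not block_public_access.get("IgnorePublicAcls", False):
        findings += [f"ACL grants {perm} to {group}" for perm, group in public_acl_grants(acl)]
    if not block_public_access.get("RestrictPublicBuckets", False):
        findings += [f"policy statement '{sid}' allows Principal *" for sid in public_policy_statements(policy)]
    return findings

# Constructed sample documents (not from any real account): a public-read style ACL and a
# bucket policy granting anonymous GetObject, the two mechanisms described in the post.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", '
                          '"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                          '"Resource": "arn:aws:s3:::example-bucket/*"}]}')

if __name__ == "__main__":
    for flags in ({}, {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}):
        print(flags, "->", effective_exposure(SAMPLE_ACL, SAMPLE_POLICY, flags) or ["no public exposure"])
```

Run against the real output of `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` for each bucket to get the same report for an account.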
It’s very possible that your applications require some level of public access, such as for hosting a static website. In these cases, there are some basic practices that can be followed to avoid unauthorized access to your data stored within S3.
Cloud storage platforms such as Amazon S3 are great and cost-effective options for organizations to leverage to offload the typical burden that comes along with data storage. However, as with any other data storage repository, the proper security controls need to be put in place in order to minimize the associated risks. While Amazon provides several tools to help control security and reduce risk, third-party solutions like StealthAUDIT can be leveraged to ensure the right people have the right access to the right data. Learn more about Stealthbits’ Data Access Governance solutions here: https://www.stealthbits.com/data-access-governance-solution
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.
© 2022 Stealthbits Technologies, Inc.
That was a really good article on S3, especially handling security. I couldn’t agree more on the point that a misconfigured S3 bucket can lead to big security breaches. Thanks for the great post.