Top 5 Amazon S3 Bucket Misconfigurations and How to Monitor Them
Amazon S3 is the backbone storage solution for AWS. S3 buckets allow users to store, access, retrieve, and back up any amount of data at any time. It is an object-based storage service, meaning that it keeps all data as objects. Since so much data ends up in S3 buckets, S3 bucket security should be top of mind when securing an organization's sensitive data.
A small error in S3 configurations can lead to devastating data exposures and a giant loophole for attackers. Therefore, in this article, we’ll touch upon the most common Amazon S3 bucket misconfigurations, along with the risks they pose and how much of the security responsibility lies on your side.
What does your security responsibility include, according to AWS?
Like many other clouds and SaaS services, AWS relies on a shared responsibility model for security. While Amazon keeps up security as the highest priority, there are certain precautions expected on the user side. Some of them include:
- Data management, including encryption and object ownership
- Access management to your data (using IAM roles and other service configurations)
- Classifying assets
- Using AWS CloudTrail or Amazon GuardDuty for S3 or other detective controls such as AWS Config
Amazon S3 Misconfiguration Risks
Misconfigurations are a minefield for security, as recent breaches show.
- An Amazon S3 bucket owned by a logistics company was left accessible without proper authorization controls. This breach exposed sensitive data related to the company's shipments and its clients, consisting of some Fortune 500 organizations. (Report)
- An S3 bucket that contained around 1.5 million files was leaked due to misconfiguration. The leaked files comprised airline employee PII, national ID numbers, and other sensitive data. (Report)
As you can see, Amazon S3 bucket misconfiguration is the common denominator in these cases and many others. Although Amazon now makes S3 buckets private by default, data exposure is still a threat that should be taken seriously. Tampering or unintended configuration changes can strike a heavy blow to your security posture, leading to:
- Data loss
- Data exposure
- Compliance violations
- Security breach
- Financial loss
5 Common Amazon S3 Bucket Misconfigurations
1. S3 Buckets with Public Read and Write Access via ACLs
Allowing public read access is a risk that can lead to unauthorized access to your Amazon S3 buckets. Disabling public read access also contributes to your compliance efforts with many recognized frameworks such as NIST, PCI, GDPR, and MAS. Before IAM and bucket policies existed, ACLs were the way to share buckets, and they caused many exposures. They are still not recommended, but technical debt keeps them around.
Related query in Resmo
SELECT DISTINCT bucket.name, bucket.region, bucket.accountId FROM aws_s3_bucket bucket, bucket.acl.grants as grants WHERE grants.uri = 'http://acs.amazonaws.com/groups/global/AllUsers' AND (grants.permission = 'FULL_CONTROL' OR grants.permission = 'READ_ACP')
Because data breaches keep putting both the affected companies and AWS in the spotlight, AWS introduced an additional safeguard, Block Public Access, at the account and bucket level. These settings override whatever the bucket policy or ACLs say and add a layer of protection.
Related query in Resmo
SELECT * FROM aws_s3_account_level_public_access_block
Public write access is another S3 bucket misconfiguration that can lead to data loss and security breaches. An S3 bucket with public write access grants write permissions, including upload and delete, to anyone on the internet. They can add, delete, or replace objects within your S3 bucket without restriction. Of course, malicious uploads, deletes, and modifications may also cause unexpected charges on your AWS bill.
Related query in Resmo
SELECT DISTINCT bucket.name, bucket.region, bucket.accountId FROM aws_s3_bucket bucket, bucket.acl.grants as grants WHERE grants.uri = 'http://acs.amazonaws.com/groups/global/AllUsers' AND (grants.permission = 'FULL_CONTROL' OR grants.permission = 'WRITE_ACP')
2. S3 Buckets Public Access via Policy
While users can change the accessibility and privacy of their S3 buckets in the bucket policy, the recommended best practice is to disable public read access. A publicly accessible S3 bucket is reachable by other AWS users and, consequently, so is the data stored in it. This may lead to misuse of your data; in another scenario, users might leave S3 buckets containing sensitive data publicly accessible without even noticing.
Related query in Resmo
SELECT name, region, accountId FROM aws_s3_bucket WHERE policyStatus.isPublic
3. S3 Buckets without Server-Side Encryption
Amazon S3 buckets should enforce SSE (server-side encryption) to keep sensitive data secure. Once you set up proper access controls, it might seem highly unlikely that someone would get to AWS data centers or drives to read raw data, but it never hurts to be prepared. You can use Amazon S3-managed keys (SSE-S3) for ease of use and to satisfy many compliance frameworks. It’s free of charge.
You can take it one step further and use keys stored in AWS Key Management Service (AWS KMS), with a key policy that reflects and enforces your internal company policies. However, this can be costly if your bucket has enormous write or read activity. Encryption at rest is one of the make-or-break aspects of major compliance standards, including SOC2, GDPR, HIPAA, PCI, NIST, APRA, and MAS.
Related queries in Resmo
Encrypted with SSE-S3:
SELECT name, region, accountId, sseAlgorithm FROM aws_s3_bucket WHERE sseAlgorithm = 'AES256'
Encrypted with SSE-KMS:
SELECT name, region, accountId, sseAlgorithm FROM aws_s3_bucket WHERE sseAlgorithm = 'aws:kms'
Not encrypted at all:
SELECT name, region, accountId, sseAlgorithm FROM aws_s3_bucket WHERE sseAlgorithm IS NULL
4. S3 Bucket Access Logging Disabled
Not ensuring that S3 bucket access logging is enabled on the CloudTrail S3 bucket is one of the most common misconfigurations in AWS S3. Amazon S3 is integrated with CloudTrail, which records actions taken by a user, role, or AWS service in S3. CloudTrail also logs a subset of S3 API calls as events, so you can track your event history.
Access logs are essential in all compliance frameworks and standards. In most cases, you should be collecting them and retaining them for a period ranging from a month to a year. Moreover, fixing this misconfiguration brings you closer to complying with standards like NIST, HIPAA, SOC2, GDPR, CIS, PCI, and MAS.
5. S3 Versioning Disabled
- S3 can keep versions of your objects for you.
- Versions are helpful for reverting changes.
- Be sure to set up a bucket lifecycle policy to delete old versions; otherwise, every update is retained and the bill grows.
- Not really required for all buckets (for example, image uploads for a social media application), but recommended wherever you store sensitive and critical data.
As a bonus, you can also consider S3 Object Lock, which prevents deletion, but this is a slightly advanced feature.
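As an added example (not Resmo's code or queries), the following Python check evaluates one bucket snapshot against all five misconfigurations above. The snapshot dicts mirror the shapes of the s3api get-bucket-acl, get-public-access-block, get-bucket-policy-status, get-bucket-encryption, get-bucket-logging and get-bucket-versioning responses, and both sample buckets are constructed, not real.

```python
# Added example (not Resmo's code): evaluate one bucket snapshot against the five
# misconfigurations above. Field shapes mirror s3api Get* responses; samples are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(b):
    """Return finding tags for a bucket snapshot dict; an empty list means clean."""
    findings = []
    # 1. ACL grants to the AllUsers/AuthenticatedUsers groups, read or write
    for grant in b.get("acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append("public-acl:" + grant.get("Permission", "?"))
    # Block Public Access only overrides ACLs and policies if all four flags are on
    if not all(b.get("public_access_block", {}).get(flag) for flag in PAB_FLAGS):
        findings.append("public-access-block-incomplete")
    # 2. S3 itself reports whether the bucket policy makes the bucket public
    if b.get("policy_status", {}).get("IsPublic"):
        findings.append("public-policy")
    # 3. Default SSE is AES256 (SSE-S3) or aws:kms (SSE-KMS); no rule means none
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in b.get("encryption", {}).get("Rules", [])} - {None}
    if not algorithms:
        findings.append("no-default-encryption")
    # 4. Server access logging is on only when a target bucket is configured
    if "LoggingEnabled" not in b.get("logging", {}):
        findings.append("access-logging-disabled")
    # 5. Versioning counts as off unless Status is "Enabled" ("Suspended" is off)
    if b.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning-not-enabled")
    return findings

# Constructed snapshot of a badly configured bucket
LEAKY_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "public_access_block": dict.fromkeys(PAB_FLAGS, False),
    "policy_status": {"IsPublic": True},
    "encryption": {}, "logging": {}, "versioning": {"Status": "Suspended"},
}
# Constructed snapshot after remediation: owner-only ACL, all four block flags, SSE-KMS, logging, versioning
HARDENED_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}]},
    "public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "policy_status": {"IsPublic": False},
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"}},
    "versioning": {"Status": "Enabled"},
}
```

Feeding real snapshots in is a matter of building the same dict from the six s3api calls per bucket; the finding tags map one-to-one onto the Resmo queries in the sections above.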
Continuously Monitor Your S3 Buckets with Resmo
Malicious threat actors can easily exploit misconfigurations, unexpected asset changes, creations, and deletions. Although a single misconfiguration may seem negligible, in the worst case an unmonitored, leaky S3 bucket exposes your data and your clients' data. Data breaches also bring financial losses as well as reputational damage.
AWS provides numerous practices to ensure proper authentication and access. However, improving cloud security is challenging without knowing all your assets. The good news is that Resmo can help you gain visibility across your organization's cloud assets, including S3. To protect your S3 buckets against misconfigurations and security gaps using Resmo, you can:
- List all your S3 buckets
- Track any change that occurs to accelerate debugging
- Set up rules to automatically check your S3 bucket security and compliance
- Query across your entire cloud asset inventory
- Collect compliance evidence
How to Query Your S3 Buckets in Resmo
- Sign in or sign up for a Resmo account.
- Click Queries and type "S3" to make related managed queries appear, or filter by Integrations > AWS.
- Select one to use and Run Query.
- Another option is running a custom query. For example, you can list your S3 buckets in the us-west-2 region by typing:
SELECT * FROM aws_s3_bucket WHERE region = 'us-west-2'
Resmo uses standard SQL language to keep the learning curve to a minimum. Bonus Tip: To query your S3 bucket changes, add '_changes' to your resource key.
For further information on resources, integrations, and queries, visit Resmo developer documentation.
How to Monitor Your S3 Bucket Resources
- On your Resmo account, navigate to Resources.
- Type S3 or AWS in the search bar to look up related resources.
- Then, select S3, and you'll see an overview of your S3 buckets.
- Click each to monitor their details, such as a summary, JSON file, and change records.
As easy as that! Plus, you can sign up to Resmo today and start your free trial. Then, you'll be able to put a lid on any leaky bucket you have.