Get Your AWS S3 Buckets To A Secure State

This year has seen many high profile breaches caused by misconfigured S3 buckets, yet the breaches keep happening. You’d think that users would see these stories about S3 buckets that are open to the world, and take measures to be sure that their own are locked down to avoid becoming the next victim. And, perhaps they do. However, as changes are made to AWS cloud environments, misconfigurations often arise, and your cloud infrastructure begins to drift away from the best practices and original settings. That’s why continuous monitoring of your cloud environments is so important, and every ESP account comes with an AWS S3 Bucket Fitness Report so you can see the state of your S3 bucket security.

Don’t Share Lists of Your Buckets & Policies

There are settings in AWS that allow you to determine who can view lists of your S3 buckets, and who can see and edit your Access Control Lists (ACLs). If your buckets have those settings set to give “All AWS Users” access, you are setting yourself up to be compromised. With global ACL permissions on, you allow anyone to grant wide permissions to your content, at best, you give them a detailed treasure map of which buckets may contain interesting data.

Lock-down Access to Objects in Your S3 Buckets

AWS S3 security configurations allow you to set the GET permission to allow global access to the objects in your S3 buckets. With Global GET enabled, any unauthenticated user can retrieve the data from a S3 bucket if they can guess your namespace. With ESP continuous monitoring, you can be sure that no one has inadvertently set the permission for your S3 buckets to enable anyone to add, update or remove the content of your S3 buckets. In the course of just 5 S3 bucket breaches in 2017, over 200 Million records were breached because the GET permission was not locked down. Don’t add your organization’s name to that list.

Don’t Let Just Anyone Place Objects in Your S3 Buckets

While the breaches that make the news are all about hackers getting access to remove data, hackers putting data into your S3 buckets can be equally dangerous to your organization. If the Global PUT permission is enabled on any of your S3 buckets it means that anyone can place information into your S3 buckets. This may seem harmless, but someone with malicious intent could place content that would be harmful or embarrassing to your business into your buckets. It is best to only allow authorized users and systems to PUT to your S3 buckets.

Who Deleted My S3 Buckets?

If someone can guess your namespace, and you have Global DELETE permissions enabled on your S3 buckets, your data could be wiped out. For that reason, we recommend that you take steps to ensure that only authorized users have permission to delete your buckets to prevent malicious or accidental deletions. Requiring Multi Factor Authentication (MFA) to delete your S3 buckets also provides an added layer of protection to ensure that your CloudTrail logs or other sensitive data can not be removed by an unauthorized user.

Versioning & Logging for the Win

For added S3 bucket security, we recommend that you enable versioning and logging on your S3 buckets. With Versioning turned on, you will protect your organization from incidents where the data in your S3 bucket has been overwritten or deleted. By default, versioning is not turned on for your S3 buckets, so you have to actively make that change. With audit logging of your S3 buckets enabled, you will be able to get the details insight into bucket activity. The logs are an important tool when troubleshooting issues, or investigating an incident. Logging cannot be enable retroactively, so it is important to be collecting your audit logs as you set up your S3 buckets.