DEV Community

Uendi Hoxha
Uendi Hoxha

Posted on

Best Practices for Securing Amazon S3 Buckets

###The Risks of Public S3 Buckets
Public S3 buckets can pose significant security risks due to improper configurations. When a bucket is publicly accessible, it allows anyone on the internet to view or manipulate the contents. This misconfiguration can lead to several critical issues.

There are some test buckets you can find here: https://buckets.grayhatwarfare.com/files?bucket=tempdev.s3-us-west-2.amazonaws.com. Notice how the content of the bucket is publicly accessible.

curl https://tempdev.s3-us-west-2.amazonaws.com/
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>tempdev</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated><Contents><Key>3rdpartylicenses.txt</Key><LastModified>2018-05-03T02:32:47.000Z</LastModified><ETag>&quot;c27a89a617ae0a7660c490a46b8c9486&quot;</ETag><Size>12331</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>AvayaHome.7f45b5641004c88bd0ee.jpg</Key><LastModified>2018-05-03T02:32:50.000Z</LastModified><ETag>&quot;7f45b5641004c88bd0ee9d6b1330b90a&quot;</ETag><Size>850159</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>AvayaOffice.801610a579e808709ae0.jpg</Key><LastModified>2018-05-03T02:32:51.000Z</LastModified><ETag>&quot;801610a579e808709ae0338a3f0c39c1&quot;</ETag><Size>163750</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/.bower.json</Key><LastModified>2018-05-03T02:33:14.000Z</LastModified><ETag>&quot;38e89495d6f99665c32e21304ae50d12&quot;</ETag><Size>881</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/LICENSE</Key><LastModified>2018-05-03T02:33:16.000Z</LastModified><ETag>&quot;11c960a3f0bc008428616bffe574b258&quot;</ETag><Size>1094</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/bower.json</Key><LastModified>2018-05-03T02:33:14.000Z</LastModified><ETag>&quot;238c943fc3d1f3f8e92d75d47ef31ea7&quot;</ETag><Size>691</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/cheatsheet.html</Key><LastModified>2018-05-03T02:33:15.000Z</LastModified><ETag>&quot;fb33483329960f43204001c5cf5837c0&quot;</ETag><Size>1276366</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/component.json</Key><LastModified>2018-05-03T02:33:16.000Z</LastModified><ETag>&quot;0e29ebf1783312e96becd2fe4f0fe065&quot;</ETag><Size>429</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/composer.json</Key><LastModified>2018-05-03T02:33:16.000Z</LastModified><ETag>&quot;de83b956f2f9554252e2c316f6cb0c77&quot;</ETag><Size>887</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/css/ionicons.css</Key><LastModified>2018-05-03T02:34:23.000Z</LastModified><ETag>&quot;f27354b28af3cf48d28260c03305d0ce&quot;</ETag><Size>57193</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/css/ionicons.min.css</Key><LastModified>2018-05-03T02:34:23.000Z</LastModified><ETag>&quot;0d6763b67616cb9183f3931313d42971&quot;</ETag><Size>51284</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/fonts/ionicons.eot</Key><LastModified>2018-05-03T02:34:24.000Z</LastModified><ETag>&quot;2c2ae068be3b089e0a5b59abb1831550&quot;</ETag><Size>120724</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/fonts/ionicons.svg</Key><LastModified>2018-05-03T02:34:26.000Z</LastModified><ETag>&quot;621bd386841f74e0053cb8e67f8a0604&quot;</ETag><Size>333834</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/fonts/ionicons.ttf</Key><LastModified>2018-05-03T02:34:23.000Z</LastModified><ETag>&quot;24712f6c47821394fba7942fbb52c3b2&quot;</ETag><Size>188508</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/fonts/ionicons.woff</Key><LastModified>2018-05-03T02:34:26.000Z</LastModified><ETag>&quot;05acfdb568b3df49ad31355b19495d4a&quot;</ETag><Size>67904</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/less/_ionicons-font.less</Key><LastModified>2018-05-03T02:34:27.000Z</LastModified><ETag>&quot;bb570d47b5190b9f55ed9302aac05459&quot;</ETag><Size>880</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/less/_ionicons-icons.less</Key><LastModified>2018-05-03T02:34:27.000Z</LastModified><ETag>&quot;9379d6c15ae5bb23c0c0ad5c2901b4b6&quot;</ETag><Size>90037</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/less/_ionicons-variables.less</Key><LastModified>2018-05-03T02:34:27.000Z</LastModified><ETag>&quot;572209c81d7e5a82cc4a995d0cc459bf&quot;</ETag><Size>27680</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/less/ionicons.less</Key><LastModified>2018-05-03T02:34:27.000Z</LastModified><ETag>&quot;5b6120e1e2a45ba544699d1f6658a20a&quot;</ETag><Size>84</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>assets/bower_components/Ionicons/png/512/alert-circled.png</Key><LastModified>2018-05-03T02:39:02.000Z</LastModified><ETag>&quot;c9f9f9e6871298de4a84fd37c0d88f07&quot;</ETag><Size>2551</Size><StorageClass>STANDARD</StorageClass>
Enter fullscreen mode Exit fullscreen mode
  • Attackers can enumerate or download all files in the bucket and potentially find sensitive data or vulnerabilities using tools like s3cmd to list and download all files in a loop.
  • If the bucket policy permits, you can upload malicious files that could harm users or the service. So, just imagine the scenario where attackers may exploit public buckets to store large amounts of data or generate excessive requests, leading to unexpected charges on your AWS bill!

Best Practices for Securing S3 Buckets

To mitigate the risks associated with public S3 buckets, it is essential to follow best practices that ensure the security and privacy of your data:

*I. Set Default Settings to Private *
Ensure that the default settings of your S3 buckets are private. Only grant access to users and services that absolutely need it. Review access settings regularly to ensure no unintended permissions are granted.

*II. Implement Bucket Policies *
Use S3 bucket policies to define who can access your bucket and what actions they can perform. Limit access to specific IAM users, roles, or AWS accounts as necessary.

III. Enable Server Access Logging
Turn on server access logging for your S3 buckets. This feature allows you to log requests made to your bucket, which can help you monitor access patterns and identify unauthorized attempts to access data.

IV. Enable Versioning
Activate versioning on your S3 buckets. This feature allows you to preserve, retrieve, and restore every version of every object stored in the bucket, making it easier to recover from accidental deletions or overwrites.

V. Encrypt Data At Rest
Enable server-side encryption (SSE) for all objects stored in S3. This ensures that your data is encrypted at rest, adding an extra layer of security. You can choose to use Amazon S3-managed keys (SSE-S3), AWS Key Management Service (SSE-KMS), or customer-provided keys (SSE-C).

VI. Encrypt Data In Transit
Always ensure that data transmitted between your application and S3 is encrypted. Use HTTPS to secure data in transit and prevent man-in-the-middle attacks. This guarantees that sensitive data, such as credentials or personally identifiable information (PII), remains protected during transmission.

VII. Use Block Public Access Feature
AWS provides the S3 Block Public Access feature, which helps you quickly identify and prevent public access to S3 buckets. Enable this feature to block all public access at the account or bucket level.

VIII. Track API Calls with CloudTrail
Utilize AWS CloudTrail to track API calls made to S3 buckets, and configure Amazon CloudWatch alarms to notify you of any suspicious activity or unauthorized access attempts.

IX. Implement Lifecycle Policies
Use lifecycle policies to manage the storage of objects in your S3 buckets. These policies can automatically transition objects to less expensive storage classes or delete them after a specified period, helping reduce storage costs and potential exposure of stale data.

X. Combine Access Points with Bucket Policies
Access Points allow for granular permissions tailored to specific applications or teams. For example, you can create separate Access Points for different applications, granting read or write access as needed. Meanwhile, bucket policies enforce broader rules, such as restricting access to certain IP addresses. This layered approach not only minimizes the risk of unauthorized access but also simplifies permission management, allowing for quick adjustments without affecting overall security.

XI. Use Access Points for Data Lakes
Access Points are invaluable when building a data lake in S3, as they enable tailored access for various teams. Each team can have its own Access Point with specific permissions, ensuring they access only the data they need. For instance, X team might have broad read access, Y team has restricted access to sensitive data. This segmentation enhances governance and compliance with regulations, providing clear oversight of who accesses what data. Additionally, Access Points can optimize performance by directing requests more efficiently, leading to faster data retrieval and processing.

Top comments (0)