Amazon Web Services (AWS) Simple Storage Service, more commonly known as AWS S3 bucket, is officailly15 years old. In that time it has become one of the leading object storage services that let your organization store, access, and retrieve data anywhere on the Internet using a simple web-based interface. It’s a favorite for developers because this resource lets them perform a variety of functions — like adding metadata to objects, moving and storing data across object storage classes, and running big data analytics, to name just a few. An incredibly powerful service, S3 is backed by AWS’s fast and scalable storage infrastructure. Yet despite its skyrocketing popularity, the service remains a lightning rod for breaches due to widespread security misconfiguration, misunderstood s3 permissions, and unknown s3 bucket policy.
Gartner stated, “through 2022, at least 95 percent of cloud security failures will be the customer’s fault.” In a high-profile example, Expedia’s hotel reservation software provider exposed millions of hotel guest records in a breach because they were storing sensitive guest data in an unsecured S3 bucket. The misconfigured AWS bucket reportedly did not require any authentication to access. As an incredibly powerful service, the AWS S3 bucket remains a lightning rod for data breaches due to widespread security misconfigurations.
Believe it or not, this is a common mistake that countless organizations are currently making — most just don’t know it yet. Oftentimes, administrators assume that S3 is inherently secure simply because it runs on AWS. While AWS is known for providing top-of-the-line cloud security, there are a number of steps you need to take to prevent breaches from occurring.
Tips To Secure Your S3 Buckets
Block Public Access to S3
By default, all new buckets, objects, and access points are not set up for public access. Yet, users can modify policies and S3 permissions to allow public access — meaning sensitive data could potentially be accessed by any user via a URL. Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, you should ensure that all buckets are not public. There are a few actions you should take today to ensure your S3 service is secure.
To block public access use the S3 Block Public Access settings to override S3 permissions and prevent accidental or intentional public exposure. These settings let administrators centralize account controls for maximum protection and regardless of how the resources are created.
Identify Bucket Policies that Allow Wildcard IDs
Next, you should identify S3 bucket policies that allow a wildcard identity, such as Principal “*” or allows a wildcard action “*” that effectively allows the user to perform any action in S3.
According to AWS, this may include one or more of the following:
- A set of Classless Inter-Domain Routings (CIDRs) using aws:SourceIp
- An AWS User, Principal, or Service Principal
- aws:userid, outside the pattern “AROLEID:*”
Amazon provides instructions on how to make policies non-public. For an overview, check out this article. Similarly, take note of AWS S3 bucket ACL (access control lists) that provide read, write, or full-access to “Everyone” or “Any authenticated AWS user.” To be considered non-public, a bucket policy must grant access to fixed values — or values that do not have a wildcard.
Inspect Implementations with Tools
It’s a good idea to use AWS Trusted Advisor to inspect S3 implementations in order to make sure you cover all your bases. Trusted Advisor is an online tool that offers real-time guidance and support when provisioning resources on AWS. This service can increase security, optimize your infrastructure, and reduce operating costs, among other benefits. However, Trusted Advisor only goes so far and as organizations mature, more advanced tools will likely be required.
Sonrai Dig can also help to remediate your AWS S3 implementation and enforce your controls as well as ongoing monitoring of your identity and data risks.
Enable Multi-factor Authentication (MFA) Delete
Another way to enhance security is to make a bucket’s versioning configuration MFA Delete-enabled.
When a bucket is MFA Delete-enabled, a bucket owner must include the ‘x-amz-mfa’ request header in requests to permanently delete an object version or change the bucket’s versioning state.
In addition, requests that include ‘x-amz-mfa’ are required to include HTTPS. A header’s value contains an authentication device’s serial number, authentication code, and a space. Failure to include this information in the request header will result in a failed request.
All data should be encrypted while in transit (i.e., traveling to and from S3) and while it’s in rest and stored on disks in S3 data centers. You can easily protect data in S3 using client-side encryption or using Secure Socket Layer/Transport Layer Security (SSL/TLS).
Use S3 Object Lock
S3 Object Lock is a service that lets you store objects using a write-once read-many (WORM) model. By using an Object Lock, you can prevent an object from being overwritten or deleted for a fixed time period or indefinitely.
Versioning can help protect your data from user actions and application failure. When bucket versioning is enabled, AWS can store all objects when receiving multiple write requests for the same object simultaneously.
Use Multi-Region Application
AWS now offers Multi-Region Application Architecture that enables users to create fault-tolerant applications with failover to backup regions. This service uses S3 Cross-Region replication and Amazon DynamoDB Global Tables to asynchronously replicate application data across a primary and secondary AWS region.
Enforce Least Privilege Access
You can also prevent unauthorized access to S3 by enforcing least privilege access and granting permissions to identities only when specific tasks need to be performed.
AWS offers several tools for implementing least privilege access including IAM user policies and Permissions Boundaries for IAM Entities, Amazon S3 bucket policies, Amazon S3 bucket ACL (access control lists), and Service Control Policies.
In addition, it’s a good idea to keep a running tab over all the human and non-person identities that have access to your S3. This can be easily achieved using Sonrai Dig.
Where to Start in Securing S3 buckets?
Identify and audit all your AWS S3 buckets
Identification of your Cloud assets is a crucial aspect of governance and security. You need to have visibility of all your Amazon S3 resources to assess their security posture and take action on potential areas of weakness.
Amazon provides the Tag Editor to help identify security-sensitive or audit-sensitive resources. You can then use those tags when you need to search for these resources.
You can consider using the AWS S3 inventory to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. Or you can create resource groups for your Amazon S3 resources. For more information, see What Is AWS Resource Groups?
Implement monitoring using monitoring tools
Monitoring is an important part of maintaining the reliability, security, availability, and performance of AWS services. AWS provides several tools and services to help you monitor Amazon S3 and your other AWS services. For example, you can monitor CloudWatch metrics for Amazon S3, particularly PutRequests, GetRequests, 4xxErrors, and DeleteRequests.
Enable Amazon S3 server access logging
Server access logging provides detailed records of the requests that are made to a bucket. Server access logs can assist you in security and access audits, and help you learn about your customer base.
Use AWS CloudTrail
AWS CloudTrail provides a record of actions taken by an Identity (human or non-human), such as User, a Role, or an AWS service, in an S3 bucket. You can use information collected by CloudTrail to determine the request that was made to Amazon S3, the IP address from which the request was made, who made the request, when it was made, and additional details. For example, you can identify CloudTrail entries for Put actions that impact access, in particular PutBucketAcl, PutObjectAcl, PutBucketPolicy, and PutBucketWebsite. When you set up your AWS account, CloudTrail is enabled by default. You can view recent events in the CloudTrail console. To create an ongoing record of activity and events for your Amazon S3 buckets, you can create a trail in the CloudTrail console.
When you create a trail, you can configure CloudTrail to log data events. Data events are records of resource operations performed on or within a resource. In Amazon S3, data events record object-level API activity for individual buckets. CloudTrail supports a subset of Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. In the Amazon S3 console, you can also configure your S3 buckets to enable object-level logging for CloudTrail.
AWS Config provides a managed rule (cloudtrail-s3-dataevents-enabled) that you can use to confirm that at least one CloudTrail trail is logging data events for your S3 buckets.
Enable AWS Config
Several of the best practices listed above suggest creating AWS Config rules. AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config monitors resource configurations, allowing you to evaluate the recorded configurations against the desired secure configurations. Using AWS Config, you can review changes in configurations and relationships between AWS resources, investigate detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting.
Sonrai Security Tracks Data Access Within AWS
The Sonrai Dig service delivers a complete risk model of all identity (person and non-person) and data relationships, activity, and movement across cloud accounts, cloud providers, and third-party storage. Built from the ground up to address fundamental cloud data security and compliance concerns, the solution delivers the following risk control workflow:
- Discover: Automatically, visualize and map Identity and Data across your clouds
- Classify: Leverage machine learning to determine data type, importance, and risk
- Audit: Continuously map s3 permissions, configuration, and access
- Protect: Use behavioral controls to detect and prevent theft
Implementing controls around what has access to data is fundamental to any security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to data for their stack, they are not standardized across all the stacks available (e.g., Amazon, Google, and Microsoft), do not address third-party data stores, and often require use of low-level tools and APIs. Sonrai Dig resolves this problem through normalized views and control of cloud identity and data access, like your AWS S3 buckets.
AWS S3 is by far one of the most used AWS services available on the market because it is an easily-accessible, inexpensive service for storage. AWS S3 is also a platform capable of serving important use cases, providing infrastructure solutions for many company technology needs.
But this widespread usage has led to some problems — mainly, negligently unprotected AWS S3 buckets. Without protection, information stored in an open Amazon S3 bucket can be browsed by scripts and other tools. Since the information in the bucket may be sensitive, this poses a critical security risk.
Follow the above recommendations, read our AWS security checklist, and reach out should you need help with governing your AWS S3 buckets or s3 permissions.