Amazon S3 buckets are the backbone storage solution for AWS. S3 buckets allow users to store, access, retrieve, and back up any amount of data at any given time. It is an object-based storage service, meaning that it keeps all data as objects. Since all data must be stored in S3 buckets, S3 bucket security should be top of mind to secure an organization’s sensitive data.
A small error in S3 configurations can lead to devastating data exposures and a giant loophole for attackers. Therefore, in this article, we’ll touch upon the most common Amazon S3 bucket misconfigurations, along with the risks they pose and how much of the security responsibility lies on your side.
What does your security responsibility include, according to AWS?
Like many other clouds and SaaS services, AWS relies on a shared responsibility model for security. While Amazon keeps up security as the highest priority, there are certain precautions expected on the user side. Some of them include:
- Data management, including object ownership. Amazon encrypts data stored in S3 by default; enforcing encryption of data in transit is up to you.
- Access management to your data (using IAM roles and other service configurations). Amazon is a JumpCloud partner, making it possible to provision users and leverage zero trust security controls through JumpCloud’s open directory platform.
- Classifying assets
- Using AWS CloudTrail or Amazon GuardDuty for S3 or other detective controls such as AWS Config
Amazon S3 Misconfiguration Risks
Misconfigurations are a minefield for security, as recent breaches make evident.
- An Amazon S3 bucket owned by a logistics company was left accessible without proper authorization controls. This breach exposed sensitive data related to the company’s shipments and its clients, consisting of some Fortune 500 organizations. (Report)
- An S3 bucket that contained around 1.5 million files was leaked due to misconfiguration. The leaked files comprised airline employee PII, national ID numbers, and other sensitive data. (Report)
As you can see, Amazon S3 bucket misconfiguration is the common denominator in these cases and many others. Although Amazon made S3 buckets private by default, data exposure is still a threat that should be taken seriously. Tampering or unintended configuration changes can strike a heavy blow to your security posture. The risks include:
- Data loss
- Data exposure
- Compliance violations
- Security breach
- Financial loss
5 Common Amazon S3 Bucket Misconfigurations
1. S3 Buckets with Public Read and Write Access via ACLs
Allowing public read access is a risk that can lead to unauthorized access to your Amazon S3 buckets. Disabling public read access also supports your compliance efforts under many recognized frameworks such as NIST, PCI, GDPR, and MAS. Before IAM and bucket policies existed, ACLs were used to share buckets, which caused many exposures. ACLs are not recommended, but they linger as technical debt. Ideally, access control for your data should be based on policies such as AWS Identity and Access Management (IAM).
2. S3 Buckets Public Access via Policy
While users can change the accessibility and privacy of their S3 buckets in the bucket policy, the recommended best practice is disabling public read access. A publicly accessible S3 bucket is accessible to other AWS users, and consequently so is the data stored in it. This may lead to misuse of your data. In another scenario, users might leave S3 buckets containing sensitive data publicly accessible without even noticing.
You should also implement least privilege access to limit permissions to your resources using tools such as Amazon S3 policy actions and Permissions Boundaries for IAM Entities. Applications that require access to S3 should be assigned IAM roles for applications rather than use credentials.
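The public-access checks from sections 1 and 2, as an added example that is not part of the original article: it flags ACL grants to the two predefined public groups and bucket policy statements that allow every principal without a condition. The sample ACL, policy, bucket name and placeholders are constructed for illustration, shaped like GetBucketAcl and GetBucketPolicy output.

```python
import json

# Predefined S3 groups whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """Return (permission, audience) for every grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        audience = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        if audience:
            hits.append((grant["Permission"], audience))
    return hits

def _is_wildcard(principal):
    if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": ["*", ...]}
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to all principals with no Condition.
    Statements that carry a Condition are not evaluated here; review them by hand."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single statement form
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

# Constructed sample input shaped like GetBucketAcl / GetBucketPolicy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
```

The `DenyPlainHttp` statement in the sample is the kind of rule that enforces encryption in transit; it is a Deny, so the check correctly ignores it.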
3. S3 Buckets without Server-Side Encryption
Amazon S3 buckets should enforce SSE (server-side encryption) to keep sensitive data secure. Once you set up proper access controls, it might seem highly unlikely that someone would get into AWS data centers or drives to access raw data, but it never hurts to be prepared. You can use Amazon S3-managed keys (SSE-S3) for ease of use to make sure you are compliant with many frameworks. It’s free of charge.
You can take it one step further and use AWS KMS keys stored in AWS Key Management Service (AWS KMS), and set a policy on how that KMS key is used that reflects and enforces your internal company policies. However, this might be costly if your bucket has enormous write or read activity. This is one of the make-or-break aspects of major compliance standards, including SOC2, GDPR, HIPAA, PCI, NIST, APRA, and MAS.
4. S3 Bucket Access Logging Disabled
Not checking that S3 bucket access logging is enabled on the CloudTrail S3 bucket is one of the most common misconfigurations in AWS S3. Amazon S3 is integrated with CloudTrail, which records actions taken by a user, role, or an Amazon service in Amazon S3. It also logs a subset of API calls for S3 as events so that you’ll be able to track your event history.
Access logs are essential in all compliance frameworks and standards. In most cases, you should be collecting them and storing them for a period ranging from a month to a year. Moreover, you can get closer to complying with standards like NIST, HIPAA, SOC2, GDPR, CIS, PCI, and MAS by fixing this misconfiguration.
5. S3 Versioning Disabled
- S3 can keep versions for you
- Helpful to revert changes
- Be sure to set up a bucket lifecycle policy to delete old versions; otherwise, all your updates would remain and the bill would be high.
- Not really required for every bucket (image uploads for a social media application, for example), but worth enabling where you store sensitive and critical data.
Use AWS Trusted Advisor to evaluate your Amazon S3 implementation.
As a bonus, you can also consider S3 Object Lock, which prevents deletion, but this is a slightly advanced feature.
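A small audit for misconfigurations 3 to 5, added here as an illustration and not taken from the original article: it checks default encryption, access logging, and versioning, and also flags versioned buckets that have no enabled lifecycle rule expiring old versions. The bucket names and configurations are constructed samples shaped like the GetBucketEncryption, GetBucketLogging, GetBucketVersioning and GetBucketLifecycleConfiguration responses.

```python
def audit_bucket(encryption, logging_cfg, versioning, lifecycle):
    """Findings for misconfigurations 3-5. Each argument is a dict shaped like the
    GetBucketEncryption, GetBucketLogging, GetBucketVersioning or
    GetBucketLifecycleConfiguration response; None means nothing was returned."""
    findings = []
    # 3. Default server-side encryption: at least one rule must name an algorithm.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no-default-encryption")
    # 4. Server access logging: the LoggingEnabled element is absent when it is off.
    if "LoggingEnabled" not in (logging_cfg or {}):
        findings.append("access-logging-disabled")
    # 5. Versioning: Status is missing on buckets that never enabled it.
    status = (versioning or {}).get("Status")
    if status != "Enabled":
        findings.append("versioning-" + (status or "never-enabled").lower())
    else:
        # Versioning without a rule expiring noncurrent versions grows the bill.
        expiring = [r for r in (lifecycle or {}).get("Rules", [])
                    if r.get("Status") == "Enabled" and "NoncurrentVersionExpiration" in r]
        if not expiring:
            findings.append("noncurrent-versions-never-expire")
    return findings

# Constructed sample buckets (names and values are illustrative only).
BUCKETS = {
    "example-hardened": (
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}},
        {"Status": "Enabled"},
        {"Rules": [{"ID": "expire-old", "Status": "Enabled",
                    "NoncurrentVersionExpiration": {"NoncurrentDays": 90}}]},
    ),
    "example-versioned-no-expiry": (
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        {}, {"Status": "Enabled"},
        {"Rules": [{"ID": "old-rule", "Status": "Disabled",
                    "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]},
    ),
    "example-legacy": (None, {}, {"Status": "Suspended"}, None),
}

def audit_all(buckets=BUCKETS):
    return {name: audit_bucket(*cfg) for name, cfg in buckets.items()}

print(audit_all())
```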
Malicious threat actors can easily exploit misconfigurations, unexpected asset changes, creations, and deletions. While this may seem negligible, in the worst-case scenario, unmonitored, leaky S3 buckets expose your data and that of your clients. Data breaches also bring financial losses as well as reputational damage.
AWS provides numerous best practices to ensure proper authentication and access. However, improving cloud security is challenging without knowing all your assets.
Secure Amazon IAM with JumpCloud
JumpCloud SAML SSO gives your users convenient and secure access to AWS with a single set of credentials for a true single sign-on experience and automated user and group management. The JumpCloud AWS IAM Identity Center connector can also automate and centralize user and group management for provisioning, de-provisioning, and updating of AWS users and groups from JumpCloud via the SSO solution.
You can try JumpCloud for free to determine if it’s right for your organization. Our customers tell us that asset management is also important for security and IT operations. JumpCloud is enhancing its platform to unify SaaS, IT security, and asset management.