One of probably the most commonly referred to services in breaches / data leaks is Amazon AWS’s storage service S3. Why? Because it is easy to misconfigure it. We even mentioned it as one of the most common misconfigurations in a previous blog post here.
AWS S3 Buckets can store all sorts of data, anything really, from binaries to random cat pictures or your employees’ home addresses and other personal information.
Very often those S3 Buckets and the data within should not be publicly available, but at the same time, very often S3 is also used for its simplicity when it comes to sharing files with other people or organisations at which point locking S3 Buckets down can become quite the undertaking, especially for people that are not too familiar with the service. Even those of us that are familiar with it still regularly struggle to get this right and then we often end up with misconfigured / publicly available AWS S3 Buckets.
Finding all the public S3 Buckets could be so simple, but unfortunately it is not super straight forward.
Yes, we can log into an AWS Account and browse to https://s3.console.aws.amazon.com/s3/home and check if some Bucket is stating “Public” under “Access”, and then log into the next AWS Account, and the next, and the next… depending on how many AWS Accounts an organisation manages, by the time one has checked all the Accounts one should start back from the front and check again, because things in the cloud rarely not change.
Alternatively, the following command line can also be used:
aws s3api list-buckets --query 'Buckets[*].Name'
For each Bucket that gets returned the following command needs to be executed:
aws s3api get-bucket-acl --bucket
The output will show the access policy for the Bucket and if it looks anything like this, then it is likely a publicly accessible Bucket:
Problem is, just because the Bucket Policy says that a Bucket can be public that does not mean it is. There are at least two other mechanisms to block public access to AWS S3 Buckets.
The so-called “Block Public Access” settings at the AWS Account level and also at the Bucket level. More information can be found here.
If either of those settings block public access then it does not matter what the S3 Bucket Access Policy thinks it should do, allowing public access will not be one of it.
Instead of doing this manually, why not use a service like ARGOS that does this automatically for you?
Identification and optional remediation of this issue is already covered by ARGOS.
If you have not signed up to ARGOS yet then why not spend a few minutes (seriously, minutes!) and sign up to our free trial and see if you have any publicly available AWS S3 Buckets in your AWS cloud.
Sign up at https://app.argos-security.io