Amazon Web Services recently introduced a new security enhancement to its cloud storage service: Amazon S3 Block Public Access. Designed to help AWS customers more easily block public access to their storage buckets, it gives AWS administrators powerful new access controls with which they can manage the security of their S3 buckets and objects. In the wake of several AWS data breaches involving S3 bucket security, Amazon hopes that blocking public access will serve as an account-level guard against accidental public exposure.
Here’s what you need to know about the new Amazon S3 Block Public Access feature, along with some best practices for protecting sensitive data that may exist within your S3 buckets.
Amazon S3 Block Public Access enables stronger security by default
Amazon S3 Block Public Access empowers AWS administrators to ensure any newly created buckets are blocked to the public by default, reducing the risk of unintentionally exposing private or sensitive information to the public. With this setting enabled, they can then expose a bucket or object only if they expressly wish to do so. Administrators can now also more easily revoke public access to older buckets at the account level. Prior to this announcement, AWS introduced functionality that made it easier for administrators to see which buckets are marked as publicly accessible so they could adjust access controls as needed.
While Amazon S3 once allowed a bucket owner to make adjustments to a particular bucket’s visibility settings, it is now possible to make those changes at the AWS account level as well. This is an important shift, since buckets and objects tend to quickly proliferate throughout an AWS environment, bringing with them the increased risk of exposure and potential data breaches. This new AWS product enhancement enables stricter access controls by default, which is welcome news for companies seeking greater peace of mind regarding their data security.
Why Amazon S3 access controls matter to your company
Why should businesses care about public access to their S3 buckets and objects?
Each S3 bucket has a unique domain name that points to it in the form of a DNS CNAME derived from the name of the bucket itself in the s3.amazonaws.com domain. When communicating with S3, clients use HTTPS and follow the bucket CNAME to another name where the primary S3 HTTPS endpoints exist. Requests to different buckets are differentiated by the bucket name, which is included in the URI accessed by S3 clients. As such, it is possible to test for the existence of an S3 bucket and to test whether the bucket itself or the items within it might be public. From there, you can begin kicking the tires and test that bucket’s accessibility, potentially searching for juicy data within it.
Because of this inherent vulnerability, and because S3 buckets and objects were not blocked from public view by default until recently, security researchers have discovered full-scale compromises involving S3 buckets and objects. Sensitive information such as proprietary company secrets, source code, configuration files, login credentials, personally identifiable information (PII), credit card data, and Social Security numbers has been compromised, with potentially damaging legal, regulatory, and reputational consequences for the companies involved.
The security challenges related to S3 buckets are not a new topic. Rapid7 wrote about this back in 2013 when these issues first surfaced.
Best practices for protecting your Amazon S3 buckets and objects
Fortunately, AWS customers now have even better tools for protecting their S3 buckets and objects.
Amazon highly recommends that you use Amazon S3 Block Public Access as the default setting for any new buckets and objects you may create. This way, your company can benefit from the enhanced security this feature offers by default going forward. Then, you’ll want to turn your attention to the buckets and objects that you have already created, enabling the appropriate access controls on each of them as well—particularly on any S3 bucket that has been designated for internal use only, since there is no need for it to be accessible to the outside world.
Another option for discovering whether any of your buckets have been unintentionally left public is to search for them using public tools such as Gray Hat Warfare and Buck Hacker. As of this writing, these tools are identifying in excess of 49,000 buckets that have been publicly exposed. These tools utilize data made available from Rapid7 Labs’ Project Sonar to identify possible bucket names to test for public exposure. During an analysis of the most recent Sonar FDNS data, we identified over 130,000 DNS CNAMEs pointing into the s3.amazonaws.com domain, implying that there are at least that many possible S3 buckets to test. The actual number of S3 buckets is likely to be much higher.
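The same DNS relationship described above can be used defensively: by scanning forward-DNS data for your own domains, you can list which of your hostnames front an S3 bucket and then check each bucket’s access settings. The following is an added example, not Rapid7’s tooling; the records are constructed, and the JSON-lines shape with name/type/value fields is assumed for Sonar FDNS data.

```python
"""Inventory which of an organization's hostnames CNAME to S3 buckets (added example;
not Rapid7's tooling). Input records are constructed, in the JSON-lines shape with
"name", "type" and "value" fields that is assumed here for Sonar FDNS data."""
import json
import re

# Hostname forms S3 uses for virtual-hosted buckets: <bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com, <bucket>.s3-<region>.amazonaws.com and the
# s3-website variants. A bare s3.amazonaws.com (path-style endpoint) names no bucket.
S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]*)\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$")

def bucket_from_host(host):
    """Return the bucket name embedded in an S3 hostname, or None if there is none."""
    m = S3_HOST.match(host.lower().rstrip("."))
    return m.group("bucket") if m else None

def s3_cnames(records, owned_suffixes):
    """Yield (hostname, bucket) for CNAME records under the given owned domains."""
    for line in records:
        rec = json.loads(line)
        if rec.get("type") != "cname":
            continue
        name = rec["name"].lower()
        if not any(name == s or name.endswith("." + s) for s in owned_suffixes):
            continue
        bucket = bucket_from_host(rec["value"])
        if bucket:
            yield name, bucket

# Constructed sample records (not real Sonar data).
SAMPLE = [
    '{"name":"assets.example.org","type":"cname","value":"example-assets.s3.amazonaws.com"}',
    '{"name":"www.example.org","type":"cname","value":"www.example.org.s3-website-us-east-1.amazonaws.com"}',
    '{"name":"files.example.org","type":"cname","value":"example-files.s3.eu-west-1.amazonaws.com"}',
    '{"name":"mail.example.org","type":"a","value":"192.0.2.10"}',
    '{"name":"cdn.other.test","type":"cname","value":"other-cdn.s3.amazonaws.com"}',
    '{"name":"api.example.org","type":"cname","value":"api-lb.example.org"}',
]

def inventory(records=SAMPLE, owned_suffixes=("example.org",)):
    """Map hostname -> bucket for every owned name that fronts an S3 bucket."""
    return dict(s3_cnames(records, owned_suffixes))

if __name__ == "__main__":
    for host, bucket in inventory().items():
        print(f"{host} -> bucket {bucket}")  # feed each bucket into a Block Public Access review
```

Each bucket name this produces is a candidate for the Block Public Access review described in the next section; names under other people’s domains are ignored.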
If you find that a bucket of yours has been accidentally exposed, you can then go back into your S3 Administrator dashboard and set it to “Not public.”
Of course, some organizations may have large quantities of objects and buckets to review, in which case this process could quickly become burdensome and time-intensive. Some automation tools may also flip the access control settings of your buckets and objects without your knowledge, making it more difficult still to efficiently determine whether any data may be exposed even after you’ve diligently sought to secure all of your assets. To address these challenges, you may be able to take advantage of automation tools such as Amazon Zelkova or Amazon Macie (which uses Zelkova) to discover, classify, and protect sensitive data on an ongoing basis.
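Block Public Access is a set of four flags that can be set at the account level and per bucket, and S3 enforces the most restrictive combination of the two. The following added example (not AWS’s or Rapid7’s code, with all configuration values constructed) merges the two levels the way S3 does and reports which protections each bucket is still missing; the flag names are the real fields of a PublicAccessBlockConfiguration as returned by boto3’s s3control.get_public_access_block and s3.get_public_access_block.

```python
"""Audit S3 Block Public Access settings (added example, not Rapid7's or AWS's code).

The four flags below are the real fields of an S3 PublicAccessBlockConfiguration,
as returned by boto3's s3control.get_public_access_block (account level) and
s3.get_public_access_block (bucket level). S3 applies the most restrictive
combination of the account-level and bucket-level settings, so a flag is in
force if either level sets it. All configuration values here are constructed.
"""
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_block(account_cfg, bucket_cfg):
    """Merge account- and bucket-level settings: True at either level wins."""
    merged = {}
    for flag in FLAGS:
        merged[flag] = bool(account_cfg.get(flag, False)) or bool(bucket_cfg.get(flag, False))
    return merged

def missing_protections(account_cfg, bucket_cfg):
    """Return the flags still off after merging (an empty list means fully blocked)."""
    eff = effective_block(account_cfg, bucket_cfg)
    return [flag for flag in FLAGS if not eff[flag]]

def audit(account_cfg, buckets):
    """buckets: {name: bucket_cfg or None}. None means no bucket-level block exists
    (the NoSuchPublicAccessBlockConfiguration case), so only account settings apply."""
    report = {}
    for name, cfg in buckets.items():
        report[name] = missing_protections(account_cfg, cfg or {})
    return report

# Constructed sample: the account blocks ACL-based exposure but not policy-based exposure.
ACCOUNT_CFG = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BUCKETS = {
    "internal-only-backups": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "legacy-marketing-assets": None,
    "analytics-exports": {"BlockPublicAcls": False, "BlockPublicPolicy": False},
}

if __name__ == "__main__":
    for bucket, gaps in audit(ACCOUNT_CFG, BUCKETS).items():
        status = "fully blocked" if not gaps else "still exposable via: " + ", ".join(gaps)
        print(f"{bucket}: {status}")
```

Any bucket that reports missing flags is one that a bucket policy or ACL could still make public, which is exactly what the account-level default is meant to prevent once all four flags are on.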
Ensure proper S3 security and enjoy greater peace of mind
Ensuring proper S3 security hasn’t been the most intuitive task until recently. But thanks to the new Amazon S3 Block Public Access enhancements, it is now far easier to make sure that your private data remains shielded from public view, ensuring that it does not end up accidentally exposed. With buckets and objects now protected by default, you can enjoy greater peace of mind regarding your data security. Then, you can return your attention to what matters most: moving your business forward.