Amazon Simple Storage Service (S3) provides the ability to store, retrieve, access, and backup any amount of data.
S3 storage can be used for a variety of use-cases and applications; from data lakes and big data analytics, to web apps, enterprise applications, and data archiving. S3 is object-based storage, which means that everything is stored as objects within buckets.
Each object has three main components: the object’s content, the object’s unique identifier, and the object’s metadata (including its name, size, and URL). An object cannot be independent; it must exist within a bucket. There can be hundreds of buckets within an Amazon account and hundreds of objects within a bucket.
S3 buckets are designed to store mission-critical sensitive data. However, AWS S3 bucket misconfigurations can put you at risk of a data breach, so applying the recommended security configuration policies is critical.
It’s easy to create S3 buckets, but it’s even easier to make mistakes that can potentially expose your infrastructure to security threats. One such mistake is allowing public READ access to an S3 bucket.
Even though by default an S3 bucket is always created as “private,” misconfigurations and human error can sometimes expose them to the public internet. On AWS, you can use Identity and Access Management (IAM) policies, bucket policies, and access control lists (ACLs) to define access policies for your buckets. Misconfigurations in any of these three policies can lead to an S3 bucket being exposed to the public. Moreover, sometimes, inexperienced engineers/administrators may allow public READ access while integrating with a trusted third party.
An S3 bucket that allows public READ (LIST) access can be exploited by a malicious actor to list the objects within the bucket. They can use this information to identify objects with ACL misconfigurations and then access those objects.
Unauthorized access to said objects can lead to data and/or service loss.
Orca detects and prioritizes common and obscure IAM misconfigurations that put your storage buckets at risk. Orca looks for “S3 Buckets that Allow Public READ Access” and will alert on this type of issue as shown in the screenshot above.
There have been numerous cyberattacks in the recent past, where the root cause was an S3 bucket misconfiguration. Here are a few examples:
Give people the bare minimum level of access privileges that they need to do their job.
Ensure that your S3 buckets are encrypted by default.
From your AWS console, enable the “block public access” option for all the buckets and accounts that you don’t want to publicly expose.
Have a dedicated team monitor and audit your S3 resources for any discrepancies or potential misconfigurations.
MFA (multi-factor authentication) delete requires the user to provide a secondary authentication factor, before deleting an S3 bucket object.
Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP － without the gaps in coverage, alert fatigue, and operational costs of agents.