There have been a number of high-profile customer or corporate data breaches in the last year. Several of them have been attributed to mis-configured AWS S3 buckets, c.f. the FedEx breach, the Verizon breach, or the Experian breach. In this article I’ll show you how to detect public S3 buckets in your AWS account so you can prevent an embarrassing and costly data breach.
S3 is Secure by Default
AWS S3 buckets are not public unless you make them public. If you choose to make your S3 bucket public, Amazon makes this clear when you create your bucket:
If you are browsing your list of S3 buckets, Amazon adds a “public” tag to any publicly available S3 bucket so you can tell at a glance if it’s public.
Trusted Advisor Check
If you have too many buckets to scan in the S3 console, you can use AWS Trusted Advisor to see a security dashboard of public S3 buckets. AWS Trusted Advisor is not as well-known as it should be. It provides many best-practices checks with recommendations on improving security, fault-tolerance, cost optimization, and performance. Although the full list of Trusted Advisor checks is only available if you have premium support, AWS recently made the S3 Public Bucket check free.
Here’s an example of the Trusted Advisor S3 bucket check.
I recommend you run Trusted Advisor in your AWS accounts as soon as possible. You’ll definitely find things to improve upon in your account and you may even find an open S3 bucket that shouldn’t be open. You can even set up a weekly notification email with up-to-date Trusted Advisor recommendations or configure CloudWatch to trigger a Slack notification.
AWS Config Rules for S3 Buckets
AWS Config continuously monitors and records changes to AWS resources, like EC2 instances, S3 buckets, etc. AWS Config evaluates your AWS resources against built-in or custom rules to mark resources as “non-compliant” or automatically remediate mis-configured S3 buckets or other AWS resources.
AWS provides two built-in AWS Config Rules for monitoring and reporting on publicly accessible S3 buckets.
You can set up these rules to automatically notify you if anyone creates a publicly-accessible S3 bucket and mark these buckets as “non-compliant” in the AWS Config dashboard.
Here’s an example of the AWS S3 Config rule dashboard showing a “non-compliant” S3 bucket.
Want to deploy these rules via a CloudFormation template? The AWS Config Developer Guide has a preconfigured CloudFormation template to create the s3-bucket-public-read-prohibited rule for you.
Amazon S3 is an incredibly useful and foundational service in AWS. Although S3 buckets have always been secure by default, in light of recent major data breaches AWS has made it easier to see which S3 buckets have been set to “public” read or write access. In this article, I showed you three ways to check which (if any) of your S3 buckets are public: via the S3 console, a free Trusted Advisor check, and via AWS Config rules.
You can use one or all of these together to ensure you never have an embarassing and costly data breach.
If you have additional questions about S3 (or anything AWS-related), email me at doug@1Strategy.com. I’d be happy to chat with you about how 1Strategy can help your business with your journey into or through the AWS cloud.
Don’t be a Data Leak, by Alex Graves
Building Better IAM Policies, by Jameson Ricks