
How To Eliminate Leaky S3 Buckets Without Writing A Line Of Code

Jul 13, 2020

By AJ Yawn, CISSP

FedEx. Booz Allen Hamilton. Republican National Committee. Dow Jones & Co. Verizon Wireless. Time Warner Cable. WalMart.

These eight organizations all have one thing in common: leaky S3 buckets that were misconfigured and exposed sensitive customer data. Amazon S3 (Simple Storage Service) bucket misconfigurations and breaches continue to show up in cybersecurity publications, a disappointing fact considering how newsworthy these breaches have been.

Amazon S3 is an object storage service on Amazon Web Services (AWS) that provides customers with infinitely scalable and durable storage for websites, mobile applications, backup and restore, and many other use cases. It is one of the original AWS services and is often the first entry point for organizations migrating to the cloud.

Why do misconfigurations of S3 buckets keep happening?

I ask myself the same question.

Once again, “user error” is being trotted out as the reason organizations are breached through misconfigured settings on an S3 bucket. I agree that the user plays a significant, leading role in these misconfigurations.

I mean, AWS asks you to type in “confirm” before making a bucket public.

[Screenshot: S3 bucket settings]

So, yes, a user is to blame here. However, one of the most important roles of a security practitioner is to implement systems and tools that protect the organization’s systems and data from human mistakes.

Mistakes happen, and another round of security awareness training will not guarantee that the next administrator won’t make one. There are many ways to automate the security of sensitive S3 buckets, whether through a Cloud Access Security Broker (CASB), a cloud security SaaS solution, or native AWS services. How an organization automates the security of its S3 buckets is not important; the end state of secure S3 buckets, and fewer news articles about yet another S3 bucket breach, is all that matters.

Small businesses and startups often look to native services from their cloud service provider to solve complex security issues. These services are often easier to configure and cheaper than third-party solutions. With this in mind, I spent 20 minutes in this (ISC)² Miami Chapter Cybersecurity Lightning Lab to demonstrate how administrators can use native AWS services to automate the security of S3 buckets.

Specifically, we will walk through how to ensure that your S3 buckets remain private with default encryption enabled. A public bucket means anyone can access that bucket. Anyone means anyone! Any AWS user can access the bucket from the internet, and this misconfiguration is the reason many of the organizations listed above ended up in the news. This video will show you how easy it is to misconfigure S3 buckets, and also how to remediate them.

S3 bucket security misconfigurations should be eliminated through automated detection and remediation tools. As cybersecurity professionals, now more than ever, we are expected to defend systems and data with smaller budgets and fewer resources. Automating the detection, response, recovery, and communication of potential security misconfigurations lets your security team spend its limited time on the security activities that matter.
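As an added example that is not part of the original post, the following Python audits the two settings this post targets, private buckets and default encryption, and builds the remediation calls an automated workflow would apply. The bucket names and their configurations are constructed inputs shaped like boto3's get_public_access_block and get_bucket_encryption responses; no AWS account is contacted.

```python
# Added example (not from the post): audit S3 buckets for public access and missing
# default encryption and build the remediating calls. Inputs are dicts shaped like boto3
# get_public_access_block / get_bucket_encryption responses; samples are constructed.

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
SECURE_PAB = {key: True for key in PAB_KEYS}  # all four public-access guards on
DEFAULT_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                          {"SSEAlgorithm": "AES256"}}]}  # SSE-S3 default encryption

def audit_bucket(name, public_access_block, encryption):
    """Return findings for one bucket (empty list = compliant). Pass None for a
    missing PublicAccessBlock (NoSuchPublicAccessBlockConfiguration) or missing
    default encryption (ServerSideEncryptionConfigurationNotFoundError)."""
    findings = []
    pab = public_access_block or {}
    off = [k for k in PAB_KEYS if not pab.get(k, False)]
    if off:  # any guard left off leaves a path to a public ACL or bucket policy
        findings.append(f"{name}: public access not fully blocked ({', '.join(off)} off)")
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in (encryption or {}).get("Rules", [])}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append(f"{name}: default encryption not enabled")
    return findings

def remediation_calls(name, findings):
    """Map findings to the boto3 S3 client calls (method name -> kwargs) that fix them."""
    calls = {}
    if any("public access" in f for f in findings):
        calls["put_public_access_block"] = {
            "Bucket": name, "PublicAccessBlockConfiguration": dict(SECURE_PAB)}
    if any("encryption" in f for f in findings):
        calls["put_bucket_encryption"] = {
            "Bucket": name, "ServerSideEncryptionConfiguration": DEFAULT_SSE}
    return calls

# Constructed inventory standing in for list_buckets plus the per-bucket lookups.
SAMPLE_BUCKETS = {
    "example-leaky-bucket": {  # guards partly off, no default encryption
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "encryption": None},
    "example-hardened-bucket": {
        "public_access_block": dict(SECURE_PAB), "encryption": DEFAULT_SSE},
}

def audit_all(buckets=SAMPLE_BUCKETS):
    return {n: audit_bucket(n, c["public_access_block"], c["encryption"])
            for n, c in buckets.items()}
```

In a real deployment the same audit logic runs on a schedule or on configuration-change events, and the returned call map is what the remediation step executes against the S3 client.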