For Day 11, here was the following prompt:
Privacy settings of S3 buckets - see whether your files are public versus private! If they are public, make sure they are privatized. Can you think of any risks here if your information was public? How do we make your S3 bucket private?
To check whether the files in my S3 bucket are public or private, I navigated to my bucket, opened my bucket and clicked on the name of the file to see its details. The only way I could view my object was selecting “Open” to view my object in another tab.
However, I couldn’t access my object using the Object URL shown below because I disabled public access to my bucket.
When I clicked the Object URL, I am led to this message:
This error confirmed that my file is private!
Amazon provides a number of security features to consider when creating a S3 bucket. As shown in my previous post, some of these security features are provided by default.
Disabling ACLs is a default option that ensures that the bucket owner automatically owns and fully controls all objects in the bucket.
Block all public access is the default option that protects files from being accessible to the public.
Bucket versioning allows multiple versions of a file to be stored in a bucket for recovery purposes.
Object lock protects files from being overwritten or deleted.
According to the AWS documentation, there are several more ways to ensure that an S3 bucket remains private. Here are just some of the best practices for securing an S3 bucket:
Implementing least privilege access
Amazon recommends granting only the permissions that are required for a task. The tools available to implement least privilege access are:
S3 Actions
Bucket Policies and User Policies
ACL (Access Control Lists) overview
Service Control Policies
Use IAM roles for applications and AWS services that require S3 access
- IAM stands for Identity and Access Management and is basically a security system for AWS accounts. An IAM role is an identity that is created in an AWS account with specific permissions. Amazon recommends using IAM roles to manage temporary credentials for applications or services.
S3 Cross-Region Replication
- This feature allows the copying of objects across buckets in different AWS regions.
Enforce encryption of data in transit
- This allows for the use of HTTPS to assist in preventing eavesdropping on or manipulating network traffic.
There are many risks involved by having an S3 bucket exposed for all the world to see. Poorly managed and misconfigured buckets can result in data breaches, uploading of malicious files, removal of files and the integrity of files being compromised. In addition, it can cost a company million of dollars.
Over the past few years, there have been stories of data breaches and malicious attacks due to S3 buckets being poorly managed and not configured properly.
In 2022, McGraw Hill’s mismanaged S3 buckets compromised the data of over 100,000 students.
Earlier the same year, a mismanaged S3 bucket resulted in sensitive airport data being exposed.
Also in the same year, a former AWS engineer was convicted after stealing customer data from an unsecured S3 bucket. This breach affected 30 institutions including Capital One, costing the company over $270 million dollars.
In July 2023, it was reported that cyber criminals used expired S3 buckets to place malware into a package in the npm repository.
As you can see, it is imperative that security be top of mind when creating S3 buckets. There are serious consequences for not securing data properly.
I have to admit I was a bit overwhelmed seeing the all of the precautions Amazon has put in place to protect S3 buckets. I learned a lot about security doing this challenge. I’ll again explore more of S3 in a future challenge.