Avoid the Headlines with AWS S3 Bucket Fitness Reports

Neighborhood crime is great for sales of home security systems. You feel sorry for the sucker down the street who had his new 96″ plasma screen ripped off, but you’re not about to let some filthy thief near your sweet Pinarello touring bike. So, naturally, you take precautions to prevent an attack on your own property. You get the cameras, the sensors, the signage, and if a thief comes snooping around, he’ll likely decide your house is too much effort.

Why don’t cloud users operate the same way? AWS customers keep having their S3 buckets hacked, but the number of instances only seems to increase. In 2017 alone there have been more than a dozen significant attacks or discovered vulnerabilities on the AWS storage repositories of major global brands. Just Equifax alone stands to lose billions in market cap, fines, and lawsuits all because of a misconfigured S3 bucket. But it’s strangely alarming that in the midst of these cautionary tales, organizations aren’t doing more to prevent it within their own walls. Organizations keep making headlines and getting black eyes for not configuring their buckets correctly; it’s usually considered a job that takes about five minutes to set up, but when ignored or done improperly can lead to disaster and create weeks worth of work for you and the rest of your organization.

In fairness to IT admins, setting up a server, a database, an S3 bucket, or any resource within your cloud is not a one-and-done proposition. Cloud environments are dynamic and as different resources are introduced, user rights are created/revoked, and other elements change, all these resources in your cloud infrastructure are subject to drift away from the best practices and original settings. Just as any IT architecture needs some level of constant oversight, AWS storage buckets require that their configuration and access rights are properly managed to ensure they are secure.

The Evident Security Platform (ESP®) operates according to a continuous framework. It is always monitoring the different elements of your cloud security posture and then automatically delivering alerts so you can implement rapid remediation to fix potential vulnerabilities. The idea is to provide deep and broad awareness of risks across the entirety of your cloud environments. To help AWS users ensure they are giving the right level of attention to the specific issues related to S3 bucket security, we offer a feature in ESP called AWS S3 Bucket Fitness Report, which provides a continuous view of the state of your S3 bucket security.

The AWS S3 Bucket Fitness Reports provide reporting and automated detection of some common issues we find with the management of S3 buckets. While we can’t know for sure if any of these was responsible for the Equifax,, or any other breach, it’s likely that poor application (or lack of application) of best practices contributed to these issues. Some of these include:

Be smart about bucket access
AWS is flexible in managing Access Control Lists (ACLs), and they make them very easy to set up. That’s a benefit and a potential problem. Far too often, ACLs are set to provide access to “All AWS Users”, and this is a huge mistake. With global ACL permissions on, access will likely be granted to some who shouldn’t be anywhere near your stored content. It’s a way “in”, and for the wrong person, could provide a treasure map for valuable, sensitive data. ESP will provide awareness of what those permissions are set to and when they change from your preferred defaults.

Secure your bucket objects
Here again, one of the benefits of AWS is its flexibility. Among its configurations is the ability to easily allow global access to the objects in your S3 buckets with GET permissions. The problem with that is, with Global GET enabled, even unauthenticated users can retrieve the data from a S3 bucket if they can guess your namespace. That’s a problem waiting to happen, but ESP alerts to changes in GET permissions.

Don’t let your data evaporate
If your cloud environment has been compromised AND you have Global DELETE permissions enabled, it’s easy for a hacker to completely wipe out all your data. To prevent that, you must take steps to ensure that only authorized users have permission to delete your buckets to prevent malicious or accidental deletions. Demanding that users access with Multi Factor Authentication (MFA) in order to delete a bucket is an additional layer of protection.

A great first step is to try ESP for two weeks. Doing that will obviously give you experience with the product, but I hope you’ll also be able to see what is required to take the necessary steps to be both aware and secure when it comes to your S3 buckets.