Amazon Web Services (AWS) has announced that all customers can now check for free whether their S3 buckets are leaking stored data.
“Previously available only to Business and Enterprise support customers, [the S3 bucket permissions check] identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user,” the cloud computing giant noted.
The check is available through AWS Trusted Advisor, an online tool that helps users inspect their AWS environment and improve system performance and reliability, optimize costs, and close security gaps.
About the S3 bucket permissions check
The S3 bucket permissions check is one of the seven core security checks available to all customers for free. It checks bucket policies and bucket access control lists (ACLs) to identify publicly accessible buckets.
“There are two ways that S3 buckets can be made publicly accessible: through bucket policies and ACLs,” the company explains.
“Bucket permissions check does not check object ACLs, which can allow everyone in the world or any authenticated AWS user to access the object and its permissions. An object can also be publicly accessible through the object’s ACLs. When an object is publicly accessible through the READ ACL, it allows access to the contents of the object. With READ_ACP and WRITE_ACP ACLs, grantees can also read and modify the object ACLs respectively.
“Bucket permissions check makes it easier to identify S3 buckets that provide public read and write access. You can also view whether the source for the public access is a bucket policy, a bucket ACL, or both. If you change a bucket policy or a bucket ACL, the Amazon S3 console analyzes them in real time and alerts you if those changes enable public read and write access on the bucket.”
The check labels each listed bucket as:
- Public – Publicly accessible by either everyone in the world or by any authenticated AWS user.
- Not public – The bucket is not publicly accessible but objects in it might be due to object ACLs.
- Access denied – The customer is locked out of the bucket.
- Error – A service-related error occurred.
- Undetermined – Amazon S3 can’t determine whether the bucket is publicly accessible.
The list can be sorted so the customer can easily see more specific access information, i.e., which buckets grant public Read and/or Write access, and the “source” of that access (an ACL, a bucket policy, or both).
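To make the two sources of public access concrete, here is an added example (not AWS's code and not the logic Trusted Advisor actually runs) that classifies a bucket from its bucket policy and bucket ACL the way the check's labels describe: Public when either source grants read or write to everyone or to any authenticated AWS user, Undetermined when the only public grant carries a Condition that cannot be evaluated offline, and Not public otherwise. The policy and ACL documents are constructed samples in the shape that boto3's `get_bucket_policy()` and `get_bucket_acl()` return; the split of S3 actions into "read" and "write" is this example's own simplification.

```python
"""Offline classifier for S3 public access from a bucket policy and a bucket ACL.
Added example, not AWS's own implementation. Sample documents are constructed."""
import fnmatch
import json

# Real S3 ACL group URIs: "everyone in the world" and "any authenticated AWS user".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Assumption of this example: which actions count as public read / public write.
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketAcl", "s3:PutBucketPolicy"]


def _as_list(value):
    """Policy fields such as Action and Statement may be a string/dict or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _matches(patterns, action):
    # IAM action names are case-insensitive and may contain '*' wildcards (s3:Get*).
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def analyze_policy(policy_json):
    """Return (read, write, undetermined) derived from a bucket policy JSON string."""
    read = write = undetermined = False
    if not policy_json:
        return read, write, undetermined
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            # A condition (source VPC, IP range, ...) may narrow the grant; cannot decide here.
            undetermined = True
            continue
        actions = _as_list(stmt.get("Action", []))
        read |= any(_matches(actions, a) for a in READ_ACTIONS)
        write |= any(_matches(actions, a) for a in WRITE_ACTIONS)
    return read, write, undetermined


def analyze_acl(acl):
    """Return (read, write) from an ACL dict. Works for bucket ACLs and object ACLs
    alike, so it can also expose the object-level case the bucket check skips.
    Assumption: WRITE_ACP counts as write, since the grantee can rewrite the ACL."""
    read = write = False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        read |= perm in ("READ", "FULL_CONTROL")
        write |= perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL")
    return read, write


def classify_bucket(policy_json, acl):
    """Label a bucket Public / Not public / Undetermined and name the source(s)."""
    p_read, p_write, undetermined = analyze_policy(policy_json)
    a_read, a_write = analyze_acl(acl)
    sources = []
    if p_read or p_write:
        sources.append("bucket policy")
    if a_read or a_write:
        sources.append("bucket ACL")
    label = "Public" if sources else ("Undetermined" if undetermined else "Not public")
    return {"label": label, "read": p_read or a_read,
            "write": p_write or a_write, "sources": sources}


# Constructed samples (hypothetical bucket name), not real customer data.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_CONDITIONAL_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-00000000"}}}]})
SAMPLE_BUCKET_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]}
SAMPLE_OBJECT_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print(classify_bucket(SAMPLE_POLICY, SAMPLE_BUCKET_ACL))
    print(classify_bucket(SAMPLE_CONDITIONAL_POLICY, {"Grants": []}))
    print("object ACL (read, write):", analyze_acl(SAMPLE_OBJECT_ACL))
```

Run against the samples, the first bucket is labelled Public with both sources listed (read from the policy, write from the ACL); the second is Undetermined because its only public statement is conditional; and `analyze_acl` on the object ACL shows how an object can be readable by any authenticated AWS user even when the bucket itself is reported as Not public, which is exactly the gap the check's description calls out.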
Cloud storage instances that can be accessed by anyone who stumbles upon them are a big problem: hardly a day goes by without news about some company or other inadvertently leaving sensitive data accessible to unauthorized users.
As flagged by the BBC, some security researchers have begun leaving “friendly warnings” to AWS S3 users whose private content has been made public.
But not all users will be lucky enough to get a warning and act on it. Malicious actors looking for unsecured data storage and information that can be of use to them will go in and out without the user noticing anything. So it’s definitely welcome news that Amazon is finally offering this check to all users.