New security feature to prevent Amazon S3 bucket misconfiguration and data leaks

Hardly a week goes by that we don’t hear about an organization leaving sensitive data exposed on the Internet because they failed to properly configure their Amazon S3 buckets.

Amazon Web Services, to their credit, are trying to prevent this from happening.

For one, all newly created S3 buckets and objects (files and directories in the bucket) are by default private, i.e. not publicly accesible by random people via the Internet. Secondly, changes implemented earlier this year made it possible for customers to easily identify S3 buckets that are publicly accessible due to Access Control Lists (ACLs) or policies that allow read/write access for any user:

prevent Amazon S3 bucket misconfiguration

But even that’s not enough, so the company is rolling out a new security feature: Amazon S3 Block Public Access.

About Amazon S3 Block Public Access

This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access.

The feature allows four new options:

prevent Amazon S3 bucket misconfiguration

They allow account users to protect against future attempts to use ACLs to make buckets or objects public, to override current or future public access settings for current and future objects in the bucket, to disallow the use of new public bucket policies, and to limit access to publicly accessible buckets to the bucket owner and to AWS services.

The options can be configured to affect the entire account or selected buckets. Options set at the bucket level cannot override account-level settings.

“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure,” AWS Chief Evangelist Jeff Barr explained.

The feature can be accessed from the S3 Console, the command-line interface, the S3 APIs, and from within CloudFormation templates.

Don't miss