[BreachExchange] New security feature to prevent Amazon S3 bucket misconfiguration and data leaks

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 09:59:18 EST 2018


https://www.helpnetsecurity.com/2018/11/19/prevent-amazon-s3-bucket-misconfiguration/

Hardly a week goes by that we don’t hear about an organization leaving
sensitive data exposed on the Internet because they failed to properly
configure their Amazon S3 buckets
<https://www.helpnetsecurity.com/?s=AWS+bucket+exposed>.

Amazon Web Services, to their credit, are trying to prevent this from
happening.

For one, all newly created S3 buckets and objects (files and directories in
the bucket) are by default private, i.e. not publicly accessible by random
people via the Internet. Secondly, changes implemented earlier this year
made it possible for customers to easily identify S3 buckets that are
publicly accessible
<https://www.helpnetsecurity.com/2018/02/21/aws-s3-bucket-permissions-check/>
due to Access Control Lists (ACLs) or policies that allow read/write access
for any user:

[image: prevent Amazon S3 bucket misconfiguration]
<https://www.helpnetsecurity.com/images/posts2018/aws-s3-buckets-public.jpg>

But even that’s not enough, so the company is rolling out a new security
feature: Amazon S3 Block Public Access.

About Amazon S3 Block Public Access

This new feature allows account owners/administrators to centrally block
existing public access (whether made possible via an ACL or a policy) and
to make sure that newly created items aren’t inadvertently granted public
access.

The feature allows four new options:

[image: prevent Amazon S3 bucket misconfiguration]
<https://www.helpnetsecurity.com/images/posts2018/Block%20Public%20Access%20settings.jpg>

They allow account users to:

- protect against future attempts to use ACLs to make buckets or objects
  public;
- override current or future public access settings for current and future
  objects in the bucket;
- disallow the use of new public bucket policies; and
- limit access to publicly accessible buckets to the bucket owner and to AWS
  services.

The options can be configured to affect the entire account or selected
buckets. Options set at the bucket level cannot override account-level
settings.
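The account-level/bucket-level precedence rule above, as an added example that is not part of the article or of AWS's own tooling: each of the four settings is enforced if it is on at either level, so a bucket can add protection but never remove what the account has set. The dict shape mirrors the `PublicAccessBlockConfiguration` object that the S3 and S3 Control GetPublicAccessBlock APIs return; the account and bucket data are constructed, and a `None` entry stands in for a bucket that was never configured.

```python
"""Evaluate the effective S3 Block Public Access settings for a set of buckets.

Added example (not from the article). Sample data is constructed."""

SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_block(account_cfg, bucket_cfg):
    """Per setting: enforced if enabled at the account level OR the bucket level.

    `None` models a level with no PublicAccessBlock configuration at all
    (the API reports NoSuchPublicAccessBlockConfiguration), i.e. all False.
    """
    account = account_cfg or {}
    bucket = bucket_cfg or {}
    return {s: bool(account.get(s, False) or bucket.get(s, False)) for s in SETTINGS}


def missing_protections(account_cfg, bucket_cfg):
    """Names of the settings that are still NOT enforced for this bucket."""
    effective = effective_block(account_cfg, bucket_cfg)
    return [s for s in SETTINGS if not effective[s]]


def audit(account_cfg, buckets):
    """Map bucket name -> unenforced settings (empty list = fully blocked)."""
    return {name: missing_protections(account_cfg, cfg) for name, cfg in buckets.items()}


# Constructed sample: the account blocks ACL-based exposure only.
ACCOUNT_CFG = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

BUCKETS = {
    # Bucket enables everything itself: fully protected.
    "data-lake-raw": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    # Never configured: inherits only what the account enforces.
    "legacy-uploads": None,
    # Bucket explicitly sets everything False, but cannot override the account.
    "marketing-site": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}

if __name__ == "__main__":
    for name, gaps in audit(ACCOUNT_CFG, BUCKETS).items():
        print(f"{name}: {'fully blocked' if not gaps else 'gaps: ' + ', '.join(gaps)}")
```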

“If an AWS account is used to host a data lake or another business
application, blocking public access will serve as an account-level guard
against accidental public exposure,” AWS Chief Evangelist Jeff Barr explained
<https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/>.

The feature can be accessed from the S3 Console, the command-line
interface, the S3 APIs, and from within CloudFormation templates.