Getting the Amazon S3 Misconfiguration Right
Amazon’s much-touted web service, AWS Simple Storage Service (S3), is popular among companies and enterprises that don’t want to build their own storage repository. S3 lets organizations store objects and files on a virtual server instead of on physical racks; it is roughly Google Drive for big organizations. The setup is simple: all a user has to do is create a bucket and begin storing source code, certificates, passwords, content, databases and much more in it.
While AWS promises safely stored data and secure uploads and downloads, the security community has long pointed out severe misconfigurations. If your bucket is misconfigured, attackers could get full access to it, allowing them to download, upload and overwrite files.
The S3 bucket name is not a secret, and there are several ways to uncover it. Once the name is known, an attacker can take advantage of multiple misconfigurations to read or modify information, which leads to three different scenarios. Through the AWS Command Line Interface, the attacker can talk to Amazon’s API and list and read files in the S3 bucket, write or upload files to the S3 bucket, or change the access rights on all the objects and control the content of the files.
What’s crucial here is that all of this can be done without alerting the company hosting the S3 bucket. Interestingly, Amazon is well aware of the security loophole, but is unlikely to fix it, as the problem stems from the user’s misconfiguration.
How to fix it?
By default, all Amazon S3 resources are private, which means only the resource owner can access and modify them. The resource owner is the AWS account that created the resource. Be careful when granting other users permission to access or modify files: some users may need only read permission, whereas others may need both read and write permissions. When defining your bucket policies, keep your users’ actual needs in mind. In addition, you can use tools available on the market to scan your S3 buckets and fix any misconfiguration that may be present.
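As an added example (not code from the original article), the following Python check flags bucket-policy statements that grant access to everyone, and runs it over two constructed policies: an open one of the kind the article warns about, beside the corrected, least-privilege version. The bucket name, account id and role name are placeholders.

```python
import json

# Constructed sample: a bucket policy that grants anonymous list/read access.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the corrected policy, read-only for one IAM role in the
# owning account (placeholder account id and role name).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyForReportingRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportingRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Actions that let a caller change objects or the policy itself, not just read.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:*"}


def _is_public(principal):
    """True when the Principal is the anonymous wildcard: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_grants(policy_json):
    """Return (Sid, action, severity) for every action an Allow statement grants
    to everyone. Statements carrying a Condition block are still reported, since
    whether the condition actually narrows access needs a human review."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            severity = "write" if action in WRITE_ACTIONS else "read"
            findings.append((stmt.get("Sid", "<no Sid>"), action, severity))
    return findings
```

The policy document string that `aws s3api get-bucket-policy --bucket <name>` returns in its `Policy` field can be passed straight to `find_public_grants`.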