Amazon Web Services (AWS) has made its Permissions Check feature freely available to help customers prevent an S3 bucket breach.
On 20 February, Amazon made the announcement in a news update:
AWS Trusted Advisor now helps all customers better secure their data by providing the S3 Bucket Permissions check for free! Previously available only to Business and Enterprise support customers, this check identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user.
Permissions Check examines ACLs and policies (not ACL objects) to determine if an S3 bucket provides public read or write access. It then labels the permissions of each bucket as Public, Not public* (ACL objects could be publicly accessible), Access denied, Error, or Undetermined. Customers can also gain more specific insight in the Search for buckets drop-down list by choosing Buckets with public read access, Buckets with public write access, and Buckets with any type of public access (read or write).
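To make the distinction concrete, the following is an added example (not AWS code and not the Trusted Advisor implementation) that applies the same two inputs the check describes, the bucket ACL grants and the bucket policy, to decide whether a bucket grants public read or write access. The ACL grants, policy documents and bucket name below are constructed samples; the grantee URIs and S3 action names are the real AWS identifiers. Like Trusted Advisor's own footnote, the result "Not public*" only means the bucket-level settings are closed: object ACLs are not examined here either.

```python
"""Classify an S3 bucket's public exposure from its ACL grants and bucket policy.

Added example, not AWS code. Input shapes follow the JSON returned by the
S3 GetBucketAcl and GetBucketPolicy APIs; the sample data is constructed.
"""
import fnmatch
import json
from typing import Any, Dict, List, Optional

# Predefined group URIs AWS uses for "everyone" and "any AWS account holder".
# Trusted Advisor treats grants to either as public; so does this check.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ_PERMS = {"READ", "FULL_CONTROL"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Policy actions that let an anonymous principal read or alter bucket contents.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketAcl", "s3:PutBucketPolicy")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """'*' or {'AWS': '*'} means any principal, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_any(patterns: Any, actions: tuple) -> bool:
    """Does any action pattern (e.g. 's3:Get*', 's3:*', '*') cover one of `actions`?"""
    for pattern in _as_list(patterns):
        for action in actions:
            # IAM action matching is case-insensitive with '*' and '?' wildcards.
            if fnmatch.fnmatchcase(action.lower(), str(pattern).lower()):
                return True
    return False


def public_access_from_acl(grants: List[Dict[str, Any]]) -> Dict[str, bool]:
    """Public read/write implied by the bucket ACL (object ACLs are not inspected)."""
    read = write = False
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perm = grant.get("Permission")
            read |= perm in ACL_READ_PERMS
            write |= perm in ACL_WRITE_PERMS
    return {"read": read, "write": write}


def public_access_from_policy(policy: Optional[Dict[str, Any]]) -> Dict[str, bool]:
    """Public read/write implied by Allow statements with a wildcard principal."""
    read = write = False
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A wildcard principal narrowed by a Condition (source IP, VPC endpoint, ...)
            # is not necessarily reachable from the internet; this simple check does
            # not flag it, so review such statements by hand.
            continue
        read |= _grants_any(stmt.get("Action"), READ_ACTIONS)
        write |= _grants_any(stmt.get("Action"), WRITE_ACTIONS)
    return {"read": read, "write": write}


def classify_bucket(grants: List[Dict[str, Any]], policy: Optional[Dict[str, Any]]) -> str:
    """Combine ACL and policy findings into a Trusted-Advisor-style label."""
    acl, pol = public_access_from_acl(grants), public_access_from_policy(policy)
    read, write = acl["read"] or pol["read"], acl["write"] or pol["write"]
    if read and write:
        return "Public (read/write)"
    if write:
        return "Public (write)"
    if read:
        return "Public (read)"
    # Bucket-level settings are closed, but individual object ACLs were not examined.
    return "Not public*"


# Constructed sample inputs (not real buckets or account IDs).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
               "Permission": "FULL_CONTROL"}
ACL_PUBLIC_READ = [OWNER_GRANT, {"Grantee": {"Type": "Group",
                   "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
POLICY_PUBLIC_WRITE = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:Put*"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
POLICY_VPC_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}""")

if __name__ == "__main__":
    print(classify_bucket(ACL_PUBLIC_READ, None))                 # Public (read)
    print(classify_bucket([OWNER_GRANT], POLICY_PUBLIC_WRITE))    # Public (write)
    print(classify_bucket(ACL_PUBLIC_READ, POLICY_PUBLIC_WRITE))  # Public (read/write)
    print(classify_bucket([OWNER_GRANT], POLICY_VPC_ONLY))        # Not public*
```

In a real account the `grants` list comes from `GetBucketAcl` and `policy` from `GetBucketPolicy`; the classification logic is the same. The deliberate gap matches the one the page calls out: a bucket labelled "Not public*" can still serve individual objects whose own ACL grants AllUsers read.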
The AWS announcement goes on to note that Business and Enterprise support customers can additionally integrate Permissions Check with CloudWatch Events to trigger automated actions when a bucket is flagged.
To learn more about AWS Trusted Advisor’s Permissions Check feature, click here.
List buckets view with Public button highlighted at the top. (Source: AWS Documentation)
AWS’s decision to make the Trusted Advisor Permissions Check feature free follows on the heels of several high-profile S3 bucket breaches in 2017, including incidents at Booz Allen Hamilton, the Pentagon, and Verizon. In the wake of those events, security researchers have taken it upon themselves to leave “friendly warnings” in AWS S3 buckets with exposed data or incorrect permissions. But that is no substitute for working to prevent another AWS S3 storage breach.
Here are some recommendations on how you can keep your AWS S3 bucket data private.