A Complete List of AWS S3 Misconfigurations

A Complete List of AWS S3 Misconfigurations

Amazon S3 or Amazon Simple Storage Service is an AWS service where data and objects are stored. It is the most popular public cloud service that offers data availability, security, and performance. Both small and large businesses use this service. Unfortunately, AWS S3 bucket misconfigurations are one of the most common causes of data breaches for organizations. As simple as it is to create S3 buckets, the easier it is to make mistakes that can lead to security threats and end up exposing all your data to the internet.

Here is the complete list of AWS S3 misconfigurations for you to avoid and how you can correct them.

List of AWS S3 Misconfigurations

Access Logging Disabled

Not ensuring S3 bucket access logging is enabled on the CloudTrail S3 bucket or not will be the most common misconfiguration in AWS S3. Correcting this misconfiguration will help you comply with compliance standards like CIS, SOC2, PCI, HIPAA, APRA, MAS, GDPR, and NIST.

S3 Buckets Allowing Public Access

The second misconfiguration to avoid is making the S3 bucket publicly accessible. Having an S3 bucket publicly accessible is a significant security lapse. Furthermore, getting rid of this misconfiguration will make you CIS, SOC2, and GDPR compliant.

S3 Bucket Default Encryption

Your S3 buckets should have default encryption (SSE) enabled, or use a bucket policy to enforce it as it can improve your security standards. If default encryption is not enabled, it can cause serious security lapses, including SLA breaches. Having default encryption enabled also helps you satisfy the PCI, HIPAA, GDPR, MAS, NIST, and APRA compliances.

S3 Bucket Versioning Disabled

A very common misconfiguration is not enabling object versioning. Your AWS S3 buckets should have the versioning flag enabled to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention.

S3 Buckets Not Having A Secure Transport Policy

AWS S3 buckets should enforce data encryption over the network (as it travels to and from Amazon S3) using the Secure Sockets Layer (SSL). In other words, your S3 buckets should not allow non-HTTPS connections. Compliance standards that need you to eliminate this misconfiguration are PCI, SOC2, APRA, MAS, HIPAA, and NIST.

S3 Bucket Allowing Public Writes

AWS S3 Misconfigurations can be avoided by checking if S3 buckets have policies that allow public WRITE access. AWS S3 buckets should not be publicly accessible for WRITE actions via S3 access control lists (ACLs) to protect your S3 data from unauthorized users. Allowing public write access on S3 buckets violates PCI, APRA, MAS, and NIST compliance standards.

S3 Bucket Authenticated Users WRITE Access

Allowing WRITE access to AWS authenticated users is a very common misconfiguration. Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.

DNS Compliant S3 Bucket Names

To avoid any misconfiguration and improve operational maturity, ensure that your AWS S3 buckets use DNS-compliant bucket names. S3 buckets should use DNS-compliant bucket names to adhere to AWS best practices and benefit from the new S3 features such as S3 Transfer Acceleration, benefit from operational improvements, and receive support for virtual-host style access buckets.

S3 Buckets MFA Delete Disabled

AWS S3 misconfiguration buckets should use Multi-Factor Authentication (MFA) Delete feature to prevent the deletion of any versioned S3 objects (files). This helps you comply with PCI, GDPR, APRA, MAS, and NIST compliance standards.

S3 Buckets Public Access via Policy

S3 bucket policies should not allow all actions for all principals. AWS S3 buckets should not be publicly accessible via bucket policies to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.

S3 Buckets Not Encrypted with Customer-Provided CMKs

AWS S3 Misconfigurations can be avoided by ensuring that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs. AWS S3 buckets should be configured to use Server-Side Encryption with customer-managed CMKs instead of S3-Managed Keys (SSE-S3) to obtain fine-grained control over the Amazon S3 data-at-rest encryption and decryption process. This helps you comply with GDPR, APRA, and NIST compliances.

S3 Buckets Lifecycle Configuration

Your Amazon S3 buckets should have lifecycle configuration enabled for security and cost optimization purposes.

S3 Buckets with website configuration disabled

S3 buckets with website configuration enabled should be regularly reviewed. By regularly reviewing these S3 buckets, you ensure that only the desired buckets are accessible from the website endpoint.

S3 Object Lock Disabled

AWS S3 buckets should use Object Lock for data protection and/or regulatory compliance and prevent the objects they store from being deleted.

S3 Transfer Acceleration

Not using the transfer acceleration feature is a misconfiguration. S3 buckets should be using the Transfer Acceleration feature to increase the speed (up to 500%) of data transfers in and out of Amazon S3 using the AWS edge network.

S3 Bucket Public FULL CONTROL Access

Ensuring that your AWS S3 buckets are not publicly exposed to the Internet can protect you from security lapses and SLA breaches. IAM policies should not allow broad list actions on S3 buckets.

S3 Bucket Authenticated Users FULL CONTROL Access

IAM policies should not allow broad list actions on S3 buckets. Additionally, ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.

S3 Bucket Public READ Access

Allowing public READ access to AWS S3 buckets is a misconfiguration as it allows unauthorized access. Therefore, ensure your AWS S3 buckets do not allow public READ access. This helps you comply with PCI, GDPR, APRA, MAS, and NIST compliances.

S3 Bucket Authenticated Users READ Access

S3 buckets should not allow READ access to AWS authenticated users through ACLs n order to protect your S3 data against unauthorized access. This helps you comply with APRA, MAS, and NIST compliances.

S3 Bucket Public READ ACP Access

AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.

S3 Bucket Authenticated Users READ ACP Access

AWS S3 buckets should not allow READ_ACP access to AWS authenticated users using ACLs to protect against unauthorized access. This helps you comply with PCI, APRA, MAS, and NIST compliances.

S3 Bucket Public WRITE_ACP Access

Another very common misconfiguration is allowing public WRITE_ACP access. Therefore, AWS S3 buckets should not allow public WRITE_ACP access. Granting public “WRITE_ACP” access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions.

S3 Bucket Authenticated Users WRITE_ACP Access

AWS S3 buckets should not allow WRITE_ACP access to AWS authenticated users using ACLs. Granting authenticated “WRITE_ACP” access to your AWS S3 buckets can allow other AWS accounts or IAM users to edit ACL permissions to view, upload, modify and delete S3 objects within the buckets without restrictions.

Server-Side Encryption

Your AWS S3 buckets should enforce Server-Side Encryption (SSE) to protect sensitive data. This is an important aspect of the following compliance standards – PCI, SOC2, HIPAA, GDPR, APRA, MAS, and NIST.

Conclusion

AWS provides many practices, and to ensure proper access and authentication, they should be implemented. The simpler it is to create S3 buckets, the easier it is to make mistakes that can lead to security threats and expose all your data to the internet. By following these simple steps, you can protect your company from any AWS S3 misconfigurations.

Cloudanix provides you with a recipe for best practices for S3 that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What’s more? You can sign up for a free trial today!

Know more about AWS Misconfigurations

Subscribe to Cloudanix Blog

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe