kevinhakanson.com

Finding Publicly Exposed Amazon S3 Buckets

July 19, 2017 #aws #devops #security #s3

You may have read recent news about millions of Verizon customers having their data exposed (see Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data).

Possibly, people are confused about what the Authenticated Users group means. From Access Control List (ACL) Overview - Amazon Simple Storage Service:

Represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers.
This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).

This doesn’t just mean IAM users in the bucket owner's account, but any authenticated user from any AWS account.

How do we check this on our accounts? There are a couple of options.

Use a Cloud Custodian S3 filter with a policy.yml like:

policies:
- name: s3-global
  resource: s3
  description: Publicly Exposed S3 Buckets
  filters:
    - type: global-grants

Running the custodian tool and using jq to filter the output, I find a bucket (names changed to protect the innocent).

$ custodian run --output-dir=. policy.yml --region=us-west-2

$ jq '.[].Name' s3-global/resources.json
"project1-test-bucket1"

Amazon also has a utility called Trusted Advisor that can report on several items, including Amazon S3 Bucket Permissions. It has a Console UI and is also callable via API or CLI (via describe-trusted-advisor-check-result):

$ aws support describe-trusted-advisor-check-result \
--check-id Pfx0RwqBli \
--query 'result.flaggedResources[*].metadata[2]'
[
    "project1-portal-ui",
    "project1-test-bucket1"
]

However, that list has 2 items vs. the 1 which Cloud Custodian found using its global-grants filter.  It appears that Cloud Custodian is filtering out buckets set up for website hosting (see Hosting a Static Website on Amazon S3), which seems like a valid result.
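The difference between the two lists, as an added example (not from the original post, and not Cloud Custodian's or Trusted Advisor's own code): a Python check over data shaped like the GetBucketAcl response that flags grants to the AllUsers and AuthenticatedUsers groups, with an optional rule that skips public READ on website-hosting buckets. The ACL contents, the project1-private bucket, and the skip_website_read switch are constructed assumptions.

```python
# Added example: flag S3 ACL grants to the global groups (constructed sample data).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

def global_grants(acl):
    """Return sorted (group, permission) pairs an ACL grants to a global group."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = GLOBAL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            found.add((group, grant["Permission"]))
    return sorted(found)

def audit(buckets, skip_website_read=False):
    """Map bucket name -> global grants.

    skip_website_read is a hypothetical switch: READ on a bucket with website
    hosting enabled is treated as intended, which would explain the shorter list.
    """
    report = {}
    for name, info in buckets.items():
        grants = global_grants(info["acl"])
        if skip_website_read and info.get("website"):
            grants = [g for g in grants if g[1] != "READ"]
        if grants:
            report[name] = grants
    return report

def _acl(*group_grants):
    """Build a GetBucketAcl-shaped dict: owner FULL_CONTROL plus group grants."""
    owner = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
             "Permission": "FULL_CONTROL"}
    return {"Grants": [owner] + [
        {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}
        for uri, perm in group_grants]}

# Constructed sample: the real grants on the post's buckets are not shown there.
SAMPLE = {
    "project1-portal-ui": {"website": True, "acl": _acl((ALL_USERS, "READ"))},
    "project1-test-bucket1": {"website": False,
                              "acl": _acl((AUTH_USERS, "READ"), (AUTH_USERS, "WRITE"))},
    "project1-private": {"website": False, "acl": _acl()},
}

if __name__ == "__main__":
    print("all global grants:", audit(SAMPLE))
    print("website READ skipped:", audit(SAMPLE, skip_website_read=True))
```

Against a live account, the same dicts can be filled from boto3's get_bucket_acl and get_bucket_website calls. A website bucket that also grants WRITE to a global group is still reported when the switch is on.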

[Figure: S3 Static website hosting]