Open in app

Sign in

Write

Sign in

Mis-Configured S3

Gupta Bless
4 min readJun 7, 2020

Amazon S3 Bucket

INDEX

Introduction

Operations on s3

Mis-configured S3 Bucket

Checking Access Control:

Authentication mechanisms:

Introduction:

What is S3 :Amazon Simple Storage Service (Amazon S3) is an object storage service that offers data availability, security, and performance for any size of companies or customers . Upon creation, only the resource owners have access to Amazon S3 resources they create.

· It is used to store and protect data of any amount with a simple web view and variety of use cases such as websites, mobile applications, restore and archive for enterprises application.

Storage classes: For different use cases Amazon have different range of classes.

· S3 STANDARD: For general purpose storage of frequently accessed data.

· S3 STANDARD_IA: For long lived, but less frequently accessed data.

· S3 Glacier: For long-term archive.

Benefits:

· Industry-leading performance, scalability, availability, and durability with simplicity and robustness.

· Wide range of cost effective storage classes.

· Unmatched security, compliance and audit capabilities.

· Easily manage data and access controls.

· Query-in-place services for analytics

· Most supported cloud storage service.

· Amazon S3 charges you only for what you actually use.

· Amazon Api provides both REST and SOAP interface.

How to create S3: / Operations on S3

Creating buckets: Buckets are the fundamental containers in Amazon S3 for data storage.Create a bucket and give a unique name to bucket. Every object is contained in a bucket.They play role in access control.

e.g.: If object name is “test.jpg” and is stored in “example bucket” in “US west region” , the it is addressable using the below URL.

https://examplebucket.s3.us-west-2.amazonaws.com/test.jpg

Note:

· The permissions attached to a bucket apply to all of the objects in that bucket or policies can either add or deny permissions across all (or a subset) of objects within a bucket.

· Only the bucket owner is allowed to associate a policy with a bucket.

Storing data: We can store infinite amount of data in bucket. Upload as many objects as you like into an Amazon S3 bucket. Each object can contain up to 5 TB of data. Each object is stored and retrieved using a unique developer-assigned key.

Downloading data:Download your data or enable others to do so based on permissions. Download your data anytime you like, or allow others to do the same.

Permissions:Grant or deny access to others who want to upload or download data into your Amazon S3 bucket. Grant upload and download permissions to three types of users. Authentication mechanisms can help keep data secure from unauthorized access.

Mis-configuation on S3 Bucket: By default S3 bucket is secure.A misconfigured S3 bucket is a bucket with excessive permissions granted to users. For instance, a bucket containing confidential data with bucket permissions set to public access would be considered misconfigured. These excessive permissions enable an attacker to read private content or upload malicious content to the buckets.

Steps

· S3 bucket name is not a secret, and there are many ways to figure it out.

· If buckets are not properly configured attacker can access or modify information.Buckets can be misconfigured in different ways such as operations such as Read access, Write access, Readable ACL, Writable ACL.

· Testing Bucket Security/Access Controls

Checking Access Control:AWS security configurations range from ingress/egress firewalls and IAM (identity and access management) controls to advanced logging and monitoring capabilities. However, mis-configurations in these systems and application can allow an attacker to pivot into your cloud and exfiltrate both internal and customer data.

So here we are trying to check bucket permissions by different ways whether you are owner or not.

As an Owner: Checking ACL permission of bucket.Some of are mentioned below

By CLI: We can use CLI snippet mentioned below, to check permission of bucket.

aws s3api get-bucket-acl — bucket <bucket name>

From above screenshot we came to know bucket has both public write and read permissions (WRITE_ACP and READ_ACP).

Anonymous User:Unwanted public S3 buckets are a continuous threat. They have been (and still are) causing havoc all over the web.

By Browser:By putting bucket name in below mentioned snippet we can check the list of buckets.

<bucket_name>.s3.amazonaws.com

By CLI:We can use CLI snippet mentioned below, to check permission of bucket.

aws s3 ls s3://<bucket_name>

e.g.In below example we can check listing of buckets.

Authentication mechanisms: AWS security has the potential to be very strong, but poor configurations have led to more than one serious security breach.

A malicious actor can discover open S3 buckets with excessive permissions (public access) and read confidential data from these buckets.Unless it’s a business requirement that anyone on the internet should be able to read or write to the S3 buckets, you should ensure that your S3 buckets are not public.

● Use Amazon S3 “Block Public Access”. This is a centralized control to block public access to Amazon S3 resources.

● Review and do not allow any wild card identity such as principal (*) in bucket policy, if any .

● Review IAM, bucket policy and bucket ACLs and implement least privilege access. Only users that need access to buckets should be granted access.

Owasp
Hacking
Information Security
S3
Bug Bounty

--

--

Gupta Bless

Written by Gupta Bless

1.2K Followers

Security enthusiast working to secure web for others.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams