Example Code to List all S3 buckets, in the default region config, that have URI Grant access to ..global/AllUsers permissions listed in the ACL.
NOTE: These are code examples created back in 2018. They should be tested before use. I'm open to accepting PRs to improve them. This repository was created with minimalist examples that can work as a place to start.
There are multiple news articles that continue to come out about "leaky AWS S3" (AWS S3 server leaks data from Fortune 100 companies: Ford, Netflix, TD Bank) or "leaving a server unsecured" and S3 configurations "without a password" (A Washington ISP exposed the 'keys to the kingdom' after leaving a server unsecured).
Apple (which had a URI Grant access to ..global/AllUsers as my example code looks for), along with many other companies, have messed up with this before.
What do these articles above have in common? This is lingo for AWS S3 buckets configured to have Public access! At least do a basic audit of your S3 buckets and ensure you aren't doing the same, unless it's being done for a purpose because it means free downloads over here!
Let's say we have a bucket, and it has a Public access ACL granted to it.
Running one of my examples, the shell script (which is wrapped around AWSCLI):
./s3nakedinpublic.sh
This example script will output any buckets with Public (specifically, global/AllUsers) in the ACL.
./s3nakedinpublic.sh
uhohthisisbad
In this case, uhohthisisbad
is an S3 bucket that it found. What does that look like from the AWS console? For one, you can sort by "Public" buckets:
The dead giveaway is the "Public" icon:
Within the ACL permissions of the bucket, we would see something like this:
How do you fix this? AWS has made this as easy as possible. Here it can be changed on the bucket itself:
You can also do this with less running around, and in bulk:
You can also do this account wide, but you'd have to be absolutely certain that this won't be breaking functionality where this has been done intentionally for serving files for download or other purposes:
Now the big "Public" label is no longer on our bucket:
And the ACL would now look something like this:
There should be some kind of monitoring implemented in an account in order to alert in the event that a bucket has modifications where itself or contents gain public access, or if new buckets are made with public permissions.
Some resources to look at:
- A robust-looking tool for S3 inspection that looks beyond the simple ACL lookup s3nakedinpublic examples use, which may be the best place to look next (though it hasn't been updated in over a year, keep in mind): https://github.com/kromtech/s3-inspector
- A repo hosting a report of AWS S3 "leaks" that have happened over time: https://github.com/nagwww/s3-leaks
- Rapid7 Blog Article from 2013: There's a Hole in 1,951 Amazon S3 Buckets (You can be certain the number is much higher now...)
- Some good articles by AWS themselves about securing S3: How can I secure the files in my Amazon S3 bucket? and Using Amazon S3 Block Public Access