A Complete List of AWS S3 Misconfigurations
Amazon S3 or Amazon Simple Storage Service, is an AWS service where data and objects are stored. It is the most popular public cloud service that offers data availability, security, and performance. Both small and large businesses use this service. Unfortunately, AWS S3 bucket misconfigurations are one of the most common causes of data breaches for organizations. As simple as it is to create S3 buckets, the easier it is to make mistakes that can lead to security threats and end up exposing all your data to the internet.
Here is the complete list of AWS S3 misconfigurations for you to avoid and how you can correct them.
List of AWS S3 Misconfigurations
Access Logging Disabled
Not ensuring S3 bucket access logging is enabled on the CloudTrail S3 bucket or not will be the most common misconfiguration in AWS S3. Correcting this misconfiguration will help you comply with compliance standards like CIS, SOC2, PCI, HIPAA, APRA, MAS, GDPR, and NIST.
S3 Buckets Allowing Public Access
The second misconfiguration to avoid is making the S3 bucket publicly accessible. Having an S3 bucket publicly accessible is a significant security lapse. Furthermore, getting rid of this misconfiguration will make you CIS, SOC2, and GDPR compliant.
S3 Bucket Default Encryption
Your S3 buckets should have default encryption (SSE) enabled, or use a bucket policy to enforce it as it can improve your security standards. If default encryption is not enabled, it can cause serious security lapses, including SLA breaches. Having default encryption enabled also helps you satisfy the PCI, HIPAA, GDPR, MAS, NIST, and APRA compliances.
S3 Bucket Versioning Disabled
A very common misconfiguration is not enabling object versioning. Your AWS S3 buckets should have the versioning flag enabled to preserve and recover overwritten and deleted S3 objects as an extra layer of data protection and/or data retention.
S3 Buckets Not Having A Secure Transport Policy
AWS S3 buckets should enforce data encryption over the network (as it travels to and from Amazon S3) using the Secure Sockets Layer (SSL). In other words, your S3 buckets should not allow non-HTTPS connections. Compliance standards that need you to eliminate this misconfiguration are PCI, SOC2, APRA, MAS, HIPAA, and NIST.
S3 Bucket Allowing Public Writes
AWS S3 Misconfigurations can be avoided by checking if S3 buckets have policies that allow public WRITE access. AWS S3 buckets should not be publicly accessible for WRITE actions via S3 access control lists (ACLs) to protect your S3 data from unauthorized users. Allowing public write access on S3 buckets violates PCI, APRA, MAS, and NIST compliance standards.
S3 Bucket Authenticated Users WRITE Access
Allowing WRITE access to AWS authenticated users is a very common misconfiguration. Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.
DNS Compliant S3 Bucket Names
To avoid any misconfiguration and improve operational maturity, ensure that your AWS S3 buckets use DNS-compliant bucket names. S3 buckets should use DNS-compliant bucket names to adhere to AWS best practices and benefit from the new S3 features such as S3 Transfer Acceleration, benefit from operational improvements, and receive support for virtual-host style access buckets.
S3 Buckets MFA Delete Disabled
AWS S3 misconfiguration buckets should use Multi-Factor Authentication (MFA) Delete feature to prevent the deletion of any versioned S3 objects (files). This helps you comply with PCI, GDPR, APRA, MAS, and NIST compliance standards.
S3 Buckets Public Access via Policy
S3 bucket policies should not allow all actions for all principals. AWS S3 buckets should not be publicly accessible via bucket policies to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.
S3 Buckets Not Encrypted with Customer-Provided CMKs
AWS S3 Misconfigurations can be avoided by ensuring that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs. AWS S3 buckets should be configured to use Server-Side Encryption with customer-managed CMKs instead of S3-Managed Keys (SSE-S3) to obtain fine-grained control over the Amazon S3 data-at-rest encryption and decryption process. This helps you comply with GDPR, APRA, and NIST compliances.
S3 Buckets Lifecycle Configuration
Your Amazon S3 buckets should have lifecycle configuration enabled for security and cost optimization purposes.
S3 Buckets with website configuration disabled
S3 buckets with website configuration enabled should be regularly reviewed. By regularly reviewing these S3 buckets, you ensure that only the desired buckets are accessible from the website endpoint.
S3 Object Lock Disabled
AWS S3 buckets should use Object Lock for data protection and/or regulatory compliance and prevent the objects they store from being deleted.
S3 Transfer Acceleration
Not using the transfer acceleration feature is a misconfiguration. S3 buckets should be using the Transfer Acceleration feature to increase the speed (up to 500 percent) of data transfers in and out of Amazon S3 using the AWS edge network.
S3 Bucket Public FULL CONTROL Access
Ensuring that your AWS S3 buckets are not publicly exposed to the Internet can protect you from security lapses and SLA breaches. IAM policies should not allow broad list actions on S3 buckets.
S3 Bucket Authenticated Users FULL CONTROL Access
IAM policies should not allow broad list actions on S3 buckets. Additionally, ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.
S3 Bucket Public READ Access
Allowing public READ access to AWS S3 buckets is a misconfiguration as it allows unauthorized access. Therefore, ensure your AWS S3 buckets do not allow public READ access. This helps you comply with PCI, GDPR, APRA, MAS, and NIST compliances.
S3 Bucket Authenticated Users READ Access
S3 buckets should not allow READ access to AWS authenticated users through ACLs n order to protect your S3 data against unauthorized access. This helps you comply with APRA, MAS, and NIST compliances.
S3 Bucket Public READ ACP Access
AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.
S3 Bucket Authenticated Users READ ACP Access
AWS S3 buckets should not allow READ_ACP access to AWS authenticated users using ACLs to protect against unauthorized access. This helps you comply with PCI, APRA, MAS, and NIST compliances.
S3 Bucket Public WRITE_ACP Access
Another very common misconfiguration is allowing public WRITE_ACP access. Therefore, AWS S3 buckets should not allow public WRITE_ACP access. Granting public “WRITE_ACP” access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions.
S3 Bucket Authenticated Users WRITE_ACP Access
AWS S3 buckets should not allow WRITE_ACP access to AWS authenticated users using ACLs. Granting authenticated “WRITE_ACP” access to your AWS S3 buckets can allow other AWS accounts or IAM users to edit ACL permissions to view, upload, modify and delete S3 objects within the buckets without restrictions.
Server-Side Encryption
Your AWS S3 buckets should enforce Server-Side Encryption (SSE) to protect sensitive data. This is an important aspect of the following compliance standards – PCI, SOC2, HIPAA, GDPR, APRA, MAS, and NIST.
Conclusion
AWS provides many practices, and to ensure proper access and authentication, they should be implemented. The simpler it is to create S3 buckets, the easier it is to make mistakes that can lead to security threats and expose all your data to the internet. Following these simple steps can protect your company from any AWS S3 misconfigurations.
Cloudanix provides a recipe for best practices for S3 that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What’s more? You can sign up for a free trial today!