Top 16 AWS S3 Misconfigurations To Avoid in 2023
Amazon S3 (Amazon Simple Storage Service) is an object storage service. It is the most popular public cloud service that offers data availability, security, and performance. It is used by both small and large businesses. To automatically monitor all your AWS resources for any security issues and potential exposure, AWS S3 is a great way to do it. You can use many online tools to find S3 buckets on a website.
Here are a few AWS S3 Misconfigurations that you can avoid in 2023.
Access Logging Enabled
The first thing in AWS S3 Misconfigurations is not having S3 bucket access logging enabled on the CloudTrail S3 bucket. It is crucial to check S3 bucket access logging is enabled on the CloudTrail S3 bucket. Furthermore, taking care of these s3 misconfigurations helps you comply with the following compliance standards – CIS, SOC2, PCI, HIPAA, APRA, MAS, GDPR, and NIST.
S3 Buckets Public Access Block
To avoid any S3 misconfigurations, ensure that your S3 bucket used to store CloudTrail logs is not publicly accessible. Monitoring the use of information system accounts will provide better security.
S3 Bucket Default Encryption
This S3 Misconfiguration Ensure that your S3 buckets have default encryption (SSE) enabled, or they are using a bucket policy to enforce it. Having this configuration can improve your security standards. This is also one step closer to being PCI, HIPAA, GDPR, MAS, NIST, and APRA compliant.
S3 HTTPS Only
Another S3 misconfiguration is if your S3 buckets do not have a secure transport policy. Having S3 buckets with a secure transport policy can help you achieve PCI, SOC2, APRA, MAS, HIPAA, and NIST compliance.
S3 Does Not Allow Public Writes
S3 Misconfigurations can be avoided by checking if S3 buckets have policies that allow public WRITE access. Having S3 buckets with policies that allow public WRITE access violates the PCI, APRA, MAS, and NIST compliance standards.
S3 Bucket Authenticated Users WRITE Access
Building on the above S3 misconfiguration, another very common misconfiguration is allowing WRITE access to AWS authenticated users. You must ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.
S3 Bucket Public Access Via Policy
S3 bucket policies should not allow all actions for all principals. Ensure that your S3 buckets do not allow public access via bucket policies. This helps you comply with PCI, CBP, GDPR, APRA, MAS, and NIST compliance standards.
S3 Bucket Public FULL CONTROL Access
IAM policies should not allow broad list actions on S3 buckets. By ensuring that your AWS S3 buckets are not publicly exposed to the internet, you can protect yourself from misconfigurations. Compliance standards that require you to get rid of such a misconfiguration are PCI, CBP, APRA, MAS, and NIST.
S3 Bucket Authenticated Users FULL CONTROL Access
IAM policies should not allow broad list actions on S3 buckets. Ensure that your S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs. Compliance standards that require you to get rid of such a misconfiguration are PCI, CBP, APRA, MAS, and NIST.
S3 Bucket Public READ Access
Allowing public READ access to AWS S3 buckets is a misconfiguration. Make sure that your S3 buckets do not allow public READ access. PCI, GDPR, APRA, MAS, and NIST require you to not have such a misconfiguration.
S3 Bucket Authenticated Users READ Access
Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs. PCI, Compliance standards required for this are APRA, MAS, NIST.
S3 Bucket Public READ ACP Access
By ensuring your S3 buckets do not allow public READ_ACP access, you can protect your organization from any security misconfiguration. Furthermore, you can be PCI, APRA, MAS, and NIST compliant by getting rid of this misconfiguration.
S3 Bucket Authenticated Users READ ACP Access
Similar to the above S3 misconfigurations, ensure S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.
S3 Bucket Public WRITE_ACP Access
Another very common misconfiguration is allowing public WRITE_ACP access. You should ensure that AWS S3 buckets do not allow public WRITE_ACP access. That way, you can be PCI, APRA, MAS, and NIST compliant.
S3 Bucket Authenticated Users WRITE_ACP Access
Similarly, ensure that your AWS S3 buckets do not allow WRITE_ACP access to AWS authenticated users using ACLs.
Server-Side Encryption
Ensure that your AWS S3 buckets enforce Server-Side Encryption (SSE). This will help you achieve PCI, SOC2, HIPAA, GDPR, APRA, MAS, and NIST compliance.
Conclusion
AWS provides many practices, and to ensure proper access and authentication, they should be implemented. The simpler it is to create S3 misconfigurations buckets, the easier it is to make mistakes that can lead to security threats and end up in the exposure of all your data to the internet. By following these simple steps, you can protect your company from any misconfigurations.
Cloudanix provides a recipe for best practices for S3 that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What’s more? You can sign up for a free trial today!