

Unwanted public S3 buckets are a continuous threat. They have been (and still are) causing havoc all over the web. Bitdefender compiled a list of the 10 worst Amazon S3 breaches.

There are several tools out there to help your company find public S3 buckets. They are almost all standalone scripts or Lambda functions that query the AWS APIs via some sort of SDK (Python, Node.js, etc.). But when centralized security is implemented, as we have done at Auth0, this task can be performed using a data lake or any sort of system/service where logs are aggregated, analysed, and acted upon. In that regard, the first source for your AWS events is CloudTrail.

Digging around the Internet, we didn't find enough resources explaining the different ways an S3 bucket can be made public and how to detect it in raw CloudTrail logs, so we started playing around, running tests and building queries to find that out.

We wanted to cover all the possible ways that a user, malicious or not, could use to create a public S3 bucket: by mistake, for data exfiltration, or for command and control (yes, you can use it even for that, my dear pentester friends).

"Data exfiltration, also called data extrusion, is the unauthorized transfer of data from a computer." (TechTarget)

We’ve tested the creation of buckets in two ways: via the AWS command line interface (aws CLI) and the web console. We’ve also tested policy changes, both access control lists (ACLs) and individual permissions. This blog post will guide you through our process, our findings, and our solutions.

Before getting into the technical details, let’s have an overview of the context in which those tests were running, which technologies were involved, and how we linked them all together.

As a Security Information and Event Management (SIEM) solution we’re working with Sumo Logic. We send all logs to it, and we’ve designed the CloudTrail logs coming from every AWS account to be collected in a centralized S3 bucket that is “drained” by the Sumo Logic collector and organized in the source category named cloudtrail_aws_logs.

The S3 Bucket Permission Model

Let's have a quick overview of the types of permissions an S3 bucket can have and how they can be used to make one public. For a complete and detailed explanation, we highly recommend reading the official AWS documentation.
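As an added example of the kind of detection logic described above (it is not code from Auth0 or from the original post), here is a small Python classifier that walks raw CloudTrail records and flags the S3 API calls that make a bucket public through either an ACL (a canned `x-amz-acl` such as `public-read`, or an explicit grant to the `AllUsers`/`AuthenticatedUsers` group) or a bucket policy with a wildcard `Principal`. The sample records are constructed for this example and use a simplified version of the real CloudTrail record shape; the bucket names and account ID are placeholders.

```python
import json

# AWS group grantee URIs that make an ACL grant world-accessible.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Canned ACLs that expose a bucket beyond its owner.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _acl_is_public(params):
    """True if requestParameters carry a public canned ACL or a public grant."""
    canned = params.get("x-amz-acl") or []
    if isinstance(canned, str):
        canned = [canned]
    if any(c in PUBLIC_CANNED_ACLS for c in canned):
        return True
    # Explicit grants arrive as an AccessControlPolicy body (PutBucketAcl).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):  # a single grant may be serialized as an object
        grants = [grants]
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _policy_is_public(params):
    """True if any Allow statement in the bucket policy has a wildcard principal.
    A Condition block may narrow such a statement; it is still flagged for review."""
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):
        policy = json.loads(policy)
    if not policy:
        return False
    stmts = policy.get("Statement") or []
    if isinstance(stmts, dict):
        stmts = [stmts]
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               for s in stmts)


def classify_event(record):
    """Return a short reason if this CloudTrail record (attempts to) make a bucket
    public, otherwise None. Denied attempts are kept and marked, since the attempt
    itself is worth an alert."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    reason = None
    if name in ("CreateBucket", "PutBucketAcl") and _acl_is_public(params):
        reason = f"{name}: public ACL"
    elif name == "PutBucketPolicy" and _policy_is_public(params):
        reason = "PutBucketPolicy: wildcard principal"
    if reason and record.get("errorCode"):
        reason += " (denied: " + record["errorCode"] + ")"
    return reason


def find_public_bucket_events(records):
    """Return (bucketName, caller ARN, reason) for every flagged record."""
    hits = []
    for r in records:
        reason = classify_event(r)
        if reason:
            hits.append(((r.get("requestParameters") or {}).get("bucketName"),
                         (r.get("userIdentity") or {}).get("arn"), reason))
    return hits


# Constructed sample records (simplified CloudTrail shape, placeholder account/buckets).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket-1", "x-amz-acl": ["public-read"]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-bucket-2", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"xsi:type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"bucketName": "example-bucket-3", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-3/*"}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"bucketName": "example-bucket-4", "x-amz-acl": ["private"]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "requestParameters": {"userName": "placeholder"}},
]

if __name__ == "__main__":
    for hit in find_public_bucket_events(SAMPLE_RECORDS):
        print(hit)
```

The same three checks (canned ACL, explicit group grant, wildcard policy principal) are what a SIEM query over the `cloudtrail_aws_logs` source category would look for; having them in one place makes it easy to unit-test the logic against records captured during your own CLI and console tests before turning it into a saved search.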
