One of the biggest challenges we see with cloud security is that people are unpredictable and prone to, well, being human. So we often see security incidents happen that are simply errors made by well-intending employees. While they mean well, these errors can (and do) inadvertently put their organization at risk.
One of the most common errors that’s been popping up in the news and which we’ve started to see here at Expel is when users accidentally make Amazon S3 buckets public.
What’s Amazon S3, why do these breaches happen and how can you protect your own org from making this mistake? We’re laying out all the details for you below.
What is Amazon S3?
Why do Amazon S3 buckets regularly end up open?
How to find S3 buckets of a target application?
The S3 bucket name is not a secret, and there are many ways to figure it out. I will try to share all the possible ways to find the bucket of the target application.
Method # 1:
There are many online tools available on the internet for finding the S3 buckets of a website. Some of them are listed below.
- Lazy S3
- Bucket_finder
- AWS Cred Scanner
- Mass3
- S3Scanner
- S3BucketFinder
Most of these tools are command-line tools. You can download them from GitHub.
Method # 2:
Look at the server details reported by Wappalyzer (browser extension) or in the response to any request to the target application. This tells you whether the application is using Amazon S3 to store data.
Method # 3:
Right-click on the page and open “View page source”. Look for URLs like
- xyz.s3.amazonaws.com/
- s3.amazonaws.com/xyz
- xyz.s3.eu-west-1.amazonaws.com
- s3.eu-west-1.amazonaws.com/xyz
Note: XYZ represents the bucket name and eu-west-1 is the region. The region can vary.
Method # 4:
Use Burp Suite and spider the target web application. The Burp Spider is one of my favourite plugins; it extracts the target application's Amazon bucket every time.
These are some basic techniques for finding out whether an application uses Amazon S3.
How to exploit misconfigured Amazon buckets with AWSCLI?
How to list the objects of a misconfigured Amazon S3 Bucket?
To list all objects and folders in a bucket, enter the following command.
aws s3 ls s3://bucket-name
How to upload an object to a misconfigured Amazon bucket?
aws s3 cp file.txt s3://bucket-name
aws s3 mv file.txt s3://bucket-name
How to download an object from a misconfigured Amazon bucket?
aws s3 cp s3://bucket-name/file-name ./
aws s3 mv s3://bucket-name/file-name ./
How to delete an object from a misconfigured Amazon bucket?
aws s3 rm s3://bucket-name/file-name
What can happen?
Since so many companies store sensitive data in S3 buckets, any leak could be devastating. You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images.
How to fix it?
There are quite a few recommended actions to protect the sensitive information in your S3 buckets and minimize the risk of data exposure, whether from account breaches or from losses.
Restricting Access
Keep track of who has been granted access to S3 buckets and objects, and of the level of privileges that have been granted. Although access to S3 buckets is private by default, write access for everyone automatically grants delete access to S3 objects. Therefore, access to S3 buckets should be restricted to a small number of trusted individuals. Similarly, granting read access to everyone allows all users to read the data saved in S3 buckets. It is important to know that you can use access control lists for granular permissions and require multi-factor authentication before an object can be deleted.
Audits and Monitoring
Internal transfers and new hires are common in any team. Regular audits should be performed to ensure that rights have been modified according to the role of the individual. Additionally, logging should be enabled for S3 buckets so that actions performed can be referenced in case of an issue.
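The two sections above (restricting access, and auditing the grants regularly) come down to one recurring check: does anything in the bucket's ACL or bucket policy grant access to everyone? The following is an added example, not code from the original article or from Expel, that performs that check offline over data shaped like the output of boto3's get_bucket_acl() and get_bucket_policy(). The predefined-group URIs are AWS's real ones; the bucket name, account id, role name and grantee ids in the samples are constructed, and a hardened policy scoped to one named role is shown next to the public one so the difference the analyzer reports is visible.

```python
"""Offline check of an S3 bucket's ACL and bucket policy for public grants.

Both inputs have the shape boto3's get_bucket_acl() and get_bucket_policy()
return, so the same functions can be run over live output during an audit.
All sample data below (bucket name, account id, role, grantee ids) is constructed.
"""
import json

# Real S3 predefined-group URIs; a grant to either makes the bucket public
# (AuthenticatedUsers means any AWS account at all, not just your own).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to a public group.

    Bucket-level WRITE is the grant the text warns about: it lets the
    grantee create, overwrite and delete objects.
    """
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return (Sid, sorted actions, has_condition) for each Allow statement
    with a wildcard principal.

    A Condition block is reported rather than treated as safe: some
    conditions (e.g. aws:SecureTransport) still leave the data public,
    so a reviewer has to read it.
    """
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(actions), "Condition" in stmt))
    return findings


def bucket_exposure_report(acl, policy_json):
    """Human-readable findings from both controls; an empty list means
    neither the ACL nor the policy opens the bucket to the public."""
    lines = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for sid, actions, conditional in policy_public_statements(policy_json):
        note = " (has a Condition: check that it really limits who)" if conditional else ""
        lines.append(f"policy statement {sid} allows {', '.join(actions)} to Principal *{note}")
    return lines


# --- constructed samples --------------------------------------------------
OWNER_ID = "constructed-canonical-owner-id"
PRIVATE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}],
}
# The misconfiguration the text describes: READ and WRITE for everyone.
PUBLIC_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
OBJECTS = "arn:aws:s3:::constructed-example-bucket/*"
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": OBJECTS},
]})
# Corrected form: the same read access, scoped to one named (constructed) role.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/constructed-app-role"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [OBJECTS, "arn:aws:s3:::constructed-example-bucket"]},
]})

if __name__ == "__main__":
    for label, acl, pol in (("public", PUBLIC_ACL, PUBLIC_POLICY),
                            ("hardened", PRIVATE_ACL, HARDENED_POLICY)):
        print(f"[{label}]", bucket_exposure_report(acl, pol) or ["no public access found"])
```

In a real audit you would feed the function the live `Grants` list and the policy string for every bucket in the account on a schedule, and treat any non-empty report as a ticket; the ACL and the policy are checked separately because either one alone is enough to expose the data.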
Data Backup
Initiate a backup of your critical S3 buckets so that data can be restored from the backup copy in case of unexpected modifications or breaches. N2WS offers a free version of CPM that helps with backup, recovery, and disaster recovery of Amazon EC2 instances.