S3 Bucket Insecure Read Access

This plugin prevents outside users from having read access to S3 buckets.

Risk Level: High

Description:

This plugin prevents outside users from having read access to S3 buckets. An outsider will be able to list S3 objects and read S3 ACL if this vulnerability is exploited. Even if bucket objects are designed to be publicly accessible, it is advisable to disable these rights. In order to avoid false positives, this plugin parses the Block Public Access configuration for each bucket and account.

About the Service :

Amazon S3 is an object storage service with industry-leading scalability, data availability, security, and performance. Amazon S3 allows customers of all sizes and sectors to store and safeguard any amount of data for a variety of use cases, including data lakes, websites, mobile applications, backup and restore, archive, business applications, IoT devices, and big data analytics.

Impact:

To prevent unauthorized access, make sure your AWS S3 buckets' content isn't publicly listed. An anonymous user can list the objects in an S3 bucket that has READ (LIST) access granted to everyone. Malicious users can utilize the information gathered during the listing process to locate objects with improperly configured ACL permissions and get access to them.

 

Steps to reproduce :

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at: https://console.aws.amazon.com/s3/
  3. Select the S3 bucket you want to examine and click on the Properties tab.
  4.  Check the Access Control List (ACL) configuration for any grantee called "Everyone" in the Properties panel's Permissions tab.
  5. The selected S3 bucket is publicly accessible for content listing and is evaluated as insecure if the bucket ACL configuration includes the "Everyone" preset group with the List (READ) permission enabled.
  6. Repeat steps no. 3 - 5 for each S3 bucket that you want to examine, available in your AWS account.

Steps for remediation :

Disable Objects and Bucket ACL READ permissions for both: 'Everyone' and 'Authenticated users group'. It is recommended to disable these permissions even if bucket objects are supposed to be publicly accessible.

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at: https://console.aws.amazon.com/s3/
  3. Select the S3 bucket you want to examine and click on the Properties tab.
  4.  Check the Access Control List (ACL) configuration for any grantee called "Everyone" in the Properties panel's Permissions tab.
  5. Uncheck the List (READ) permission applied to "Everyone".
  6. Click Save to apply the new ACL configuration and remove the bucket public READ (LIST) access.
  7. Repeat steps no. 3 – 6 for each publicly “READ” accessible S3 bucket available in your AWS account.




References: