How to Secure S3 Bucket Misconfigurations in Amazon Cloud


Storing information and documents on local D: and F: drives is no longer fashionable; popular cloud services now let us store gigabytes of files for free, and cloud storage has become the preferred alternative. We don’t need to spend money on disk drives, memory cards, or other storage devices because Azure provides “Blob storage,” AWS provides “S3 buckets,” and Google provides “Cloud Storage buckets”. Organizations no longer need on-premise storage. Even though cloud storage offers many benefits, if any one of the storage buckets is compromised, its entire contents fall into the hands of hackers. Misconfigured S3 buckets are responsible for 16% of all cloud security breaches. While part of this can be attributed to inexperience or human error, it is far from the sole issue. Here is a brief overview of AWS S3 buckets and how to secure them.

Amazon S3 Buckets:

  • Amazon S3 provides object (file) storage through a web interface. It’s built to store, protect and retrieve data from “buckets” at any time from anywhere on any device.
  • As AWS describes it, an S3 environment is a flat structure. A user creates a bucket, and the bucket stores objects in the cloud. Organizations of any size in any industry can use this service.

Who uses AWS S3 buckets?

  • Amazon S3 buckets, as a file hosting and data storage service, are popular among financial institutions, health care organizations, and insurance corporations.


Is our data really stored in an S3 bucket?

  • Yes, of course. We use web portals daily to upload contracts, insurance claims, signed leases, and tax forms. Whenever we do, we have interacted with an S3 bucket, and our data is almost certainly stored there.
  • S3 buckets have become a popular target for cybercriminals. Not only does gaining access to S3 buckets give hackers access to vast amounts of data that they can collect and sell on dark web marketplaces, but it also allows them to steal and encrypt critical information that they can hold for ransom.

Misconfigured Amazon S3 Buckets:

  • Amazon S3 buckets can be exposed to the public, and the organization is responsible for configuring access and granting rights to the bucket, as well as to the data and files it hosts. Unfortunately, many firms fail to configure these rights properly, which can have devastating consequences.
  • Adversaries can quickly identify open S3 buckets by searching the web and locating thousands of them, many of which openly expose incredibly sensitive data such as login credentials, security keys, and API keys.
  • After gaining access to an organization’s S3 bucket, a hacker may be able to upload a harmful file to the bucket in some cases. When someone interacts with the malicious file, they activate a payload that spreads malware and/or ransomware throughout the network.
  • This is highly dangerous because standard signature-based solutions, such as next-generation antivirus (NGAV) and sandboxing, are unable to scan and identify attacks within S3 buckets, allowing this file-borne malware to readily avoid detection.

A few known breaches in AWS S3 buckets:

There have been multiple reports of data breaches involving Amazon S3 in the last year. The majority were caused by misconfigured AWS S3 storage: almost all of the S3 buckets had been set up incorrectly to allow “public” access, so anyone with a link to the S3 server could access, read, or download its contents. The following are the most recent data breaches that have occurred as a result of S3 buckets:

  • In January 2021, the Eye Care Network data breach was discovered, with hackers targeting their Amazon Web Services infrastructure. An unauthorized user accessed and deleted over 3.25 million individual records stored in an AWS S3 bucket.
  • In August 2021, a breach caused by a misconfigured S3 bucket exposed the PII of over 3,000,000 senior citizens.


The Importance of Securing S3 Bucket:

  • Companies have traditionally turned to AWS for its ease of use. Even the most sensitive data, however, might end up in the cloud if data governance guidelines are not followed.
  • The majority of previous S3 bucket hacks we’ve observed involved corporations selecting the “all users” option, thereby allowing the data to be accessed by anyone. Inexperienced users are likely to misconfigure S3 buckets and alter access control.
  • Such a change may grant public access to your S3 buckets, leading to unwanted access and data breaches. S3 buckets are prone to misconfiguration, which makes them a significant security risk.

Now let us look at some of the methodologies you can use to improve S3 bucket security:

1-SSL Enforcement:

  • Using SSL to communicate with S3 buckets is an excellent way to keep our data safe. By default, S3 bucket data can be accessed over either HTTP or HTTPS, which means an attacker could in theory MITM (man-in-the-middle) your requests to S3. To prevent this, we can use a bucket policy with an explicit deny condition so that requests that do not use HTTPS are rejected.

2-Using Logging to Improve S3 Bucket Security:

  • Logging is a recommended security practice that helps teams meet compliance standards, detect unauthorized data access, and investigate a data breach.
  • It records all requests made to a bucket, including PUT, GET, and DELETE operations, which allows the security team to spot attempts at malicious behavior within the buckets.
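As an added example that is not part of the article, the following Python script applies a few defender-side rules to S3 server access log records of the kind the logging described above produces: anonymous reads that succeed (a publicly readable object), deletes, requests made over plain HTTP, and bursts of AccessDenied responses from one address. The log lines, bucket name, owner, request and host ids are constructed placeholders.

```python
import shlex
from collections import Counter

# Constructed S3 server access log records (placeholder owner/request/host ids).
# The requester field is "-" for anonymous requests; the last field is the TLS
# version, which is "-" when the request arrived over plain HTTP.
SAMPLE_LOG = """\
OWNERID demo-bucket [06/Feb/2021:00:00:38 +0000] 192.0.2.3 OWNERID REQ1 REST.GET.OBJECT docs/a.pdf "GET /docs/a.pdf HTTP/1.1" 200 - 1024 1024 7 - "-" "aws-cli/2.1" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader demo-bucket.s3.amazonaws.com TLSv1.2
OWNERID demo-bucket [06/Feb/2021:00:01:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT docs/a.pdf "GET /docs/a.pdf HTTP/1.1" 200 - 1024 1024 9 - "-" "curl/7.68" - HOSTID - - - demo-bucket.s3.amazonaws.com -
OWNERID demo-bucket [06/Feb/2021:00:01:05 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.68" - HOSTID - - - demo-bucket.s3.amazonaws.com TLSv1.2
OWNERID demo-bucket [06/Feb/2021:00:01:06 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT secret/db.sql "GET /secret/db.sql HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.68" - HOSTID - - - demo-bucket.s3.amazonaws.com TLSv1.2
OWNERID demo-bucket [06/Feb/2021:00:02:10 +0000] 192.0.2.3 OWNERID REQ5 REST.DELETE.OBJECT docs/a.pdf "DELETE /docs/a.pdf HTTP/1.1" 204 - - - 5 - "-" "aws-cli/2.1" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader demo-bucket.s3.amazonaws.com TLSv1.2
"""

# Field order of the server access log format; the bracketed timestamp splits
# into two tokens. Newer records carry extra trailing fields, which zip() ignores.
FIELDS = ["owner", "bucket", "time", "tz", "ip", "requester", "request_id", "operation",
          "key", "uri", "status", "error", "bytes", "size", "total_ms", "turnaround_ms",
          "referer", "user_agent", "version_id", "host_id", "sig", "cipher", "auth", "host", "tls"]

def parse_line(line):
    """Split one record into a dict; shlex keeps the quoted URI/referer/agent intact."""
    return dict(zip(FIELDS, shlex.split(line)))

def detect(log_text, denied_threshold=2):
    """Apply defender-side rules to the log text and return a list of alert strings."""
    alerts, denied_by_ip = [], Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec["operation"] == "REST.GET.OBJECT" and rec["requester"] == "-" and rec["status"] == "200":
            alerts.append(f"anonymous read of {rec['key']} from {rec['ip']} (object is publicly readable)")
        if rec["operation"].startswith("REST.DELETE."):
            alerts.append(f"delete of {rec['key']} by {rec['requester']}")
        if rec["tls"] == "-":
            alerts.append(f"plain-HTTP request from {rec['ip']} (SSL enforcement not in place)")
        if rec["error"] == "AccessDenied":
            denied_by_ip[rec["ip"]] += 1
    for ip, n in denied_by_ip.items():  # repeated 403s from one source: probing for keys
        if n >= denied_threshold:
            alerts.append(f"{n} AccessDenied responses to {ip}: possible key enumeration")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```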

3-Using S3 Encryption to Protect Your Data:

  • To protect your data at rest, S3 provides the following two encryption options: Server-Side Encryption & Client-Side Encryption.
  • Encryption can be further divided into subcategories based on key management requirements.
  • You can select an option that meets your preferences based on your security and compliance requirements.
  • Choose Server-Side Encryption if you don’t mind AWS managing the encryption process. Otherwise, if your data is sensitive and you want to encrypt it yourself, use Client-Side Encryption.


4-S3 Bucket Access Control Management:

Access control improves data security. There are a few ways to restrict access to S3 buckets and resources; the strategies for building a secure S3 setup are as follows:

  • Blocking Public Access with Amazon S3: The Amazon S3 Block Public Access setting overrides any bucket policies and object permissions specified earlier. Keep in mind that Block Public Access settings can be applied only to buckets, AWS accounts, and access points.
  • Permissions for IAM Users Can Be Restricted: Fine-grained access controls are provided directly by Identity and Access Management (IAM). Following the principle of least privilege, you can assign users the minimum access and resources needed to administer buckets or read/write data. This eliminates the possibility of human error, which is one of the leading causes of data loss from misconfigured S3 buckets. As a general rule, start with the bare minimum of permissions required and gradually add rights as needed.
  • Using Bucket Policies to Limit S3 Bucket Access: Bucket policies are similar to IAM user policies but are attached directly to S3 resources. They allow you to regulate bucket access with fine-grained permissions while remaining flexible. Bucket policies can, for example, allow access only to a specific AWS account or an internal AWS service, or only from specific IP addresses or ranges.
  • Assigning Access Policies Using S3 Access Points: S3 Access Points are a newer technique for managing access to large amounts of data. The feature improves access control for mixed-use S3 buckets and makes bucket policies easier to maintain.
  • Using ACLs to Control Access: One of the most common causes of S3 data leaks is incorrectly configured ACLs. ACLs can be applied to the bucket or to individual objects: bucket ACLs control access to a bucket, whereas object ACLs control access to specific objects. Bucket ACLs grant access only to the account owner by default, but it is incredibly easy to make your buckets publicly available, which is why AWS advises against using them. Amazon also provides canned ACLs, a set of preconfigured grants and permissions such as private, public-read, and log-delivery-write.
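The SSL-enforcement statement from section 1 and the bucket-policy review from this section, as one added Python example (not code from the article or from AWS): it builds the explicit Deny on the aws:SecureTransport condition key, audits a constructed public-read policy for anonymous Allow statements and for the missing HTTPS requirement, and produces a hardened policy. The bucket name is a placeholder.

```python
import json

# Constructed sample of the misconfiguration described above: an Allow to every
# principal with no Condition. The bucket name is a placeholder, not a real bucket.
BUCKET = "example-bucket-placeholder"
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

def deny_insecure_transport(bucket):
    """Explicit Deny for requests not sent over HTTPS: S3 sets the condition key
    aws:SecureTransport to false for plain-HTTP requests, so only those match."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts  # IAM allows a lone object

def _anonymous_allow(st):
    """Allow granted to everyone ("*" or {"AWS": "*"}) with no Condition at all;
    a source-IP or source-VPC condition would narrow 'everyone'."""
    p = st.get("Principal")
    public = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
    return st.get("Effect") == "Allow" and public and not st.get("Condition")

def _denies_plain_http(st):
    cond = st.get("Condition", {}).get("Bool", {})
    return st.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false"

def audit_policy(policy):
    """Return a list of findings for a bucket policy document (parsed JSON dict)."""
    findings = [f"{st.get('Sid', '<no Sid>')}: Allow to anonymous principal without Condition"
                for st in _statements(policy) if _anonymous_allow(st)]
    if not any(_denies_plain_http(st) for st in _statements(policy)):
        findings.append("no explicit Deny on aws:SecureTransport=false; plain HTTP accepted")
    return findings

def harden(policy, bucket):
    """Drop unconditional anonymous Allows and append the HTTPS-only Deny."""
    kept = [st for st in _statements(policy) if not _anonymous_allow(st)]
    return {"Version": policy.get("Version", "2012-10-17"),
            "Statement": kept + [deny_insecure_transport(bucket)]}

if __name__ == "__main__":
    print(audit_policy(PUBLIC_READ_POLICY))                          # two findings
    print(json.dumps(harden(PUBLIC_READ_POLICY, BUCKET), indent=2))  # audits clean
```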

5-Replication Improves S3 Bucket Reliability:

  • Data duplication: This is the most widely used approach because it strengthens data security. The AWS Backup service, which supports major AWS services such as Amazon EFS, DynamoDB, RDS, EBS, and Storage Gateway, lets you consolidate and automate backup activities.
  • S3 versioning: By using S3 versioning to recover deleted data, we can avoid complicated and time-consuming backup restoration operations.
  • Using Same-Region Replication (SRR): If regulatory compliance requires storing data locally or in the same region, then SRR could be a great option. AWS uses an in-built data replication feature to replicate an S3 bucket across storage devices in three physically separated availability zones within a region. This automatically ensures data security and reliability in the event of infrastructure failure or a disaster.
  • Cross-Region Replication (CRR): To overcome the problem of a single point of failure and improve data availability, you can use the Cross-Region Replication (CRR) functionality. CRR not only ensures data availability but also helps you meet regulatory requirements if your data must be stored in multiple places.
  • Choosing levels of availability based on workload requirements: Because S3 services come in a variety of availability levels, use Infrequent Access (IA) storage for low-priority applications and upgrade to a higher-availability storage class when your IT workloads demand it.


6-Implementing S3 Object Locking:

  • S3 Object Lock makes deleting data from S3 difficult. Attackers are mostly interested in stealing data or erasing data or assets.
  • The latter is addressed by S3 Object Lock, which prevents an object from being deleted or overwritten. It effectively makes the S3 object immutable by letting users control object retention in one of two ways: by specifying a retention period, or by placing a legal hold on the object until a user releases it.
  • S3 Object Lock also helps meet regulatory standards that require WORM (write once, read many) storage, or internal compliance requirements that call for an extra layer of protection.
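An added Python example (not from the article) of the two retention controls just described, using the boto3 S3 client method names put_object_lock_configuration, put_object_retention and put_object_legal_hold; the bucket and key are placeholders, and a dry-run client records the calls instead of sending them to AWS. It goes slightly beyond the text by distinguishing the GOVERNANCE and COMPLIANCE retention modes.

```python
from datetime import datetime, timedelta, timezone

# Placeholders for a bucket created with Object Lock enabled
# (create_bucket(..., ObjectLockEnabledForBucket=True), which also enables versioning).
BUCKET = "example-locked-bucket-placeholder"
KEY = "backups/2021-08-01.tar.gz"
# COMPLIANCE retention cannot be shortened or removed by any user, root included;
# GOVERNANCE retention can be overridden by holders of s3:BypassGovernanceRetention.
MODES = ("GOVERNANCE", "COMPLIANCE")

def default_retention_config(days, mode="COMPLIANCE"):
    """Bucket-level default retention applied to every new object version."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}

def retention_for(days, mode="COMPLIANCE", now=None):
    """Per-object retention, expressed as the retain-until timestamp S3 expects."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    now = now or datetime.now(timezone.utc)
    return {"Mode": mode, "RetainUntilDate": now + timedelta(days=days)}

def lock_object(s3, bucket, key, days, mode="COMPLIANCE", legal_hold=False):
    """Apply the two controls described above to one object: a retention period and,
    optionally, a legal hold, which blocks deletion until released with Status OFF
    regardless of the retention date. `s3` is a boto3 S3 client or any object with
    the same method names. Returns the retention dict that was sent."""
    retention = retention_for(days, mode)
    s3.put_object_retention(Bucket=bucket, Key=key, Retention=retention)
    if legal_hold:
        s3.put_object_legal_hold(Bucket=bucket, Key=key, LegalHold={"Status": "ON"})
    return retention

class DryRunClient:
    """Records the S3 API calls instead of sending them; useful for reviewing changes."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, api):
        return lambda **params: self.calls.append((api, params))

if __name__ == "__main__":
    s3 = DryRunClient()  # swap for boto3.client("s3") to apply for real
    s3.put_object_lock_configuration(Bucket=BUCKET,
                                     ObjectLockConfiguration=default_retention_config(365))
    lock_object(s3, BUCKET, KEY, days=365, legal_hold=True)
    for api, params in s3.calls:
        print(api, params)
```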


AWS delivers a high level of security if properly configured. However, many organizations lack the analytics and skills needed to manage highly secure AWS infrastructures. Hopefully, by following the approaches and methods described in this article, organizations will be able to avoid misconfiguring S3 buckets and prevent data breaches.

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst

