AWS S3 bucket should not have upload or delete permissions for all the users

AWS-S3-Bucket-Permissions_Security-Audit

Every Organization wants to focus on their business rather than getting worried about security threat looming around their cloud resources. Most users deploy their maximum workload on S3 buckets. It is necessary to follow certain recommendations for AWS S3 and S3 bucket permissions which ensure the security of their bucket data.

AWS S3 bucket permissions for data storage security

The resource owner and the AWS account who creates S3 buckets have all the permissions to access the objects stored within those buckets. It is recommended not to grant upload/delete permission to just any AWS user or resource. Granting these permissions allows any unauthorized AWS user to upload any file or delete any file in the S3 bucket. This can increase the probability of data misuse or other security attacks.

There can be a possibility where the users have numerous buckets in their cloud infrastructure and there might exist a couple of buckets containing sensitive data and having such permissions enabled for all unauthorized users. The user might not be aware of such buckets.

Centilytics has a dedicated insight for AWS S3 bucket permissions. This insight lists down all your buckets having upload/delete permissions enabled for AWS users. It, therefore, helps the users to take necessary actions and change permissions for their S3 buckets.

Insight descriptions:

There can be 2 possible scenarios:

Severity Description
WARNING This indication will be displayed when the corresponding S3 bucket has list access for any authenticated AWS user. Or if the bucket allows any kind of open access. Or if the bucket permission cannot be determined.
CRITICAL This indication will be displayed when the corresponding S3 bucket has upload/delete permission for everyone or for any authenticated AWS user.

 

Description of further columns are as follows:

  1. Account Id: This column Shows the respective account ID of the user’s account.AWS S3 1
  2. Account Name: This column shows the corresponding account name to the user’s account.AWS S3 3
  3. Region: This column shows the region in which the bucket exists.AWS S3 4
  4. Identifier: This column shows the corresponding bucket name.AWS S3 2
  5. Permissions: This column shows the permissions corresponding to the S3 bucket.AWS S3 5

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for Warning and Ok severity types

 

Compliances covered:

Compliance Name Reference No. Link
Trusted Advisor https://console.aws.amazon.com/trustedadvisor/home?#/category/security

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here