Amazon S3 Security Attacks and Defense

I attended aws community day south asia and came across a interesting seminar related to S3 Attack and its defense i have shared my learning below

Agenda:

• aws S3 attack/breach Scenarios
• Introduction to threat modeling
• Threat Modeling in　S3
• Preventing
• Detecting
• Hands On with S3　audit

S3 attack/breach Scenarios

Scenario 1: Misconfigured S3 Bucket with Customer Data

Scenario 2: github code commited with aws access keys associated with S3 Permissions to customer Bucket

Scenario 3: Attackers encrypting S3 buckets in victim aws  account with their own kms keys S3 ransomware Scenarios

Scenario Nth: there could be n Different Such Scenario to tackel

Introduction: Threat modeling

Threat: Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

Core steps for threat modelling:

1. Identify assets, actors, entry points, components, use cases, and trust levels, and include these in a design diagram.

2. Identify a list of threats.

3. Per threat, identify mitigations, which may include security control implementations.

4. Create and review a risk matrix to determine if the threat is adequately mitigated.

Threat modeling : S3

1. pick one feature of s3 involve in your data flow diagram
2. Identify Associated IAM/Bucket Action.
3. Create threat list and map it to the Mitter Attack
4. Set Security control objective and priorities
5. Testing and validation

参照URL：https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/

Preventing

• Correct Policies and no Public Access
• Least Privilege Access
• Use of IAM Roles to access S3 Buckets
• Enable MFA Delete
• Encryption at Rest
• Encryption at Transit
• Use S3 Object Lock Use S3 Cross Region
• Replication for backups
• Use VPC endpoints for S3 Access

Detecting

• Identify and Audit all your S3 buckets
• Monitoring S3 Bucket Activity (S3 API calls)
• Enable S3 Server
• Access Logging
• Use AWS Cloudtrail to record S3 Data Events
• Enable AWS Config to simplify auditing for misconfigurations
• Use AWS Macie to protect sensitive info.
• Check Trusted Advisor

Hand on

Introduction: S3audit

s3audit checks your buckets against a number of good practices to provide clear, actionable insights into the health of your configurations. These checks include:

• Does a public access configuration exist to block public access of the bucket and objects?
• Do bucket ACLs or policies allow public access?
• Is server side encryption enabled by default?
• Is object versioning and MFA delete enabled?
• Is static website hosting disabled?

prerequisite:

npm install -g s3audit

s3audit --bucket=<bucket name>

Resources