Amazon S3 Security Attacks and Defense

2021.10.29

I attended AWS Community Day South Asia and came across an interesting seminar related to S3 attacks and their defense. I have shared my learnings below.

Agenda:

  • AWS S3 attack/breach scenarios
  • Introduction to threat modeling
  • Threat Modeling in S3
  • Preventing
  • Detecting
  • Hands On with S3 audit

S3 attack/breach Scenarios

Scenario 1: Misconfigured S3 Bucket with Customer Data

Scenario 2: Code committed to GitHub with AWS access keys that carry S3 permissions to a customer bucket

Scenario 3: Attackers encrypting S3 buckets in the victim's AWS account with their own KMS keys (S3 ransomware scenarios)

Scenario N: There could be any number of other such scenarios to tackle

 

Introduction: Threat modeling

Threat: Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

Core steps for threat modelling:

  1. Identify assets, actors, entry points, components, use cases, and trust levels, and include these in a design diagram.

  2. Identify a list of threats.

  3. Per threat, identify mitigations, which may include security control implementations.

  4. Create and review a risk matrix to determine if the threat is adequately mitigated.

Threat modeling: S3

  1. Pick one S3 feature involved in your data flow diagram.
  2. Identify the associated IAM/bucket actions.
  3. Create a threat list and map it to MITRE ATT&CK.
  4. Set security control objectives and priorities.
  5. Testing and validation.

Reference URL: https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/

Preventing

  • Correct Policies and no Public Access
  • Least Privilege Access
  • Use of IAM Roles to access S3 Buckets
  • Enable MFA Delete
  • Encryption at Rest
  • Encryption in Transit
  • Use S3 Object Lock
  • Use S3 Cross-Region Replication for backups
  • Use VPC endpoints for S3 Access

Detecting

  • Identify and Audit all your S3 buckets
  • Monitoring S3 Bucket Activity (S3 API calls)
  • Enable S3 Server Access Logging
  • Use AWS CloudTrail to record S3 Data Events
  • Enable AWS Config to simplify auditing for misconfigurations
  • Use AWS Macie to protect sensitive info.
  • Check Trusted Advisor

Hands On

Introduction: S3audit

s3audit checks your buckets against a number of good practices to provide clear, actionable insights into the health of your configurations. These checks include:

  • Does a public access configuration exist to block public access of the bucket and objects?
  • Do bucket ACLs or policies allow public access?
  • Is server side encryption enabled by default?
  • Is object versioning and MFA delete enabled?
  • Is static website hosting disabled?

Prerequisites:

  • An AWS account
  • The AWS CLI configured with credentials
  • An S3 bucket

Install s3audit and run it against a bucket:

npm install -g s3audit
s3audit --bucket=<bucket name>
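
To show what the checks listed above look at, here is an added example (not s3audit's own code and not from the seminar) that evaluates the same five questions against bucket configuration already fetched from the S3 API. The function names `auditBucket` and `policyIsPublic`, the result keys, and the sample bucket are hypothetical; the policy check assumes that any unconditioned Allow with a wildcard principal counts as public.

```javascript
// Added example: evaluates the five s3audit-style checks against bucket
// configuration already fetched from the S3 API (shapes follow the
// GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy, GetBucketEncryption,
// GetBucketVersioning and GetBucketWebsite responses). Runs offline.
const PUBLIC_GROUPS = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
];

// Simplification (assumption): an Allow statement with a wildcard principal
// and no Condition is treated as public; conditions are not evaluated.
function policyIsPublic(policy) {
  if (!policy) return false;
  return [].concat(policy.Statement || []).some((s) => {
    const p = s.Principal;
    const wildcard = p === '*' || (p && [].concat(p.AWS || []).includes('*'));
    return s.Effect === 'Allow' && wildcard && !s.Condition;
  });
}

function auditBucket(cfg) {
  const pab = cfg.publicAccessBlock || {};
  const grants = (cfg.acl && cfg.acl.Grants) || [];
  const rules = (cfg.encryption && cfg.encryption.Rules) || [];
  const ver = cfg.versioning || {};
  const results = {
    publicAccessBlocked: ['BlockPublicAcls', 'IgnorePublicAcls',
      'BlockPublicPolicy', 'RestrictPublicBuckets'].every((k) => pab[k] === true),
    aclNotPublic: !grants.some((g) => PUBLIC_GROUPS.includes((g.Grantee || {}).URI)),
    policyNotPublic: !policyIsPublic(cfg.policy),
    defaultEncryption: rules.some((r) => r.ApplyServerSideEncryptionByDefault),
    versioningEnabled: ver.Status === 'Enabled',
    mfaDeleteEnabled: ver.MFADelete === 'Enabled',
    websiteDisabled: !cfg.website,
  };
  return { results, failed: Object.keys(results).filter((k) => !results[k]) };
}

// Constructed sample: a bucket with a public-read policy and no guard rails.
const sampleBucket = {
  publicAccessBlock: null,
  acl: { Grants: [{ Grantee: { Type: 'CanonicalUser', ID: 'EXAMPLE' }, Permission: 'FULL_CONTROL' }] },
  policy: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Principal: '*',
    Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*' }] },
  encryption: null,
  versioning: { Status: 'Enabled' },
  website: null,
};
console.log(auditBucket(sampleBucket).failed);
```

Each failed key maps back to one of the Preventing items: public access settings, encryption at rest, and MFA Delete.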

 

Resources