Amazon S3 Security Attacks and Defense



I attended AWS Community Day South Asia and came across an interesting seminar related to S3 attacks and their defense; I have shared my learning below.


  • AWS S3 attack/breach Scenarios
  • Introduction to threat modeling
  • Threat Modeling in S3
  • Preventing
  • Detecting
  • Hands On with S3 audit

S3 attack/breach Scenarios

Scenario 1: Misconfigured S3 Bucket with Customer Data

Scenario 2: GitHub code committed with AWS access keys that carry S3 permissions on a customer bucket

Scenario 3: Attackers encrypting S3 buckets in the victim's AWS account with their own KMS keys (S3 ransomware scenario)

Scenario N: there could be n different such scenarios to tackle


Introduction: Threat modeling

Threat: Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

Core steps for threat modelling:

  1. Identify assets, actors, entry points, components, use cases, and trust levels, and include these in a design diagram.

  2. Identify a list of threats.

  3. Per threat, identify mitigations, which may include security control implementations.

  4. Create and review a risk matrix to determine if the threat is adequately mitigated.

Threat Modeling: S3

  1. Pick one feature of S3 involved in your data flow diagram
  2. Identify the associated IAM/bucket actions
  3. Create a threat list and map it to MITRE ATT&CK
  4. Set security control objectives and priorities
  5. Testing and validation

Preventing

  • Correct Policies and no Public Access
  • Least Privilege Access
  • Use of IAM Roles to access S3 Buckets
  • Enable MFA Delete
  • Encryption at Rest
  • Encryption in Transit
  • Use S3 Object Lock
  • Use S3 Cross Region Replication for backups
  • Use VPC endpoints for S3 Access

Detecting

  • Identify and Audit all your S3 buckets
  • Monitoring S3 Bucket Activity (S3 API calls)
  • Enable S3 Server Access Logging
  • Use AWS Cloudtrail to record S3 Data Events
  • Enable AWS Config to simplify auditing for misconfigurations
  • Use AWS Macie to protect sensitive info.
  • Check Trusted Advisor

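As an added example (written for this post, not taken from the seminar or from any AWS tool), the following Python runs three detection rules over constructed CloudTrail S3 records, one per attack scenario listed at the top: an ACL change that grants access to everyone, an object written under SSE-KMS with a key owned by a different account (the ransomware pattern), and removal of a public access block or bucket policy guardrail. The account id, bucket name, ARNs and the exact requestParameters field names are assumptions; confirm them against records from your own trail with S3 data events enabled.

```python
DEFENDED_ACCOUNT = "111122223333"  # constructed account id for this example

# Constructed CloudTrail records (S3 management and data events), trimmed to the
# fields the rules below read. The field names follow CloudTrail's layout as this
# example assumes it; verify them against your own trail before reusing the rules.
SAMPLE_TRAIL = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-reader"},
     "requestParameters": {"bucketName": "example-customer-data", "key": "report.pdf"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"},
     "requestParameters": {"bucketName": "example-customer-data",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "example-customer-data", "key": "customers.csv",
         "x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-0000-0000-000000000000"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"},
     "requestParameters": {"bucketName": "example-customer-data"}},
]

PUBLIC_GRANTEES = ("global/AllUsers", "global/AuthenticatedUsers")


def kms_key_account(key_id):
    """Account id embedded in a KMS key ARN, or None for a bare key id or alias."""
    parts = key_id.split(":")
    return parts[4] if key_id.startswith("arn:") and len(parts) >= 6 else None


def analyze_event(evt, defended_account=DEFENDED_ACCOUNT):
    """Return a (rule, detail) finding for one CloudTrail record, or None."""
    if evt.get("eventSource") != "s3.amazonaws.com":
        return None
    name = evt.get("eventName")
    params = evt.get("requestParameters") or {}
    bucket = params.get("bucketName")
    actor = evt.get("userIdentity", {}).get("arn")

    # Rule 1: an ACL change that grants to everyone / all AWS users (scenario 1).
    if name in ("PutBucketAcl", "PutObjectAcl"):
        grants = (params.get("AccessControlPolicy", {})
                        .get("AccessControlList", {}).get("Grant", []))
        for g in (grants if isinstance(grants, list) else [grants]):
            uri = g.get("Grantee", {}).get("URI", "")
            if any(uri.endswith(p) for p in PUBLIC_GRANTEES):
                return ("public_acl_grant",
                        f"{bucket}: {g.get('Permission')} granted to {uri} by {actor}")

    # Rule 2: object written with SSE-KMS under a key from another account (scenario 3).
    if name in ("PutObject", "CopyObject") and \
            params.get("x-amz-server-side-encryption") == "aws:kms":
        owner = kms_key_account(params.get("x-amz-server-side-encryption-aws-kms-key-id", ""))
        if owner and owner != defended_account:
            return ("foreign_kms_key",
                    f"{bucket}/{params.get('key')}: KMS key owned by account {owner}")

    # Rule 3: a preventive guardrail was removed; review even if the actor is internal.
    if name in ("DeletePublicAccessBlock", "DeleteBucketPolicy"):
        return ("guardrail_removed", f"{bucket}: {name} by {actor}")
    return None


def detect(events):
    """Run every rule over a batch of records and collect the findings in order."""
    findings = []
    for evt in events:
        finding = analyze_event(evt)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_TRAIL):
        print(f"[{rule}] {detail}")
```

Rule 2 only fires when the key id is a full ARN; objects encrypted with a bare key id or an alias cannot be attributed to an account from the event alone, which is itself a reason to prefer full key ARNs in your own tooling.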
Hands On

Introduction: S3audit

s3audit checks your buckets against a number of good practices to provide clear, actionable insights into the health of your configurations. These checks include:

  • Does a public access configuration exist to block public access of the bucket and objects?
  • Do bucket ACLs or policies allow public access?
  • Is server side encryption enabled by default?
  • Is object versioning and MFA delete enabled?
  • Is static website hosting disabled?
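The checks s3audit lists above, together with the controls under Preventing (no public access, TLS enforced, encryption at rest, versioning with MFA delete), can be expressed as a small offline audit. The following Python is an added example written for this post, not part of s3audit or any AWS SDK; it works on constructed snapshots of two buckets' settings, roughly the data that GetPublicAccessBlock, GetBucketPolicy, GetBucketEncryption, GetBucketVersioning and GetBucketWebsite would return, so the bucket names, ARNs and the flattened field layout are assumptions.

```python
# Constructed snapshots of two buckets' settings (made-up names and ARNs),
# flattened into one dict per bucket for this example.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

WEAK_BUCKET = {
    "name": "example-customer-data",
    "public_access_block": {k: False for k in PAB_KEYS},
    "policy": {"Statement": [
        # Scenario 1: everyone may read every object.
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-data/*"},
    ]},
    "default_encryption": None,
    "versioning": {"Status": "Suspended", "MFADelete": "Disabled"},
    "website_hosting": True,
}

HARDENED_BUCKET = {
    "name": "example-customer-data-hardened",
    "public_access_block": {k: True for k in PAB_KEYS},
    "policy": {"Statement": [
        # Encryption in transit: refuse any request not made over TLS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-customer-data-hardened",
                      "arn:aws:s3:::example-customer-data-hardened/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Least privilege: one role and one action instead of a public grant.
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-data-hardened/*"},
    ]},
    "default_encryption": "aws:kms",
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "website_hosting": False,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_allow_statements(policy):
    """Allow statements open to everyone with no Condition narrowing them."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]


def enforces_tls(policy):
    """True if some Deny statement keys on aws:SecureTransport being false."""
    for s in policy.get("Statement", []):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(cfg):
    """Return the list of findings for one bucket snapshot (empty means clean)."""
    findings = []
    if not all(cfg["public_access_block"].get(k) for k in PAB_KEYS):
        findings.append("public access block is not fully enabled")
    if public_allow_statements(cfg["policy"]):
        findings.append("bucket policy grants access to everyone")
    if not enforces_tls(cfg["policy"]):
        findings.append("bucket policy does not deny non-TLS requests")
    if not cfg["default_encryption"]:
        findings.append("default server-side encryption is not configured")
    if cfg["versioning"].get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    if cfg["versioning"].get("MFADelete") != "Enabled":
        findings.append("MFA delete is not enabled")
    if cfg["website_hosting"]:
        findings.append("static website hosting is enabled")
    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or ["no findings"])
```

The public-principal check is deliberately simple: a statement with Principal "*" but a Condition (for example on aws:SourceVpce) is not reported, because the condition may legitimately confine it, so review such statements by hand rather than treating a clean result as proof.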


Prerequisites:

  • an AWS account
  • the AWS CLI configured with credentials
  • an S3 bucket to audit

Install and run:

npm install -g s3audit
s3audit --bucket=<bucket name>