I attended aws community day south asia and came across a interesting seminar related to S3 Attack and its defense i have shared my learning below
- aws S3 attack/breach Scenarios
- Introduction to threat modeling
- Threat Modeling in S3
- Hands On with S3 audit
S3 attack/breach Scenarios
Scenario 1: Misconfigured S3 Bucket with Customer Data
Scenario 2: github code commited with aws access keys associated with S3 Permissions to customer Bucket
Scenario 3: Attackers encrypting S3 buckets in victim aws account with their own kms keys S3 ransomware Scenarios
Scenario Nth: there could be n Different Such Scenario to tackel
Introduction: Threat modeling
Threat: Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
Core steps for threat modelling:
- Identify assets, actors, entry points, components, use cases, and trust levels, and include these in a design diagram.
Identify a list of threats.
Per threat, identify mitigations, which may include security control implementations.
Create and review a risk matrix to determine if the threat is adequately mitigated.
Threat modeling : S3
- pick one feature of s3 involve in your data flow diagram
- Identify Associated IAM/Bucket Action.
- Create threat list and map it to the Mitter Attack
- Set Security control objective and priorities
- Testing and validation
- Correct Policies and no Public Access
- Least Privilege Access
- Use of IAM Roles to access S3 Buckets
- Enable MFA Delete
- Encryption at Rest
- Encryption at Transit
- Use S3 Object Lock Use S3 Cross Region
- Replication for backups
- Use VPC endpoints for S3 Access
- Identify and Audit all your S3 buckets
- Monitoring S3 Bucket Activity (S3 API calls)
- Enable S3 Server
- Access Logging
- Use AWS Cloudtrail to record S3 Data Events
- Enable AWS Config to simplify auditing for misconfigurations
- Use AWS Macie to protect sensitive info.
- Check Trusted Advisor
s3audit checks your buckets against a number of good practices to provide clear, actionable insights into the health of your configurations. These checks include:
- Does a public access configuration exist to block public access of the bucket and objects?
- Do bucket ACLs or policies allow public access?
- Is server side encryption enabled by default?
- Is object versioning and MFA delete enabled?
- Is static website hosting disabled?
npm install -g s3audit
s3audit --bucket=<bucket name>