Some days ago I wrote about AWS S3 security concerns, with a post about some tools to find unsecured buckets.
Today I read on InfoSec Island this article by Sanjay Kalra, focused precisely on S3 security, with a useful security checklist.

Sanjay explains that a customer moving from a traditional enterprise can often easily misread the meaning of the S3 access groups:

For traditional enterprises the concept of a “user” typically means a member of the enterprise. In AWS the definition of user is different. On an AWS account, the “Everyone” group includes all users (literally anyone on the internet) and “AWS Authenticated User” means any user with an AWS account. From a data protection perspective, that’s just as bad because anyone on the Internet can open an AWS account.

Here is Sanjay's checklist:

Audit for Open Buckets Regularly
At regular intervals, check for buckets which are open to the world. Malicious users can exploit these open buckets to find objects which have misconfigured ACL permissions and then can access these compromised objects. Please refer to this article for some useful tools.

Encrypt the Data
Enable server-side encryption on AWS, as it will then encrypt the data at rest, i.e. when objects are written, and decrypt it when data is read.

Encrypt the Data in Transit
SSL in transport helps secure data in transit when it is accessed from S3 buckets. Enable Secure Transport in AWS to prevent man-in-the-middle attacks.

Enable Bucket Versioning
Ensure that your AWS S3 buckets have versioning enabled. This will help preserve and recover changed and deleted S3 objects, which can help with ransomware and accidental issues.

Enable MFA Delete
By default, an S3 bucket can be deleted by a user even if he/she does not log in using MFA. It is highly recommended that only users authenticated using MFA have the ability to delete buckets. Using MFA to protect against accidental or intentional deletion of objects in S3 buckets will add an extra layer of security.

Enable Logging
If an S3 bucket has the Server Access Logging feature enabled, you will be able to track every request made to access the bucket. This gives users the ability to monitor activity, detect anomalies and protect against unauthorized access.

Monitor all S3 Policy Changes
AWS CloudTrail provides logs for all changes to S3 policy. The auditing of policies and checking for public buckets help - but instead of waiting for regular audits, any change to the policy of existing buckets should be monitored in real time.

Track Applications Accessing S3
In one attack vector, hackers create an S3 bucket in their account and send data from your account to their bucket. This reveals a limitation of network-centric security in the cloud: traffic needs to be permitted to S3, which is classified as an essential service. To prevent that scenario, you should have IDS capabilities at the application layer and track all the applications in your environment accessing S3. The system should alert if a new application or user starts accessing your S3 buckets.

Limit Access to S3 Buckets
Ensure that your AWS S3 buckets are configured to allow access only to specific IP addresses and authorized accounts in order to protect against unauthorized access.

Close Buckets in Real time
Even a few moments of public exposure of an S3 bucket can be risky, as it can result in leakage. S3 supports tags, which allow users to label buckets. Using these tags, administrators can label buckets which need to be public with a tag called “Public”. CloudTrail will alert when the policy changes on a bucket and it becomes public without having the right tag. Users can use Lambda functions to change the permissions in real time to correct the policies on anomalous or malicious activity.
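As an added example (not code from Sanjay's article or from this post), the following Python audit function classifies ACL grants the way the quote above describes, treating the "AWS Authenticated User" group as just as open as "Everyone", and exempts buckets tagged "Public" as in the last checklist item. The ACL dicts are constructed in the shape boto3's `get_bucket_acl()` returns, so the script runs offline; against a real account you would feed it that call's output per bucket.

```python
# Added example: audit S3 bucket ACLs for grants to the two global groups.
# The ACLs below are constructed samples, not real buckets.
from typing import Dict, List, Set

# Grantee URIs that make a bucket world-accessible. Anyone can open an AWS
# account, so AuthenticatedUsers is treated exactly like AllUsers.
EVERYONE = "http://acs.amazonaws.com/groups/global/AllUsers"
ANY_AWS_ACCOUNT = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OPEN_GROUPS = {EVERYONE: "Everyone", ANY_AWS_ACCOUNT: "AWS Authenticated User"}


def open_grants(acl: Dict) -> List[str]:
    """Return one finding per grant given to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not world-open
        label = OPEN_GROUPS.get(grantee.get("URI"))
        if label:
            findings.append(f"{label} has {grant.get('Permission')}")
    return findings


def audit_buckets(acls_by_bucket: Dict[str, Dict], public_tagged: Set[str]) -> Dict[str, List[str]]:
    """Report open buckets that are not deliberately tagged 'Public'."""
    report = {}
    for name, acl in acls_by_bucket.items():
        findings = open_grants(acl)
        if findings and name not in public_tagged:
            report[name] = findings
    return report


# Constructed sample ACLs in the shape boto3's get_bucket_acl() returns.
OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
SAMPLE_ACLS = {
    "backups": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ANY_AWS_ACCOUNT}, "Permission": "READ"},
    ]},
    "website-assets": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": EVERYONE}, "Permission": "READ"},
    ]},
    "private-logs": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    # "website-assets" is intentionally public and carries the tag, so only
    # "backups" (readable by any AWS account) is reported.
    for bucket, findings in audit_buckets(SAMPLE_ACLS, {"website-assets"}).items():
        print(f"{bucket}: {'; '.join(findings)}")
```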


References and further readings