“Previously available only to Business and Enterprise support customers, [the S3 bucket permissions check] identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user”, said AWS.
This check is delivered through AWS Trusted Advisor, an online AWS tool that inspects a customer's AWS environment and recommends ways to improve system performance and reliability, optimize costs, and close security gaps.
AWS offers seven core security checks free of charge, and the S3 bucket permissions check is now one of them. It examines bucket policies and bucket access control lists (ACLs) to identify publicly accessible buckets.
“There are two ways that S3 buckets can be made publicly accessible: through bucket policies and ACLs,” the company explains.
“Bucket permissions check does not check object ACLs, which can allow everyone in the world or any authenticated AWS user to access the object and its permissions. An object can also be publicly accessible through the object’s ACLs. When an object is publicly accessible through the READ ACL, it allows access to the contents of the object. With READ_ACP and WRITE_ACP ACLs, grantees can also read and modify the object ACLs respectively.”
“Bucket permissions check makes it easier to identify S3 buckets that provide public read and write access. You can also view whether the source for the public access is a bucket policy, a bucket ACL, or both. If you change a bucket policy or a bucket ACL, the Amazon S3 console analyzes them in real time and alerts you if those changes enable public read and write access on the bucket.”
The check reports each bucket with one of the following statuses:
- Public – Publicly accessible by either everyone in the world or by any authenticated AWS user.
- Not public – The bucket is not publicly accessible but objects in it might be due to object ACLs.
- Access denied – Customer is locked out of the bucket.
- Error – Means that a service-related error occurred.
- Undetermined – Amazon S3 can’t determine whether the bucket is publicly accessible.
The list can be filtered so that the customer can see more specific access information, i.e., which buckets grant Read and/or Write access and the source of that access (an ACL, a bucket policy, or both).
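To make the two sources of public access concrete, here is a small Python classifier added for this article (it is not AWS code and not Trusted Advisor's own logic): it takes a bucket ACL in the shape the S3 API returns and a bucket policy document, and reports the status, the read/write access, and the source the way the article describes. The sample ACL, policy, bucket name and owner ID are constructed; treating a statement with a Condition block as "Undetermined" is a simplification made for this example, not documented AWS behaviour.

```python
import json

# The two S3 predefined groups whose grants make a bucket public: everyone in
# the world, and any authenticated AWS account (the two cases the article names).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def acl_public_access(acl):
    """Return the subset of {'read', 'write'} a bucket ACL grants to a public group."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUP_URIS:
            continue
        permission = grant.get("Permission")
        if permission in READ_PERMISSIONS:
            found.add("read")
        if permission in WRITE_PERMISSIONS:
            found.add("write")
    return found


def _principal_is_public(principal):
    """True for Principal "*", {"AWS": "*"}, or a "*" entry in an AWS principal list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_public_access(policy_json):
    """Return (access set, undetermined flag) for a bucket policy document.

    Allow statements to a public principal count as public read/write according
    to their actions. A public Allow that carries a Condition block is not
    evaluated here and only raises the 'undetermined' flag (example simplification).
    """
    found, undetermined = set(), False
    if not policy_json:
        return found, undetermined
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            undetermined = True
            continue
        for action in _as_list(stmt.get("Action")):
            a = action.lower()
            if a in ("*", "s3:*") or a.startswith("s3:get") or a == "s3:listbucket":
                found.add("read")
            if a in ("*", "s3:*") or a.startswith("s3:put") or a.startswith("s3:delete"):
                found.add("write")
    return found, undetermined


def classify_bucket(acl, policy_json):
    """Combine ACL and policy findings into a console-style status plus its source(s)."""
    acl_access = acl_public_access(acl)
    policy_access, undetermined = policy_public_access(policy_json)
    sources = []
    if acl_access:
        sources.append("ACL")
    if policy_access:
        sources.append("Bucket policy")
    public = acl_access | policy_access
    if sources:
        status = "Public"
    elif undetermined:
        status = "Undetermined"
    else:
        status = "Not public"
    return {"status": status, "read": "read" in public, "write": "write" in public, "sources": sources}


# Constructed sample inputs (not real buckets): a public-read ACL grant plus a
# bucket policy that lets anyone upload objects.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    print(json.dumps(classify_bucket(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Run against the sample data it reports the bucket as Public with both Read and Write access, sourced from both the ACL and the bucket policy. Like the AWS check described in the article, it looks only at bucket-level ACLs and policies; an object made public through its own object ACL would still show as "Not public" here.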