what seemed to be an obvious configuration mistake, two primary reasons surfaced:
1. Too Much Flexibility (Too Many Options) Turns into Easy Mistakes
There are five different ways to configure and manage access to S3 buckets.
More ways to configure means more flexibility, but also a higher chance of making a mistake. The other challenge is that there are two separate policy layers, one for buckets and one for the objects within them, which makes things more complex.
2. A “User” in AWS is Different from a “User” in your Traditional Datacenter
On an AWS account, the “Everyone” group includes all users (literally anyone on the internet), and “AWS Authenticated User” means any user with an AWS account, not only users of your own account.
S3 Security Checklist
- Audit for Open Buckets Regularly
- Encrypt the Data
- Encrypt the Data in Transit
- Enable Bucket Versioning
- Enable MFA Delete
- Enable Logging
- Monitor all S3 Policy Changes
- Track Applications Accessing S3
- Limit Access to S3 Buckets
- Close Buckets in Real time
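A small audit routine that applies the first checklist item to the two groups described above, written as an added example (not code from the linked article). It assumes the dictionary shape that boto3's get_bucket_acl and get_bucket_policy return; the two group URIs are AWS's own identifiers for "Everyone" and "AWS Authenticated Users", and the ACL and policy samples are constructed.

```python
import json

# Pre-defined S3 group URIs as they appear in ACL grants (AWS's real identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Everyone": anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account, not just yours
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "AWS Authenticated Users"}


def acl_findings(acl):
    """Return (group, permission) pairs for every ACL grant to a global group.
    `acl` has the shape of a get_bucket_acl()/get_object_acl() response (assumed)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def policy_findings(policy_json):
    """Return the action list of every Allow statement whose principal is a wildcard."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": ["*", ...]}
            principal = principal.get("AWS", "")
        if principal == "*" or (isinstance(principal, list) and "*" in principal):
            actions = stmt.get("Action", [])
            findings.append(actions if isinstance(actions, list) else [actions])
    return findings


# Constructed sample: owner keeps FULL_CONTROL, Everyone can READ, any AWS account can WRITE.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed sample: a bucket policy that makes every object world-readable.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for who, perm in acl_findings(SAMPLE_ACL):
        print(f"ACL grants {perm} to {who}")
    for actions in policy_findings(SAMPLE_POLICY):
        print("Policy allows", ", ".join(actions), "to any principal")
```

Run against the ACL and policy of each bucket in an account, this check surfaces the "Everyone" and "AWS Authenticated Users" grants that are easy to add by mistake across the five configuration paths.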
http://infosecisland.com/blogview/25056-Avoiding-Holes-in-Your-AWS-Buckets.html