Top 16 AWS S3 Misconfigurations To Avoid in 2021

Amazon S3 (Amazon Simple Storage Service) is an object storage service. It is the most popular public cloud storage service, offering data availability, security, and performance, and it is used by both small and large businesses. Because so much data lives in S3, it is a natural place to begin when you automatically monitor all your AWS resources for security issues and potential exposure. Many online tools can find the S3 buckets behind a website.

Here are a few AWS S3 misconfigurations that you can avoid in 2021.

  • Access Logging Enabled

The first misconfiguration in AWS S3 is not having S3 bucket access logging enabled on the CloudTrail S3 bucket. It is crucial to check that S3 bucket access logging is enabled on the CloudTrail S3 bucket, since without it you have no record of who read or changed your audit trail. Furthermore, taking care of this misconfiguration helps you comply with the following compliance standards: CIS, SOC2, PCI, HIPAA, APRA, MAS, GDPR, and NIST.

  • S3 Buckets Public Access Block

To avoid this misconfiguration, ensure that the S3 bucket used to store CloudTrail logs is not publicly accessible. Monitoring the use of information system accounts provides better security.

  • S3 Bucket Default Encryption

Ensure that your S3 buckets have default encryption (SSE) enabled, or that they use a bucket policy to enforce it. Having this configuration improves your security posture. It is also one step closer to being PCI, HIPAA, GDPR, MAS, NIST, and APRA compliant.

  • S3 HTTPS Only

Another misconfiguration is an S3 bucket without a secure transport policy, that is, one that still accepts plain HTTP requests. Having S3 buckets with a secure transport policy can help you achieve PCI, SOC2, APRA, MAS, HIPAA, and NIST compliance.
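The two bucket-policy controls above (enforcing SSE on uploads and refusing non-TLS requests) as an added example, not code from the original post. The bucket name is a constructed placeholder; the two checker functions audit any policy document in the shape returned by `get_bucket_policy`.

```python
import json

# Constructed placeholder bucket name; not a real resource.
BUCKET = "example-bucket-placeholder"

def hardened_bucket_policy(bucket: str) -> dict:
    """Deny any request not sent over TLS, and deny PutObject calls that do not
    request server-side encryption. Deny statements win over any Allow."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _deny_with(policy: dict, action: str, cond_op: str, key: str, value: str) -> bool:
    """True if some Deny statement covers `action` (or all S3 actions) and
    carries the given condition operator/key/value."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {}).get(cond_op, {})
        if (action in actions or "s3:*" in actions or "*" in actions) \
                and str(cond.get(key, "")).lower() == value:
            return True
    return False

def enforces_tls(policy: dict) -> bool:
    """Secure transport check: a Deny on all S3 actions when aws:SecureTransport is false."""
    return _deny_with(policy, "s3:*", "Bool", "aws:SecureTransport", "false")

def enforces_sse_on_upload(policy: dict) -> bool:
    """Encryption-by-policy check: a Deny on PutObject when the SSE header is missing."""
    return _deny_with(policy, "s3:PutObject", "Null", "s3:x-amz-server-side-encryption", "true")

if __name__ == "__main__":
    print(json.dumps(hardened_bucket_policy(BUCKET), indent=2))
```

A bucket with default encryption enabled still benefits from the PutObject Deny, because it also rejects clients that explicitly request a weaker or different encryption setting only when you extend the condition; as written it only catches uploads that send no SSE header at all.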

  • S3 Does Not Allow Public Writes

Avoid this misconfiguration by checking whether any S3 bucket has a policy that allows public WRITE access. S3 buckets with policies that allow public WRITE access violate the PCI, APRA, MAS, and NIST compliance standards.

  • S3 Bucket Authenticated Users WRITE Access

Building on the above misconfiguration, another very common misconfiguration is allowing WRITE access to AWS authenticated users. You must ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs. 

  • S3 Bucket Public Access Via Policy

S3 bucket policies should not allow all actions for all principals. Ensure that your S3 buckets do not allow public access via bucket policies. This helps you comply with the PCI, CBP, GDPR, APRA, MAS, and NIST compliance standards.
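An added example (not from the original post) that audits a bucket policy document for the two policy misconfigurations above: public WRITE via policy, and all actions for all principals. The sample policy is constructed; the account id and bucket name in it are placeholders.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def principal_is_public(principal) -> bool:
    """A Principal of "*" or {"AWS": "*"} means everyone, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_policy_findings(policy: dict) -> list:
    """Return (category, Sid) for each Allow statement open to everyone:
    'public-all-actions' (all actions for all principals), 'public-write',
    'public-read', or 'public-conditional' when a Condition narrows the grant
    and needs a human look. NotPrincipal/NotAction statements invert matching
    and are reported as 'needs-review' rather than guessed at."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append(("needs-review", sid))
            continue
        if not principal_is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            findings.append(("public-conditional", sid))
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & {"*", "s3:*"}:
            findings.append(("public-all-actions", sid))
        elif any(a.startswith(("s3:put", "s3:delete")) for a in actions):
            findings.append(("public-write", sid))  # also catches wildcards such as s3:Put*
        elif any(a.startswith(("s3:get", "s3:list")) for a in actions):
            findings.append(("public-read", sid))
    return findings

# Constructed sample: a static-website read grant plus a far too broad statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadForWebsite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-placeholder/*"},
        {"Sid": "EveryoneCanDoAnything", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-site-placeholder"},
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-site-placeholder/*"},
    ],
}
```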

  • S3 Bucket Public FULL CONTROL Access

IAM policies should not allow broad list actions on S3 buckets. Ensuring that your AWS S3 buckets are not publicly exposed to the internet protects you from this misconfiguration. The compliance standards that require you to get rid of it are PCI, CBP, APRA, MAS, and NIST.

  • S3 Bucket Authenticated Users FULL CONTROL Access

IAM policies should not allow broad list actions on S3 buckets. Ensure that your S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs. The compliance standards that require you to get rid of this misconfiguration are PCI, CBP, APRA, MAS, and NIST.

  • S3 Bucket Public READ Access

Allowing public READ access to AWS S3 buckets is a misconfiguration. Make sure that your S3 buckets do not allow public READ access. PCI, GDPR, APRA, MAS, and NIST require you not to have such a misconfiguration.

  • S3 Bucket Authenticated Users READ Access

Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs. The compliance standards that require this are PCI, APRA, MAS, and NIST.

  • S3 Bucket Public READ ACP Access

By ensuring your S3 buckets do not allow public READ_ACP access, you protect your organization from this misconfiguration. Furthermore, you can be PCI, APRA, MAS, and NIST compliant by getting rid of it.

  • S3 Bucket Authenticated Users READ ACP Access

Similar to the above misconfiguration, ensure S3 buckets do not allow READ_ACP access to AWS authenticated users through ACLs.

  • S3 Bucket Public WRITE_ACP Access

Another very common misconfiguration is allowing public WRITE_ACP access. You should ensure that AWS S3 buckets do not allow public WRITE_ACP access. That way, you can be PCI, APRA, MAS, and NIST compliant.

  • S3 Bucket Authenticated Users WRITE_ACP Access

Similarly, ensure that your AWS S3 buckets do not allow WRITE_ACP access to AWS authenticated users through ACLs.
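The ten ACL checks above (READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL, each for the public AllUsers group and for the AuthenticatedUsers group) share one audit, shown here as an added example that is not code from the original post. It works on the response shape of boto3's `s3.get_bucket_acl()`; the sample response and its canonical id are constructed.

```python
# Real S3 predefined-group URIs that appear in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

GROUP_LABEL = {ALL_USERS: "public", AUTH_USERS: "authenticated-users"}

def acl_findings(acl: dict) -> list:
    """Return sorted (who, permission) pairs for every grant to AllUsers or
    AuthenticatedUsers. Note that WRITE_ACP or FULL_CONTROL for either group is
    as bad as FULL_CONTROL for everyone: the grantee can rewrite the ACL itself."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = GROUP_LABEL.get(grantee.get("URI"))
        if label:
            findings.append((label, grant.get("Permission")))
    return sorted(findings)

def acl_without_group_grants(acl: dict) -> dict:
    """Remediation input for put_bucket_acl(AccessControlPolicy=...): the same
    Owner, with AllUsers and AuthenticatedUsers grants dropped. A LogDelivery
    WRITE grant is kept, since the access-logging target bucket needs it."""
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("URI") not in GROUP_LABEL],
    }

# Constructed sample response in the shape boto3 returns from get_bucket_acl().
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}
```

Bucket ACLs are only half the picture: object ACLs can grant the same groups access to individual objects, so the same check should be run per object or, better, ACLs disabled at the bucket level in favour of policies.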

  • Server-Side Encryption

Ensure that your AWS S3 buckets enforce Server-Side Encryption (SSE). This will help you achieve PCI, SOC2, HIPAA, GDPR, APRA, MAS, and NIST compliance.

Conclusion

AWS provides many best practices, and they should be implemented to ensure proper access control and authentication. The easier it is to create S3 buckets, the easier it is to make mistakes that lead to security threats and end up exposing all your data to the internet. By following these simple steps, you can protect your company from these misconfigurations.

Cloudanix provides you with a recipe of best practices for S3 that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What's more? You can sign up for a free trial here today!