A-S3-1

S3 Bucket Does Not Enforce Ownership Controls

Risk:
High

AWS S3 Buckets should enforce the transfer of ownership for objects upon upload.


Details

AWS S3 is one of Amazon’s oldest services and carries several legacy design patterns that have been kept for compatibility and that distinguish S3 from more isolated AWS services. Although S3 operates within the strict IAM policies and access controls of the broader Amazon Web Services (AWS) ecosystem, it exhibits some characteristics more typical of an online data-hosting platform than of an enterprise cloud service.

One such characteristic is that both authenticated users and anonymous users can upload data to buckets owned by AWS customers without ownership of those objects being transferred to the bucket owner. This effectively turns the bucket into a hosting hub: uploaders keep ownership of their own objects, while the bucket owner is left without ownership rights over that data.

This configuration does not match most use cases: in most legal and data-handling contexts, the bucket owner is considered liable for the management and custody of data stored in cloud resources. Since a bucket is the logical container used to isolate data, there are very few scenarios in which an enterprise would want to own the bucket but not have complete access to, and ownership of, the data within it. In most situations the bucket owner is liable for the data, so it is prudent to ensure that the data is technically owned by them as well.

To address this issue, AWS provides controls that enforce the transfer of ownership of any object uploaded to a bucket to the bucket owner; these cover both objects that already exist in the bucket and mandatory ownership transfer on upload.

Remediation

We recommend configuring every bucket so that ownership of all uploaded objects is transferred to the bucket owner. This guarantees that you gain full technical ownership of any data that finds its way into your buckets. This straightforward setting can be applied directly to each bucket and can typically be enforced as a bucket policy or as an overarching account or organisation control for all buckets. It requires setting Object Ownership to ACLs disabled with Bucket Owner Enforced. Doing so applies bucket-owner ownership to all new and previously existing objects in that bucket, giving you technical ownership of the objects.

With the number of S3 buckets configured across AWS, the only sensible way to detect and manage this setting is automated scanning and testing. SkySiege Cloud Assessments provide this data to you the same day and give you a single list of all buckets failing this check.
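As an added illustration of both the check and the remediation described above (this is not SkySiege's code or the page's own), the following Python script uses the boto3 S3 API calls GetBucketOwnershipControls and PutBucketOwnershipControls. A bucket passes only when its Object Ownership is BucketOwnerEnforced, the setting that disables ACLs; a bucket with no ownership controls configured at all is treated as the legacy ObjectWriter behaviour. The `_FakeS3` client and its three bucket names are constructed stand-ins so the script runs offline; against a real account the same functions are given `boto3.client("s3")`.

```python
"""Audit S3 buckets for Object Ownership and optionally enforce BucketOwnerEnforced.

Added example: the audit/remediation functions take any object exposing the
boto3 S3 client methods list_buckets, get_bucket_ownership_controls and
put_bucket_ownership_controls, so they run against a constructed fake below
or against a real boto3 client.
"""

REQUIRED_MODE = "BucketOwnerEnforced"   # the only mode that disables ACLs outright
LEGACY_MODE = "ObjectWriter"            # behaviour of a bucket with no controls configured


def _error_code(exc):
    """Return the AWS error code carried by a botocore ClientError (or look-alike)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def bucket_ownership(client, bucket):
    """Return the ObjectOwnership mode of one bucket.

    AWS answers OwnershipControlsNotFoundError when nothing has ever been set;
    such a bucket still accepts uploader-owned objects, so report it as ObjectWriter.
    """
    try:
        resp = client.get_bucket_ownership_controls(Bucket=bucket)
    except Exception as exc:
        if _error_code(exc) == "OwnershipControlsNotFoundError":
            return LEGACY_MODE
        raise
    return resp["OwnershipControls"]["Rules"][0]["ObjectOwnership"]


def audit_buckets(client):
    """List (bucket, mode) for every bucket whose mode is not BucketOwnerEnforced."""
    failing = []
    for entry in client.list_buckets()["Buckets"]:
        name = entry["Name"]
        mode = bucket_ownership(client, name)
        if mode != REQUIRED_MODE:
            failing.append((name, mode))
    return failing


def enforce_bucket_owner(client, bucket):
    """Set Object Ownership to BucketOwnerEnforced (ACLs disabled) on one bucket."""
    client.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": REQUIRED_MODE}]},
    )


class _FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError closely enough for _error_code()."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class _FakeS3:
    """Constructed stand-in for boto3's S3 client; bucket names are invented."""

    def __init__(self):
        # None models a bucket that has never had ownership controls configured.
        self.state = {
            "legacy-uploads": None,
            "shared-drop": "BucketOwnerPreferred",
            "prod-assets": "BucketOwnerEnforced",
        }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.state]}

    def get_bucket_ownership_controls(self, Bucket):
        mode = self.state[Bucket]
        if mode is None:
            raise _FakeClientError("OwnershipControlsNotFoundError")
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": mode}]}}

    def put_bucket_ownership_controls(self, Bucket, OwnershipControls):
        self.state[Bucket] = OwnershipControls["Rules"][0]["ObjectOwnership"]


def demo():
    """Run the audit on the fake account, fix the failures, and re-audit."""
    client = _FakeS3()
    before = audit_buckets(client)
    for name, _ in before:
        enforce_bucket_owner(client, name)
    after = audit_buckets(client)
    return before, after


if __name__ == "__main__":
    import sys
    if "--aws" in sys.argv:           # real account: requires boto3 and credentials
        import boto3
        for name, mode in audit_buckets(boto3.client("s3")):
            print(f"FAIL {name}: ObjectOwnership={mode}")
    else:
        before, after = demo()
        print("failing before:", before)
        print("failing after: ", after)
```

Against a real account, run the audit first and review each failing bucket before calling `enforce_bucket_owner`: a bucket ACL that grants access outside the account, or a bucket policy that depends on ACL conditions, must be replaced with equivalent policy statements before the switch, otherwise the PutBucketOwnershipControls call is rejected or existing cross-account access silently breaks.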

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.