AWS S3 buckets allow unencrypted uploads, which need to be blocked via a bucket policy
Amazon S3 is one of the oldest AWS services and has retained functionality to accommodate older software. This includes accepting data uploads over unencrypted HTTP, which was common before the widespread adoption of TLS (Transport Layer Security). Whilst this allows older software to upload to S3, it comes with real security concerns: every byte of an unencrypted upload is readable, and modifiable, by any system on the traffic's network path.
It is essential to implement a policy that explicitly denies uploading to S3 over insecure connections, to protect both the uploaded data and the uploader. Over an insecure connection all data is transmitted in plaintext, including the request headers that identify the uploader and client (the access key ID carried in the request signature, the User-Agent and any user-defined object metadata). This exposes not only the content but also identifying information about the uploader to any system with access to the raw traffic, such as ISPs, corporate networks, local networks and others, and it lets an on-path attacker alter the object before it reaches S3.
Even if the uploaded data is intended to be made publicly accessible, unencrypted transmission unnecessarily exposes sensitive information during the upload. As S3 accepts encrypted traffic and almost every client is capable of encrypted connections, there is no reason to allow unencrypted uploads. Blocking them ensures that the request details are not discernible to anyone other than the S3 service and the user uploading the content.
Ensure that every bucket's policy contains a statement with Effect Deny that applies to upload actions (s3:PutObject, or s3:* as AWS's own guidance recommends) with the condition that aws:SecureTransport equals false. The statement's Resource must name both the bucket ARN and the objects under it (arn:aws:s3:::bucket and arn:aws:s3:::bucket/*); listing only the bucket ARN leaves object uploads uncovered. This statement needs to be present in every bucket policy across all buckets, and a bucket with no policy at all still accepts plaintext uploads. Before enforcing it, confirm that no legitimate client still relies on plain HTTP, because its uploads will start failing with 403 AccessDenied once the statement is in place.
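The check and the fix above, as an added example that is not SkySiege's or AWS's own code: it evaluates a bucket policy document (the same JSON grammar you would pass to put-bucket-policy) to decide whether plaintext uploads are already denied, and appends the deny statement when they are not. The bucket name, statement id and sample policies are constructed for illustration; fetching and writing the real policy with boto3's get_bucket_policy and put_bucket_policy is left to the caller so the example runs offline.

```python
"""Check and repair S3 bucket policies that still accept uploads over plain HTTP.

Added example (not SkySiege's or AWS's code); works purely on policy dicts, so it
runs offline. Wire get_bucket_policy / put_bucket_policy around it yourself.
"""
import json
import re

STATEMENT_ID = "DenyInsecureTransport"   # hypothetical Sid, any name will do


def deny_insecure_transport_statement(bucket):
    """Deny every S3 action on the bucket and its objects unless the request
    came in over TLS (the aws:SecureTransport key is then "true")."""
    return {
        "Sid": STATEMENT_ID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(patterns, value, fold_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if fold_case else (pattern, value)
        regex = "^" + re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, v):
            return True
    return False


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_is_plaintext_only(condition):
    """The deny must hinge on aws:SecureTransport alone; any extra condition
    key narrows it, so some plaintext requests would still get through."""
    if not isinstance(condition, dict) or list(condition) != ["Bool"]:
        return False
    keys = {k.lower(): _as_list(v) for k, v in condition["Bool"].items()}
    if list(keys) != ["aws:securetransport"]:
        return False
    return [str(v).lower() for v in keys["aws:securetransport"]] == ["false"]


def blocks_insecure_upload(policy, bucket):
    """True if some statement denies s3:PutObject on every object in `bucket`
    for every principal whenever the request is not over TLS."""
    sample_object = f"arn:aws:s3:::{bucket}/any-key"   # stand-in for an object ARN
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _covers(stmt.get("Action", []), "s3:PutObject", fold_case=True):
            continue
        if not _covers(stmt.get("Resource", []), sample_object):
            continue
        if _condition_is_plaintext_only(stmt.get("Condition")):
            return True
    return False


def with_insecure_transport_denied(policy, bucket):
    """Return the policy unchanged if it already blocks plaintext uploads,
    otherwise a copy with the deny statement appended after the existing ones."""
    if blocks_insecure_upload(policy, bucket):
        return policy
    fixed = dict(policy or {})
    fixed.setdefault("Version", "2012-10-17")
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        deny_insecure_transport_statement(bucket)]
    return fixed


# Constructed sample policies for the hypothetical bucket "example-bucket".
BUCKET = "example-bucket"
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{      # no transport rule at all
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
BUCKET_ARN_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")   # objects uncovered
HARDENED = {"Version": "2012-10-17",
            "Statement": [deny_insecure_transport_statement(BUCKET)]}

if __name__ == "__main__":
    for name, policy in [("no policy", None), ("public read", PUBLIC_READ),
                         ("bucket ARN only", BUCKET_ARN_ONLY), ("hardened", HARDENED)]:
        print(f"{name:16} blocks plaintext uploads: {blocks_insecure_upload(policy, BUCKET)}")
    print(json.dumps(with_insecure_transport_denied(PUBLIC_READ, BUCKET), indent=2))
```

The BUCKET_ARN_ONLY sample is the mistake worth remembering: an object upload is authorised against arn:aws:s3:::example-bucket/<key>, so a deny that names only the bucket ARN never matches it, and the scanner correctly reports that bucket as still accepting plaintext uploads. The matcher is deliberately strict, treating NotAction, NotResource, scoped principals and extra condition keys as not proving the deny, since a scanner should err on the side of flagging a bucket.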
SkySiege provides this policy as part of its Cloud Assessments, so that any buckets detected accepting insecure uploads can be configured quickly. SkySiege Cloud Assessments also list every bucket found to accept insecure uploads, allowing you to move straight to fixes without having to investigate and discover which buckets are affected.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.