AWS S3 offers Public Access Blocks to override bucket configuration changes that would leak data. Enabling all Public Access Blocks should be a standard policy for every bucket.
The AWS S3 service is an internet-accessible storage service that holds data in S3 buckets, each individually configured with its own access and security settings for the data it contains. Because S3 is an internet-accessible storage service, data stored in it is by its nature reachable over the internet, with configuration being the only means of controlling access rights to that data.
As with anything internet-accessible, unauthorised access to data hosted in S3 has been relatively common, with organisations large and small leaving their data reachable over the internet without authentication or authorisation controls.
Because misconfigured S3 permissions have frequently led to unauthorised access to data, AWS provides an additional layer of protection in the form of Public Access Blocks, which act as overriding controls that prevent public access to data regardless of how permissions are configured elsewhere. This forces AWS account holders to take multiple deliberate steps before data in their S3 buckets can become publicly accessible.
In most professional scenarios, there’s no reason to allow direct internet access to your data hosted on S3. Instead, it’s better to provide access through an intermediary service, like CloudFront or a dedicated application, which can act as a controlled access point. This approach offers greater control and protection against unauthorised use above and beyond what the S3 service itself provides. Blocking public access is therefore a fundamental part of a default policy for all buckets.
Ensure that all your S3 buckets have Public Access Blocks configured correctly. In total there are four Public Access Blocks:
BlockPublicAcls
- Causes all future uploads where objects are marked as publicly accessible to fail. This prevents new data objects from being made explicitly public.
IgnorePublicAcls
- Causes the AWS S3 service to ignore any existing ACLs that mark objects as publicly accessible. With this setting, public access to objects that carry explicit permissions making them public is blocked.
BlockPublicPolicy
- Instructs the S3 service to block changes to the bucket policy that would allow objects in the bucket to become public.
RestrictPublicBuckets
- Restricts access to a bucket by replacing public access with access limited exclusively to users within the account. This serves as a final safeguard: if every other access control fails, only authorised IAM entities within your AWS account retain access, so permissions never extend beyond those entities.

SkySiege’s Cloud Assessments evaluate both the configuration of bucket policies and the overall Public Access Blocks, providing a clear picture of your data’s public exposure.
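The following script is an added example for this article, not SkySiege’s or AWS’s own code. It evaluates a bucket’s PublicAccessBlockConfiguration against the four settings listed above, treating a missing configuration (which AWS reports as the NoSuchPublicAccessBlockConfiguration error) as all four being off, and can apply the full block to any bucket that falls short. The evaluation logic runs offline against constructed sample responses; the live helpers assume boto3 is installed and that the caller’s credentials allow s3:ListAllMyBuckets, s3:GetBucketPublicAccessBlock and s3:PutBucketPublicAccessBlock.

```python
"""Audit S3 Public Access Block settings and optionally enforce all four.

Added example; the live paths assume boto3 is installed and import it lazily
so the offline evaluation logic can be used without AWS access.
"""
from __future__ import annotations

from typing import Optional

# The four settings described above; a bucket is only protected when every one is True.
REQUIRED_BLOCKS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Configuration enabling all four blocks, as passed to PutPublicAccessBlock.
FULL_BLOCK = {name: True for name in REQUIRED_BLOCKS}


def missing_blocks(config: Optional[dict]) -> list[str]:
    """Return the names of the settings that are not enabled.

    `config` is the PublicAccessBlockConfiguration dict returned by
    GetPublicAccessBlock, or None when the bucket has no configuration at all
    (AWS treats a missing configuration as all four settings being off).
    """
    if config is None:
        return list(REQUIRED_BLOCKS)
    # `is not True` so a missing key or a string such as "true" counts as off.
    return [name for name in REQUIRED_BLOCKS if config.get(name) is not True]


def is_fully_blocked(config: Optional[dict]) -> bool:
    return not missing_blocks(config)


def audit(configs: dict[str, Optional[dict]]) -> dict[str, list[str]]:
    """Map each bucket name to the blocks it is missing (empty list = compliant)."""
    return {bucket: missing_blocks(cfg) for bucket, cfg in configs.items()}


# Constructed sample responses standing in for GetPublicAccessBlock results.
SAMPLE_CONFIGS: dict[str, Optional[dict]] = {
    "good-bucket": {name: True for name in REQUIRED_BLOCKS},
    "acl-only-bucket": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "legacy-bucket": None,  # no configuration set at all
}


def fetch_public_access_block(s3, bucket: str) -> Optional[dict]:
    """Live lookup: the bucket's configuration, or None if it has none."""
    from botocore.exceptions import ClientError  # ships with boto3

    try:
        resp = s3.get_public_access_block(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]


def audit_account(enforce: bool = False) -> dict[str, list[str]]:
    """Live audit of every bucket in the account; enforce=True applies all four blocks."""
    import boto3  # assumed installed; credentials from the usual boto3 chain

    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    report = audit({name: fetch_public_access_block(s3, name) for name in names})
    if enforce:
        for bucket, missing in report.items():
            if missing:
                s3.put_public_access_block(
                    Bucket=bucket, PublicAccessBlockConfiguration=FULL_BLOCK
                )
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_account() for a live run.
    for bucket, missing in audit(SAMPLE_CONFIGS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{bucket:18s} {status}")
```

Run it with no arguments to see the offline report; `audit_account(enforce=True)` performs the live fix. Because `put_public_access_block` replaces the whole configuration, always pass all four settings rather than only the missing ones. The account-level Public Access Block (set through the S3 Control API) is a complementary backstop that applies to every bucket in the account, and is worth enabling alongside the per-bucket settings.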
Additionally, SkySiege for Organisations offers automated remediation features that can quickly identify and apply the necessary fixes to all affected buckets within your organisation. This includes default bucket policies that bring your buckets’ security up to the standards we apply in financial services.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.