A-S3-8

S3 Bucket Policy Allows Public Access

Risk:
High

AWS S3 Bucket Policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation.


Details

AWS S3 is an internet-accessible data storage service that hosts your data in Amazon’s data centers. Because the service is reachable from the internet, your data must be made accessible for upload and download through AWS’ APIs, which means protecting it depends on suitable configuration and access management.

To manage and protect the integrity and security of your data, AWS S3 provides several controls with the AWS S3 Bucket Policy being the central control mechanism. The Bucket Policy allows you to have fine-grained control over various aspects of how your data is transmitted, stored and accessed via the S3 service.

One important feature of an AWS S3 Bucket Policy is providing control over which data is publicly accessible. Publicly accessible means that anyone can request data from the bucket and the AWS S3 service will provide the data without requiring authentication or authorisation. All it takes is a web request to the S3 APIs, S3 website endpoints, or S3 URL locations to retrieve that data. To prevent this, buckets should be configured to block public access to data. If data is meant to be accessible it should be made so via an intermediary service such as CloudFront or a dedicated application which can manage access to your objects and provide protection from malicious requests and general traffic control.

Remediations

Determine an appropriate bucket policy as a standard which should be applied to all buckets. This can include statements which deny access to the bucket unless the caller is an authenticated identity within that bucket’s AWS account. You can also include requirements such as that all uploads to the bucket must happen over encrypted connections, alongside other core requirements.

Once a standard policy is determined, ensure all your buckets have this policy applied. It’s entirely possible for an S3 bucket to have no policy at all, so you’ll need to check every bucket and apply your standard policy wherever it is missing.
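An added example (not SkySiege’s code) of the two remediation steps above: a small offline check that flags the public-access pattern in a bucket policy document, and a builder for the kind of deny-by-default standard policy described, using the real condition keys aws:PrincipalAccount and aws:SecureTransport. The account id, bucket name and sample policy are constructed placeholders.

```python
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder account id
BUCKET = "example-bucket"    # constructed placeholder bucket name

def _as_list(value):
    # Policy fields may be a single string/object or a list of them.
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when a statement's Principal grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy):
    """Sids of unconditioned Allow statements granting to the anonymous principal.
    A conditioned Allow to "*" may be scoped and is left for manual review."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and is_public_principal(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]

# Constructed sample of the weak pattern this page warns about.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def standard_policy(bucket, account_id):
    """Deny-by-default baseline: deny every principal outside the bucket's own
    account, and deny uploads not sent over TLS. In IAM evaluation an explicit
    Deny overrides any Allow, so these hold even if an Allow is added later."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideAccount", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    print("public statements in weak policy:", public_statements(WEAK_POLICY))
    print(json.dumps(standard_policy(BUCKET, ACCOUNT_ID), indent=2))
```

Anonymous requests carry no aws:PrincipalAccount key, and StringNotEquals on a missing key matches, so the first Deny also covers unauthenticated callers; pair the policy with S3 Block Public Access rather than relying on the policy alone.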

Determining a standard Bucket Policy depends on your organisation’s obligations and requirements. These can stem from your legal obligations, regulatory requirements and the cybersecurity requirements set by your insurer. Your organisation’s security posture needs to be assessed and reflected in the standard policy.

SkySiege Customers

SkySiege Cloud Assessments automatically determine whether a Bucket Policy allows public access and provide a full inventory of all buckets which are publicly accessible.

SkySiege for Organisations also includes a standard Bucket Policy which has been used in regulatory environments within financial services as a standard policy. This policy provides the highest baseline standard and comes with the capability to automatically deploy to all buckets within your organisation.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.