A-S3-9

S3 Bucket Has No Public Access Protections

Risk:
Critical

AWS S3 buckets that have neither the full set of Public Access Blocks nor a Bucket Policy that prevents public access should be treated as hosting publicly accessible data.

Details

Amazon S3 is an internet-accessible data storage service that allows users to store data in the cloud. This data can be made available to applications or other users in a redundant, easily accessible and maintainable manner. However, because S3 is reachable from the internet, the data must be protected through strong configuration settings: there are no built-in network protections to rely on.

The security of your data is entirely dependent on your configuration, including the safeguards you implement against general public access. In AWS S3, public access to data can be blocked through Bucket Policies and by applying Public Access Blocks; a combination of both is ideal.

Having neither a Bucket Policy that blocks public access nor all of the Public Access Blocks can leave your bucket's data open to anyone on the internet. This has been a problem for numerous organisations that have suffered total data breaches due to this missing configuration.

Remediation

The simplest and most effective remediation is to apply Public Access Blocks to all buckets. These blocks take precedence over Bucket Policies and are much less complex to implement and manage.

Once you have implemented Public Access Blocks, you should review your Bucket Policies to ensure they not only block public access explicitly but also appropriately configure bucket access and activity. This includes ensuring that communications occur over encrypted channels and that bucket access aligns with operational requirements, such as obligations in your cybersecurity policies.
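As an added example (not SkySiege's code or AWS tooling), the following Python evaluates the two controls this finding hinges on from the values the S3 API returns: the PublicAccessBlockConfiguration dict from GetPublicAccessBlock (None if unset) and the bucket policy document as a JSON string from GetBucketPolicy (None if absent). The rule used to judge a policy "suitable" (a Deny to everyone that exempts only the owning account or organisation via aws:PrincipalAccount / aws:PrincipalOrgID), the TLS check and the sample inputs are this example's own assumptions.

```python
import json

# The four Public Access Block settings (AWS API field names); all must be True.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
# Condition keys that confine a Deny-to-everyone to the owning account or org.
SCOPING_KEYS = ("aws:PrincipalAccount", "aws:PrincipalOrgID")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statements(policy_json):
    return _as_list(json.loads(policy_json).get("Statement", [])) if policy_json else []

def _principal_is_anyone(principal):
    # "*" and {"AWS": "*"} both match every caller, including anonymous ones.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def has_full_public_access_block(pab):
    # pab: PublicAccessBlockConfiguration dict, or None when none is configured.
    return pab is not None and all(pab.get(k) is True for k in PAB_SETTINGS)

def policy_blocks_public_access(policy_json):
    # Deny to everyone, exempting only the account/org; Deny overrides any Allow.
    for s in _statements(policy_json):
        keys = s.get("Condition", {}).get("StringNotEquals", {})
        if (s.get("Effect") == "Deny" and _principal_is_anyone(s.get("Principal"))
                and any(k in keys for k in SCOPING_KEYS)):
            return True
    return False

def policy_requires_tls(policy_json):
    # A Deny when aws:SecureTransport is false forces encrypted channels.
    return any(s.get("Effect") == "Deny" and str(s.get("Condition", {}).get("Bool", {})
               .get("aws:SecureTransport", "")).lower() == "false"
               for s in _statements(policy_json))

def assess_bucket(pab, policy_json):
    # Finding A-S3-9 fires when neither control prevents public access.
    protected = has_full_public_access_block(pab) or policy_blocks_public_access(policy_json)
    return {"public_exposure": not protected,
            "tls_enforced": policy_requires_tls(policy_json)}

# Constructed sample: partial blocks plus a policy that only enforces TLS -> fails.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

A TLS-only Deny is a different control from a public-access Deny, so `assess_bucket(SAMPLE_PAB, SAMPLE_POLICY)` reports the bucket as exposed even though it enforces encrypted transport.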

SkySiege Customers

SkySiege Cloud Assessments automatically identify buckets that both lack Public Access Blocks and have an unsuitable bucket policy. Any bucket that fails the assessment is added to the report, giving a global list of all buckets potentially containing public data.

Additionally, SkySiege for Organisations customers receive automated fixes for their buckets: single-click deployments that provide immediate data protection. This also includes deployment of a secure standard Bucket Policy used in regulated financial services environments, bringing your organisation up to the highest base standards faster than others.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.