Yes, yes, I'm late to the party, I know. Poorly secured Amazon S3 buckets have been a thing for a while now, but recently there's been a large uptick again as some awesome tools were written to help find these misconfigured buckets. Let's chat a little about the problem at hand and show off some cool tools!
Why all the drama about S3 Buckets?
You mentioned tools...?
- https://github.com/gwen001/s3-buckets-finder (PHP?? Yeah, that's still a thing)
- https://github.com/Ucnt/aws-s3-bruteforce (Python)
- https://github.com/nahamsec/lazys3 (Ruby)
Fixing insecure buckets
Like all of my previous posts, I always try to include a section on remediating the discussed risk. So, let's do just that.
You will need access to your organization's AWS management console and an account with enough permission to administrate your S3 buckets.
- Sign into your AWS management console
- Navigate to Amazon S3 (using search or the option under the millions of services)
- In the bucket listing, ensure none say Public under Access
- For a bucket from which you want to remove public access, click the bucket name, then click the Permissions tab
- Under Public Access, ensure there are no permissions granted (refer to image below)
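The console's Public label comes from two documents you can also pull with the AWS SDK: the bucket ACL and the bucket policy. As an added example (not code from the original post), this offline check evaluates both the way a reviewer would when auditing a bucket listing; the ACL and policy documents at the bottom are constructed samples, and the owner ID and bucket name in them are placeholders.

```python
import json

# Grantee URIs that make an ACL grant readable by anyone, or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions the bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        g.get("Permission")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]

def wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal. A Condition may narrow such
    a statement, but it is still reported so a human reviews it (over-report
    rather than miss a public bucket)."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and wildcard_principal(s.get("Principal"))]

def bucket_is_public(acl, policy=None):
    """Approximate the console's Public flag from the ACL plus an optional policy.
    The policy may be a dict or the JSON string get_bucket_policy returns."""
    if public_acl_grants(acl):
        return True
    if isinstance(policy, str):
        policy = json.loads(policy)
    return bool(policy and public_policy_statements(policy))

# Constructed sample documents, not real buckets.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}
ACL_PRIVATE = {"Grants": [OWNER_GRANT]}
ACL_PUBLIC = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feed it the output of `get_bucket_acl` and `get_bucket_policy` for each bucket in your listing and you get the same Public/not-public answer the console shows, plus the specific grant or statement that caused it.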