S3 Bucket:
Amazon Simple Storage Service (S3) is an AWS service that lets users store data securely. S3 bucket permissions are secure by default, but while configuring permissions and policies it is easy to expose a bucket and its objects publicly.
Access Control Lists (ACLs):
S3 access control lists can be applied at the bucket level as well as at the object level.
1. READ: This allows the user to list the objects in a bucket and to read the contents as well as the metadata of an object.
2. WRITE: This allows the user to create, overwrite, and delete objects in a bucket.
3. READ_ACP: This allows the user to read the bucket and object access control list.
4. WRITE_ACP: This allows the user to set an access control list for a bucket and object.
As a penetration tester, a quick check for the existence of S3 buckets can be done as follows.
S3 Bucket Enumeration:
Running nslookup against the site's hostname will help to find the region the site is hosted in.
Once a region is determined, you can start general querying and enumeration of bucket names. To determine whether a bucket name is valid, we can either navigate to the S3 URL format given by Amazon (http://bucketname.s3.amazonaws.com) or use the following command:
sudo aws s3 ls s3://$bucketname/ --region $region
If the above command returns a list of objects, the bucket exists and grants read (list) access to the caller.
You can use many online tools that are available to find the S3 buckets of a website. Some of them are listed below:
1) S3Scanner
2) Lazy S3
3) S3 Bucket Finder
S3 Bucket Permission Misconfiguration:
Buckets and objects can have different AWS S3 permissions. Permissions on buckets and objects can be granted to all anonymous users (public), authenticated users (anyone with a free AWS account), specific users, or groups of users. The most common misconfigurations concern who is allowed to access a resource.
Weak S3 Permissions
By default, a bucket is private. When a bucket is set as “Public” by granting bucket and object ACL permissions to everyone, any user on the internet can list the objects in that bucket. When the objects inside this bucket are also made public, any user can download the files. This was demonstrated as follows.
1. In the bucket, “block public access” is disabled and “ACL” permission is given to everyone, which allows any public user to list the objects in the bucket.
2. A completely unrelated AWS account can then download the files using the s3api get-object command with its own credentials, as shown in this screenshot.
aws s3api get-object --bucket $bucketname --key $filename $filename
Overly permissive bucket policies:
Using bucket policies we can grant permissions to users. The example below shows a policy that allows the “s3:GetObject” action on the resource “arn:aws:s3:::awsdemonstration/*” for the wildcard principal “*”, i.e. anyone.
Bucket policy vs IAM policy:
Unlike ACLs and bucket policies, which are attached to the bucket, IAM policies are attached to IAM users and groups. Using an IAM policy, we can give an IAM user access to S3 resources. So even if the bucket policy grants only limited permissions to an IAM user, an overly permissive IAM policy can still provide full access to the bucket. This was demonstrated as follows.
1. The bucket policy below shows that the IAM user has only the “GetObject” permission.
2. The IAM policy below gives full access to the IAM user.
3. The screenshot below shows that the IAM user can delete objects in the bucket because of the misconfigured IAM policy.
S3 Access Point:
Access points are named network endpoints attached to buckets that are used to perform S3 object operations. Each access point has its own distinct permissions and policy, which apply to S3 requests made through that access point. The access point policy may grant too much permission to the user; the policy below gives the user full access to the bucket.
Remediation:
1. Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, you should ensure that your S3 bucket is not public.
2. Identify Amazon S3 bucket policies that allow a wildcard identity such as Principal “*” (which effectively means “anyone”) or a wildcard action “*” (which effectively allows any action on the Amazon S3 bucket).
3. Similarly, note Amazon S3 bucket access control lists (ACLs) that provide read, write, or full-access to “Everyone” or “Any authenticated AWS user.”
4. Implement least privilege access — when granting permissions, decide who is getting what permissions to which Amazon S3 resources.
5. Implement monitoring using AWS monitoring tools.
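As an added check for two of the misconfigurations above, the wildcard-principal bucket policy from the "Overly permissive bucket policies" section and the public-group ACL grants in remediation step 3, here is a small Python audit that is not part of the original article. It runs offline over constructed sample inputs shaped like the AWS CLI's get-bucket-policy and get-bucket-acl output; the function names and finding strings are my own, and only the two group URIs and the policy layout are real AWS formats.

```python
import json

# URIs of the two predefined S3 groups whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any authenticated AWS user",
}

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement with a wildcard principal or action."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append(f"{sid}: Principal '*' lets anyone {', '.join(actions)}")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard Action")
    return findings

def audit_acl_grants(grants):
    """Flag ACL grants (shape of get-bucket-acl / get-object-acl 'Grants') to public groups."""
    return [f"{g['Permission']} granted to {PUBLIC_GROUPS[g['Grantee']['URI']]}"
            for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

# Constructed sample: the overly permissive policy the article describes.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::awsdemonstration/*"}]})

# Constructed sample: one ACL grant giving READ (list objects) to everyone.
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY))  # ["PublicRead: Principal '*' lets anyone s3:GetObject"]
    print(audit_acl_grants(SAMPLE_GRANTS))     # ['READ granted to Everyone']
```

Feeding the real CLI output in (the "Policy" string from get-bucket-policy and the "Grants" list from get-bucket-acl) gives the same findings for a live bucket.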