Public S3 bucket through bucket policy

PLATFORM

SERVICE: s3

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: high. Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood.

IMPACT: medium. How impactful a successful exploitation of this vulnerability is expected to be for your environment and organization.

About

S3 buckets can have bucket policies attached to them. Bucket policies that are configured incorrectly may allow public access to the data and configuration of the bucket.

Understanding Impact

Business Impact

S3 buckets are used for data storage. Publicly exposed buckets frequently lead to data leaks or ransomware.

Technical Impact

When a bucket policy allows S3 API actions for any principal ("*"), the bucket is effectively public: an attacker gains read and/or write access to the bucket contents, depending on which actions the policy grants.

Identify affected resources

Use the following command to retrieve a bucket's policy:

aws s3api get-bucket-policy --bucket your-bucket

If the bucket has no policy defined (the command fails with a NoSuchBucketPolicy error), it is not vulnerable to this misconfiguration.

If the bucket policy grants actions to unauthenticated principals, the bucket is vulnerable.

Here is a sample vulnerable bucket policy that allows anyone to read objects inside it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ]
        }
    ]
}

You can also check whether the bucket is publicly accessible by attempting to access it anonymously, that is, without signing the requests:

aws s3 --no-sign-request ls s3://bucket
aws s3 --no-sign-request cp s3://bucket/test.txt /tmp/test.txt
aws s3 --no-sign-request cp /tmp/test.txt s3://bucket/test.txt

Remediate vulnerable resources

Remove or modify the bucket policy so it does not allow public access.

You can also enable an account-wide public access block. This ensures that no S3 bucket in the AWS account is public.
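The following script ties the two procedures above together: it decodes the output of `aws s3api get-bucket-policy` (which returns the policy as a JSON string nested inside a JSON object), reports every Allow statement whose Principal is anonymous, and then produces a replacement policy scoped to explicit principals, re-running the check to confirm the grant is gone. This is an added example, not code from the original page or from Datadog; the policy it analyses is the page's sample public policy, while the CLI output wrapper and the `arn:aws:iam::123456789012:role/ReportReader` principal are constructed placeholders.

```python
"""Audit an S3 bucket policy for grants to anonymous principals and build a
scoped replacement. Added example; the role ARN and the CLI output text are
constructed placeholders wrapping the page's sample public policy."""
import copy
import json

# `aws s3api get-bucket-policy` returns {"Policy": "<policy JSON as a string>"},
# so the document has to be decoded twice. Constructed sample of that output.
CLI_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                   "s3:GetObject", "s3:GetObjectVersion"],
        "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"],
    }],
})})


def load_policy(cli_output: str) -> dict:
    """Decode the nested document returned by get-bucket-policy."""
    return json.loads(json.loads(cli_output)["Policy"])


def _as_list(value) -> list:
    """IAM accepts a scalar wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True when the Principal element matches every caller, signed or not.

    Both "*" and {"AWS": "*"} mean anyone. Service, Federated and
    CanonicalUser principals name specific identities and are not anonymous.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy: dict) -> list:
    """Return the Allow statements whose Principal is anonymous.

    A statement with a Condition is still reported, flagged `conditional`,
    because only some condition keys (aws:SourceVpce, aws:PrincipalOrgID, ...)
    actually narrow the caller; a reviewer has to decide, so the tool does not.
    `writable` marks grants that let an anonymous caller modify objects.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
            "writable": any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete"))
                            for a in actions),
        })
    return findings


def scope_to_principals(policy: dict, principal_arns: list) -> dict:
    """Copy the policy, replacing every anonymous Allow Principal with the
    explicit principals that actually need the access (the page's "modify the
    bucket policy" remediation). The input policy is left untouched."""
    hardened = copy.deepcopy(policy)
    for stmt in _as_list(hardened.get("Statement")):
        if stmt.get("Effect") == "Allow" and is_anonymous_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": list(principal_arns)}
    return hardened


if __name__ == "__main__":
    policy = load_policy(CLI_OUTPUT)
    for f in public_grants(policy):
        flags = (" (conditional, review)" if f["conditional"] else "") + \
                (" WRITABLE" if f["writable"] else "")
        print(f"PUBLIC statement {f['sid']}: {', '.join(f['actions'])}{flags}")
    # Constructed placeholder principal for the scoped replacement.
    fixed = scope_to_principals(policy, ["arn:aws:iam::123456789012:role/ReportReader"])
    print(json.dumps(fixed, indent=2))
```

Apply the scoped document with `aws s3api put-bucket-policy --bucket your-bucket --policy file://policy.json`, or remove the policy entirely with `aws s3api delete-bucket-policy --bucket your-bucket` if nothing outside the account needs access. The account-wide block mentioned above is `aws s3control put-public-access-block --account-id <your-account-id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`; the same four settings can be applied to a single bucket with `aws s3api put-public-access-block --bucket your-bucket`.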

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | S3 bucket contents should only be accessible by authorized principals".

