I've received an email from AWS which says my AWS S3 buckets are configured to allow read access to anyone on the internet and asks me to review the ACL and secure it. Basically my S3 buckets are being used as the backend for a CloudFront distribution. Below are my S3 buckets, which have the same ACL and the same policy applied to them.

media-example-com
font-example-com
blog-example-com
app-assets-example-com

Common policy is as below applied on all the buckets.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name>-example-com/*"
        }
    ]
} 

And below is the ACL screenshot, which is common to all those buckets.

[screenshot: bucket ACL]

I don't understand what exactly AWS support means when it says those buckets are configured to allow read access from the internet, when in the screenshot it's clear that read access is not allowed.

Shailesh Sutar
  • Your bucket policy allows that, not the ACL. It's odd that they would send an email about it as it's a common configuration, even recommended for static website hosting on S3. – jordanm Jul 21 '17 at 15:27
  • That means it's a pretty common configuration, right? And there is nothing that I should be worrying about, since it's all working as a CloudFront distribution backend. – Shailesh Sutar Jul 21 '17 at 15:40
  • Yes, it's common and I wouldn't worry unless maybe you misinterpreted the email they sent. You can configure things so that those objects can only be accessed via Cloudfront, but even the docs on that refer to your configuration as common: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html – jordanm Jul 21 '17 at 15:42

1 Answer

The email seems to be in response to several recent breaches where people have uploaded sensitive information to S3 in a publicly accessible bucket. It is just to nudge you to have a look at your buckets and see if they are appropriately configured.

While I don't have practical experience running a website via S3, I did try to explore this and found that each object in S3 has its own ACL, and you define it when the files are uploaded to S3, and that is what really defines if the file can be publicly accessed over the internet.

When you mark an S3 bucket with read-privilege, anybody can list files in your bucket, so if you accidentally upload a sensitive document in your S3 bucket, people can find it and download it.

It would be safer to remove read privileges from the bucket and have them at object level. That way objects are still accessible if you have a direct link embedded in a web page, etc., but nobody can list files in your S3 bucket and any accidental uploads are not easy to find.

Most tutorials/guides might have asked you to provide read privilege for the S3 bucket for some historical reason or just simplicity, but that doesn't make it the right option when security is concerned.

In your specific case, since you just allow GetObject, not List*, in the policy, your buckets are already in good shape.

dy10
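The distinction the answer draws (anyone can fetch an object whose key they already know, versus anyone can enumerate the bucket) can be checked mechanically from the policy document. The following is an added example, not code from the question, the answer or AWS: a small offline audit that reads an S3 bucket policy JSON and classifies what an anonymous caller (Principal "*") is allowed. The sample policies are constructed here; the first mirrors the policy in the question, the second adds s3:ListBucket, the third restricts reads to a CloudFront Origin Access Identity whose ARN is a placeholder, and the fourth uses an s3:* wildcard. It does not evaluate Deny statements, Condition blocks, object ACLs or Block Public Access settings, so it reports an upper bound on exposure rather than a full IAM simulation.

```python
"""Offline audit of S3 bucket policy documents for anonymous (Principal "*") access.

Added example; sample policies below are constructed, and the Origin Access
Identity ARN is a placeholder, not a real identity.
"""
import fnmatch
import json

# Actions that let an anonymous caller discover object keys.
LISTING_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions",
                   "s3:ListBucketMultipartUploads"}
# Actions that let an anonymous caller read an object they can already name.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}
# Actions that let an anonymous caller modify bucket contents.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """IAM allows most fields to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement applies to unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _matches(action_patterns, action):
    """IAM action matching: case-insensitive with '*' wildcards (e.g. 's3:*', 's3:Get*')."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in action_patterns)


def audit_bucket_policy(policy):
    """Summarise what Allow statements with a public principal grant.

    Deny statements are skipped and Condition blocks are only counted, so the
    flags are an upper bound on public exposure, not a full IAM simulation.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    result = {"public_read": False, "public_list": False,
              "public_write": False, "conditioned_statements": 0}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            result["conditioned_statements"] += 1
        actions = _as_list(stmt.get("Action", []))
        if any(_matches(actions, a) for a in READ_ACTIONS):
            result["public_read"] = True
        if any(_matches(actions, a) for a in LISTING_ACTIONS):
            result["public_list"] = True
        if any(_matches(actions, a) for a in WRITE_ACTIONS):
            result["public_write"] = True
    return result


def classify(policy):
    """Collapse the audit into the single worst finding for a quick report."""
    r = audit_bucket_policy(policy)
    if r["public_write"]:
        return "public-write"
    if r["public_list"]:
        return "public-listing"
    if r["public_read"]:
        return "public-read-by-key"
    return "no-anonymous-access"


BUCKET = "arn:aws:s3:::media-example-com"

# Constructed sample 1: the policy from the question (GetObject only, to everyone).
QUESTION_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Constructed sample 2: the same, plus bucket listing, so keys can be enumerated.
LISTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]}]}

# Constructed sample 3: reads allowed only to a CloudFront OAI (placeholder ARN).
OAI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity PLACEHOLDER"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Constructed sample 4: a wildcard grant, the case a bucket owner should never see.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}


if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("listing", LISTING_POLICY),
                      ("oai", OAI_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(f"{name:9s} {classify(pol):22s} {audit_bucket_policy(pol)}")
```

Run it on a policy exported with `aws s3api get-bucket-policy` to get the same classification for a real bucket; "public-read-by-key" is the state the answer describes as already in good shape for a CloudFront origin, while "public-listing" or "public-write" is what the AWS email is really warning about. Moving to the OAI-style policy in the third sample is the change the linked CloudFront documentation describes for serving objects only through the distribution.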