Securing Publicly Exposed AWS S3 Buckets with Auto-remediation

Amazon S3 storage is incredibly flexible and easy to use, but securing S3 has proven difficult for many organizations. Breaches related to S3 buckets are frighteningly common, exposing sensitive information and causing brand and financial damage. You won’t have to look far to find stories of S3-related data breaches caused by misconfiguration, where S3 security settings were left set to “public.” Since 2017, there has been an overwhelming number of sensitive data disclosure scenarios and breaches involving misconfigured and publicly available Amazon S3 buckets. As data and resources are created, deployed, and modified quickly in AWS S3 storage, cloud security teams must address security issues quickly and effectively.

AWS S3 storage security concerns

AWS S3 storage enables organizations to store massive datasets on a secure platform. Configuration mistakes keep happening because cloud security management at scale is complex. Infrastructure as Code tools (e.g. Terraform) allows a single misconfiguration to impact hundreds—if not thousands—of assets with a single line of code. Every bucket maintains its security. New S3 buckets can be created in seconds, hence the need for constant monitoring—which means continuous assessment and remediation for policy violations. Also, S3 buckets are not centrally “secured.” The configuration complexity coupled with the flexibility of bucket policies to modify configurations offered by S3 bucket security can lead to mistakes. Moreover, S3 supports both read and write permissions.

Cloud storage security shared responsibility model

While AWS provides reliable security, it does not cover the entire extent of security needed. Customers and users are also expected to shoulder the responsibility to secure their information within the cloud by closing data security loops.

AWS S3 storage is categorized as Infrastructure as a Service (IaaS) and AWS clearly states that organizations are responsible for the security configurations (i.e., implement appropriate access control policies) with control and management tasks. Organizations may have hundreds of S3 buckets, but they are responsible for ensuring that S3 buckets are secured, monitored, and not publicly accessible.

The risk of a data breach due to misconfiguration

AWS S3 promises high levels of security, when understood and configured properly. Unfortunately, many organizations don’t have the necessary resources and skills needed to build and maintain highly secured AWS environments.

AWS S3 leaks have reappeared in headlines time and time again. Some notable S3 bucket-related breaches in the past include FedEx, Verizon, and Dow Jones. Such breaches were avoidable because AWS S3 is designed to be highly secure if configured properly. AWS buckets are private by default, but that hasn't stopped a series of high-profile data breaches due to misconfiguration. Attackers are automating the discovery of public AWS S3 buckets and exfiltrating data while most cloud teams still rely on slow, manual processes to address the problem. The risk and complexity increase when an organization uses multi-cloud platform storage services like Microsoft Azure and Google Cloud Platform.

The probable impact of AWS S3 bucket misconfiguration

By having a public bucket, organizations no longer have control over who can or can’t access their data, anyone who finds the link can access the data without using any additional hacking techniques. This can lead to a data breach. A misconfigured bucket allowing public write access can have cost implications as it can be used to serve or control malware, damage a website hosted in S3, store any amount of data at the organization’s expense, and even delete or encrypt files to demand a ransom or make data stored in S3 buckets completely unusable. Malicious parties may access the S3 buckets to download and manipulate confidential data such as certificate keys, application shell scripts, and encrypted files with privileged credentials. 

Why auto-remediation is important

Speed, security, resilience, and efficiency are top priorities for every business today. Automation is one key to achieving these goals. No matter how good CSPM coverage is or how real-time alerting is, security teams’ ability and timeframe to address AWS S3 misconfigurations are always more important. Manual processes are not repeatable, scalable, or auditable and can be prone to human errors. Hence, it’s better to automate the entire data protection process, so that security teams can rest assured that whenever the problem of risk arises it will be fixed immediately and effectively.

Identify and prevent S3 bucket exposure with auto-remediation

Auto-remediation can detect several security incidents related to S3 storage in real-time. It handles the necessary security fixes in an automated way, without manual assistance or interference. It can also minimize the average time to resolution for security teams, where common misconfigurations can be resolved in just one click–or automatically whenever they are detected–to improve overall AWS posture and compliance.

Automatic remediation can also be used to immediately make an S3 bucket private if an event has caused it to become public. This allows security, infrastructure, and DevSecOps teams to focus on more valuable business-aligned workloads, knowing the effective guardrails are in place.

Benefits of auto-remediation

• Comprehensive S3 storage security – Policy violations and misconfigurations are addressed immediately upon discovery, preventing bad actors from capitalizing on issues.
• Minimized resolution time – The remediation actions are performed automatically, allowing security teams to work on higher value-add tasks and saving significant time and resources.
• Consistency – Organizations can be sure that the prescribed procedures and workflows are always being followed.
• Continuous compliance assurance – Real-time corrections serve as proof for audit purposes to maintain cloud environment compliance. 

Exceptions

Auto remediation is a good way to enforce cloud governance policies but automatic remediation of some security issues isn’t always appropriate. The security team can follow a manual or expert-guided remediation process. Sometimes, it’s better for the CSPM tool to simply discover the issue and raise an alert to allow concerned team members or relevant stakeholders to decide how to resolve or remediate the issue based on the industry, compliance, and audit requirements.

Bottom line:

Cloud storage services such as AWS S3 are powerful, but they also present serious security risks in cases of misconfigured settings. Accidental or intended changes to the S3 storage configurations can leave organizations exposed to automated hacker searches looking to exploit sensitive data. Auto-remediation can take pressure off security teams to find and fix a wide variety of AWS S3 misconfigurations to help keep their organizations’ data safe. Organizations can leverage solutions like workload posture that help discover, prioritize, and auto remediates security risks in AWS S3 storage.

Watch the video where Max Shirshov, Cloud Security Sales Specialist at Zscaler demonstrates workload posture capabilities to identify and auto-remediate AWS S3 storage with public read/write access.

If you’d like an audit of the security configurations of your AWS S3 buckets, you can register here for our free assessment.