S3 Bucket Security

When I first started with AWS, I wasn’t concerned with bucket policies, IAM policies and roles. I was just excited to explore AWS and immediately set up backups of my personal computer to S3.

Two years later, I needed a document from my S3 bucket. I pasted the URL into the browser and it loaded straight away. Wait – I shouldn’t be able to access that!

My S3 bucket with passport scans, medical information, driver’s license scans and more had been publicly accessible for years. I locked it down immediately.

This incident made me curious about how many other S3 buckets might have improper permissions. A script was created that:

Loads a dictionary file with an English wordlist
Loops through each word greater than 3 letters (minimum bucket length)
Checks if that bucket name exists
If it exists, attempts to list objects and download a file

The error checking distinguishes between non-existent buckets and buckets in different regions.

The results were staggering – many buckets are publicly accessible, containing not just static assets but personal and business files. The script was about 40 lines of code.

This was a serious wake-up call. Check your bucket permissions.

Posts

Easy-Kubernetes-Nginx-Ingress-Custom-Error-Pages.md

Kubernetes:-A-single-OAuth2-proxy-for-multiple-ingresses.md

Validating-an-ACM-certificate-with-CloudFormation.md

Migrating-to-a-DynamoDB-encrypted-table.md

Lambda@Edge-for-custom-HTTP-headers.md

Jenkins-Scripted-Pipeline-GitHub-Pull-Requests.md

DynamoDB-to-S3-Data-Pipeline-Permissions.md

Consul-Import/Export-or-Backup/Restore.md

Cloning-a-SQL-Server-RDS-Database.md

A-short-post-on-RDS-SQL-Server-S3.md

CloudFormation-Custom-Resources.md

Autoscaling-Lifecycle-Hooks.md