Amazon S3

S3 Bucket Insecure Write Access

This plugin ensures S3 buckets do not allow write-access to outside users.

Risk Level: High

Description:

This plugin ensures S3 buckets do not allow write-access to outside users. Under this vulnerability, an outsider may be able to add objects, modify objects and update permissions for the affected bucket. Note that this plugin parses Block Public Access configuration for each bucket and for the account in order to prevent false positives.
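The check described above, as an added example (not the plugin's own code): it evaluates a bucket ACL in the shape boto3's get_bucket_acl() returns together with bucket- and account-level Block Public Access settings, flagging public grantees that hold WRITE, WRITE_ACP or FULL_CONTROL. The sample ACL and owner ID are constructed.

```python
# Public grantee URIs used in S3 ACLs, mapped to the console labels.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users group",
}
# ACL permissions that let a grantee add/modify objects or change the ACL.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_acls_ignored(*configs):
    """True if any Block Public Access config (bucket or account level)
    sets IgnorePublicAcls, which makes S3 disregard public ACL grants.
    BlockPublicAcls alone only blocks *new* public ACLs, so it does not
    neutralise an existing public grant and is deliberately not checked."""
    return any((c or {}).get("IgnorePublicAcls", False) for c in configs)


def insecure_write_grants(acl, bucket_bpa=None, account_bpa=None):
    """Return (group, permission) pairs that expose public write access.
    An empty list means the bucket passes the check."""
    if public_acls_ignored(bucket_bpa, account_bpa):
        return []  # public ACLs are ignored: no false positive
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not public
        group = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if group and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


# Constructed sample input (not from a real account): owner has full
# control, "Everyone" has READ and WRITE.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print(insecure_write_grants(SAMPLE_ACL))
    print(insecure_write_grants(SAMPLE_ACL, account_bpa={"IgnorePublicAcls": True}))
```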

About the Service:

Amazon S3 is an object storage service with industry-leading scalability, data availability, security, and performance. Amazon S3 allows customers of all sizes and sectors to store and safeguard any amount of data for a variety of use cases, including data lakes, websites, mobile applications, backup and restore, archive, business applications, IoT devices, and big data analytics.

Impact:

To safeguard your S3 data from unauthorized users, make sure your AWS S3 buckets are not publicly accessible for WRITE actions through S3 access control lists (ACLs). An S3 bucket that grants everyone (i.e. anonymous users) WRITE (UPLOAD/DELETE) access can give attackers the ability to add, delete, and alter objects within the bucket, resulting in S3 data loss or unexpected AWS charges.

Steps to reproduce:

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at: https://console.aws.amazon.com/s3/
  3. Select the S3 bucket you want to examine and click on the Properties tab.
  4. Check the Access Control List (ACL) configuration for any grantee called "Everyone" in the Properties panel's Permissions tab.
  5. If the "Everyone" predefined group has the Upload/Delete (WRITE) rights enabled in the bucket ACL setup, the selected S3 bucket is rendered insecure because it is publicly accessible for uncontrolled content updates.
  6. Repeat steps no. 3 - 5 for each S3 bucket that you want to examine, available in your AWS account.

Steps for remediation:

Disable read and write permissions in the bucket ACL for both 'Everyone' and 'Authenticated users group'.

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at: https://console.aws.amazon.com/s3/
  3. Select the S3 bucket you want to examine and click on the Properties tab.
  4. Click Permissions to expand the bucket Access Control List (ACL) configuration tab and look for the grantee (predefined group) labeled "Everyone" in the Properties panel.
  5. Check the Upload/Delete (WRITE) permission for "Everyone" and uncheck it.
  6. Click Save to apply the new ACL configuration and remove the bucket public WRITE access.
  7. Repeat steps no. 3 - 6 for each S3 bucket that you want to examine, available in your AWS account.

References: