Not Amazon's fault buckets are exposed, but the loaded shotgun and your foot are all there ready and waiting
Amazon wants you to know that it's not to blame for the data you've exposed through its cloud storage service. AWS Simple Storage Service (S3) is, after all, simple.
No doubt you tried to keep your data secure. But let's face it, in the sixteen years S3 has been available, the cloud-based data storage service hasn't been simple enough to help unwitting users steer clear of unsafe settings.
Amazon, of course, wants you to know that it wants only the best for your data. "S3 buckets are and always have been private by default," the company reminded its customers in a post on Tuesday. "Only the bucket owner can access the bucket or choose to grant access to other users."
Alas, S3 bucket owners, deliberately or otherwise, have been granting more online access than perhaps is advisable, and the result has been an ongoing cluster-fsck. As IBM Security X-Force noted in its 2021 Cloud Security Landscape Report [PDF], "When examining cloud-based cases, X-Force IR frequently identified unsecured resources unintentionally exposed to the Internet, such as misconfigured object storage services, as a major contributor to observed breaches."
Rewind to 2018 – to pick one year among many – and S3 data exposures surfaced so frequently we got tired of writing about them.
There was this story in December 2017, two more in February 2018, another two in April 2018, another bucket exposure in May, in June, July, August, and October, until AWS could no longer stomach customer floundering.
In November 2018, AWS added more security controls to the service it maintains has always been private by default.
"We want to make sure that you use public buckets and objects as needed, while giving you tools to make sure that you don’t make them publicly accessible due to a simple mistake or misunderstanding," the company explained as it introduced Amazon S3 Block Public Access, a way to block public access to S3 buckets through the S3 management console.
Simple Storage Service received another dose of simplicity in November 2021. That's when AWS announced "a couple new features that simplify access management for data stored in Amazon Simple Storage Service (Amazon S3)."
Basically, AWS in 2011 rolled out AWS Identity and Access Management (IAM), to set policies defining permissions and control access to buckets and objects in Amazon S3. The result was too many ways to control S3 bucket access: IAM policies, S3 bucket policies, S3 Access Point policies, S3 Block Public Access, and ACLs (access control lists).
The solution AWS introduced last year was an Amazon S3 Object Ownership setting called Bucket owner enforced that allows S3 users to disable all of the ACLs associated with a bucket and the objects in it. Amazon explained at the time, "This simplifies access management for data stored in Amazon S3" – which, allow us to remind you, stands for Simple Storage Service.
And just how much would you pay for this absolutely not complicated cloud storage service? Wait, don't answer yet. Come April 2023, the simplicity of Simple Storage Service will be simpler still.
"Starting in April 2023, Amazon S3 will introduce two new default bucket security settings by automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs) for all new S3 buckets," Amazon said in its post.
What this means is it won't be simple to create an S3 storage bucket with public access by accident. You'll have to deliberately delete the public access block – the setting preventing public access to S3 data – by calling DeletePublicAccessBlock.
The gauntlet has been thrown and you may fire your footgun at will.
These security-best-practice defaults – already in place for buckets created via the S3 management console – will soon apply to all new buckets, whether they've been created via the AWS command line interface, APIs, SDKs, or AWS CloudFormation. And they will be applied in all AWS Regions, including the AWS GovCloud Regions and the AWS China Regions.
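The new defaults cover only new buckets, so existing ones still need checking. The sketch below is an added example, not AWS's or the article's code: it compares bucket settings against the two defaults described above, taking dicts shaped like the S3 GetPublicAccessBlock and GetBucketOwnershipControls responses. The bucket names and sample data are constructed, and `None` stands in for "no configuration set".

```python
# Added example: compare bucket settings with the April 2023 defaults.
# Input dicts mirror the S3 GetPublicAccessBlock and
# GetBucketOwnershipControls responses; None means "no configuration set".

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block, ownership_controls):
    """Return a list of findings; an empty list means the bucket matches."""
    findings = []
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration")
    if cfg is None:
        findings.append("no public access block (absent or deleted)")
    else:
        off = [f for f in BPA_FLAGS if not cfg.get(f, False)]
        if off:
            findings.append("Block Public Access flags off: " + ", ".join(off))
    rules = ((ownership_controls or {}).get("OwnershipControls") or {}).get("Rules") or []
    modes = [r.get("ObjectOwnership") for r in rules]
    if "BucketOwnerEnforced" not in modes:
        current = modes[0] if modes else "unset"
        findings.append(f"ACLs still enabled (ObjectOwnership={current})")
    return findings


def audit_all(buckets):
    """buckets: {name: (public_access_block, ownership_controls)}."""
    report = {n: audit_bucket(*cfg) for n, cfg in buckets.items()}
    return {n: f for n, f in report.items() if f}


# Constructed sample data (hypothetical bucket names, not from the article).
SAMPLE = {
    "new-style-bucket": (
        {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_FLAGS, True)},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    ),
    "legacy-cli-bucket": (None, None),
    "half-open-bucket": (
        {"PublicAccessBlockConfiguration": {**dict.fromkeys(BPA_FLAGS, True),
                                            "BlockPublicPolicy": False}},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    ),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Against a live account, the two inputs would come from the corresponding S3 API calls, with a "configuration not found" error mapped to `None`.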
So there you have it: Security from self-inflicted misconfiguration by default. And to think, it only took sixteen years.