S3 - Security

The following are some interesting security scenarios:

Scenario I - My S3 is open

S3 buckets are frequently left open to the world, allowing unauthorized read and write access. This was the major reason for the Capital One breach.

To list the objects in an S3 bucket named "test-bucket", either visit https://test-bucket.s3.amazonaws.com in a browser or run the following CLI command (the --no-sign-request flag sends the request without any credentials, so a successful listing confirms that the bucket is readable anonymously):

aws s3 ls s3://test-bucket --no-sign-request
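The browser check above can be automated for the buckets you are responsible for. The following is an added example written for this page, not code from the original article: it issues the same unsigned GET a browser sends and classifies the XML that S3 returns (a namespaced ListBucketResult means the bucket is world-listable, an un-namespaced Error document means it is not). The two response bodies at the bottom are constructed samples so the parser runs offline.

```python
"""Audit helper: does an S3 bucket answer anonymous ListBucket requests?

Added example for this page; it is not code from the original article. It
sends the same unsigned GET a browser sends to https://<bucket>.s3.amazonaws.com
and classifies the XML S3 returns. The two response bodies at the bottom are
constructed samples so the parser can be exercised offline.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Successful listings are namespaced; S3 <Error> documents are not.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_listing(xml_body: str) -> dict:
    """Map an S3 response body to {"public": bool, "keys": [...], "error": code}.

    A world-listable bucket answers with <ListBucketResult>; a bucket that
    blocks anonymous listing answers with an <Error> document (AccessDenied,
    or NoSuchBucket when the name is not taken at all).
    """
    root = ET.fromstring(xml_body)
    if root.tag == S3_NS + "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
        return {"public": True, "keys": keys, "error": None}
    if root.tag == "Error":
        return {"public": False, "keys": [], "error": root.findtext("Code")}
    return {"public": False, "keys": [], "error": "UnexpectedResponse"}


def check_bucket(bucket: str, timeout: float = 10.0) -> dict:
    """Run the anonymous request against a bucket you are responsible for."""
    url = "https://%s.s3.amazonaws.com/" % bucket
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        # S3 sends the <Error> document with a 403/404 status; keep the body.
        body = err.read().decode()
    return classify_listing(body)


# Constructed sample responses (not captured from a real bucket).
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>test-bucket</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>note.txt</Key><Size>12</Size></Contents>
  <Contents><Key>backup/db.sql</Key><Size>4096</Size></Contents>
</ListBucketResult>"""

DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

if __name__ == "__main__":
    for name, body in (("public", PUBLIC_LISTING), ("denied", DENIED)):
        print(name, classify_listing(body))
```

check_bucket() is the only function that touches the network; run it periodically over your own bucket inventory and alert on any result with "public": True.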

Scenario II - S3 Ransomware

We share research by the RhinoSecurity team that is the cloud equivalent of ransomware for S3. An S3 bucket to which an attacker has write access can be re-encrypted with a KMS key that belongs to the attacker's account. The bucket owner is then unable to decrypt the content, because the key used for encryption does not belong to their account. Once the bucket has been encrypted, the attacker can leave a ransom.txt as a ransom note and hold the bucket to ransom.

More details about this interesting research can be found here.
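Two defensive checks follow from the scenario above. The code below is an added example written for this page, not RhinoSecurity's research code: find_foreign_kms_objects() flags objects whose SSE-KMS key ARN carries an account ID other than the bucket owner's (the condition that makes the data unreadable to the owner), and deny_foreign_kms_policy() builds the preventive bucket policy statement that refuses uploads encrypted with a key from another account. The metadata fields used ("ServerSideEncryption", "SSEKMSKeyId") are the ones boto3's head_object returns; the inventory and account IDs are constructed.

```python
"""Defensive checks for the cross-account KMS ransomware scenario above.

Added example for this page (not RhinoSecurity's code). It works on the
fields boto3's head_object returns ("ServerSideEncryption", "SSEKMSKeyId");
the inventory and account IDs below are constructed so the logic runs offline.
"""
import json
import re
from typing import Optional

# arn:aws:kms:<region>:<12-digit account>:key/<key-id>
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/.+$")


def kms_key_account(key_arn: str) -> Optional[str]:
    """Return the account ID embedded in a KMS key ARN, or None if not an ARN."""
    m = KMS_KEY_ARN.match(key_arn)
    return m.group(1) if m else None


def find_foreign_kms_objects(inventory: dict, own_account: str) -> list:
    """Flag objects encrypted with a KMS key owned by a different account.

    inventory maps object key -> head_object-style metadata dict. An object
    encrypted under a foreign key is unreadable to the bucket owner unless the
    foreign account's key policy grants kms:Decrypt, which is the ransom lever.
    """
    flagged = []
    for key, meta in inventory.items():
        if meta.get("ServerSideEncryption") != "aws:kms":
            continue  # SSE-S3 (AES256) objects never depend on another account's key
        account = kms_key_account(meta.get("SSEKMSKeyId", ""))
        if account != own_account:
            flagged.append((key, meta.get("SSEKMSKeyId")))
    return flagged


def deny_foreign_kms_policy(bucket: str, own_account: str) -> dict:
    """Preventive bucket policy: refuse PutObject with a KMS key from another account.

    Uses the s3:x-amz-server-side-encryption-aws-kms-key-id condition key.
    The *IfExists variant leaves uploads that carry no KMS key id (SSE-S3)
    unaffected, so it only blocks the cross-account key case.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyForeignKmsKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id":
                        "arn:aws:kms:*:%s:key/*" % own_account
                }
            }
        }]
    }


# Constructed sample data: the bucket owner's account and three objects.
OWN_ACCOUNT = "111111111111"
SAMPLE_INVENTORY = {
    "reports/q1.csv": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111111111111:key/11111111-aaaa-4bbb-8ccc-111111111111",
    },
    "reports/q2.csv": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:999999999999:key/99999999-dddd-4eee-8fff-999999999999",
    },
    "ransom.txt": {"ServerSideEncryption": "AES256"},
}

if __name__ == "__main__":
    print("foreign-key objects:", find_foreign_kms_objects(SAMPLE_INVENTORY, OWN_ACCOUNT))
    print(json.dumps(deny_foreign_kms_policy("my-bucket", OWN_ACCOUNT), indent=2))
```

The Deny statement only covers SSE-KMS; a bucket that should never accept customer-supplied keys can add a parallel Deny on the s3:x-amz-server-side-encryption-customer-algorithm condition key, and versioning with MFA delete or object lock keeps recoverable copies of the originals.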

Scenario III - Bucket Policy wide open

Often users take care not to make a bucket public, but a misconfigured bucket policy makes the bucket public indirectly.

For example, consider the bucket policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::securitylabs-articles/*"
        }
    ]
}

This is a vulnerable bucket policy: it states that anyone on the internet can download objects from the bucket securitylabs-articles.

The vulnerable part is the Principal field, which is set to "*", meaning that anyone on the internet can download objects. Assuming there is an object called note.txt, downloading it takes nothing more than the following curl request:

curl https://securitylabs-articles.s3.amazonaws.com/note.txt
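Because the mistake lives in the policy document rather than in the bucket ACL, it is best caught by linting the policy itself. The following is an added example written for this page, not the original author's tooling: it reads a policy in the form get_bucket_policy returns (a JSON string) and reports every Allow statement whose Principal is "*" or {"AWS": "*"}, including the single-item list form, noting whether a Condition narrows it. The first sample policy reproduces the vulnerable one above; the hardened one, with a constructed role ARN as principal, is what the fix looks like.

```python
"""Bucket-policy linter for the "Principal": "*" mistake discussed above.

Added example for this page, not the original author's tooling. It accepts a
policy document as the JSON string get_bucket_policy returns and reports Allow
statements that grant access to everyone. Both sample policies are
constructed; the first reproduces the page's vulnerable policy.
"""
import json


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"} (including the single-item list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement with an anonymous principal.

    A Condition (e.g. aws:SourceVpce or aws:SourceArn) narrows who "*" really
    is, so such statements are reported as conditional rather than dropped:
    they still deserve review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is the safe direction
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


# The vulnerable policy from the page, as get_bucket_policy would return it.
VULNERABLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement2",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::securitylabs-articles/*"
    }]
}"""

# Same grant restricted to one role; the account ID and role name are constructed.
HARDENED_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement2",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ArticlesReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::securitylabs-articles/*"
    }]
}"""

if __name__ == "__main__":
    print("vulnerable:", find_public_statements(VULNERABLE_POLICY))
    print("hardened:", find_public_statements(HARDENED_POLICY))
```

Running the linter in CI or against every bucket's policy on a schedule catches the wildcard before it reaches production; S3 Block Public Access at the account level rejects such a policy outright, and enabling it is the simpler control when no bucket legitimately needs public reads.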
