Hyrje
S3 bucket misconfigurations have been responsible for some of the largest data leaks of the cloud era, and the fixes are mostly simple policy changes.
Teoria
Every new S3 bucket should have Public Access Block enabled at both account and bucket level. This single setting prevents any policy or ACL from making the bucket public, even accidentally. If a bucket truly needs to be public (static website, public dataset), use a CloudFront distribution in front of it with an Origin Access Control so only CloudFront can read from the bucket and your traffic still goes through WAF and edge logging.
Enable S3 Server Access Logging or S3 Access Analyzer to see who is reading what. Enable encryption at rest (SSE-KMS is preferred over SSE-S3 because it gives per-bucket audit and key rotation). For sensitive data, add Object Lock and Versioning so an attacker or insider who gains write access cannot destroy historical data silently. Regular scans with tools like cloudsplaining, Prowler and Steampipe catch the remaining misconfigurations.
On the detection side, GuardDuty has S3-specific rules that alert when a bucket is discovered (public-read detected), when an anonymous user accesses data, or when credentials are used from a Tor exit node. These alerts tie directly into incident response playbooks: confirm the activity, revoke credentials, disable public access, notify affected customers if data was exposed.
Mjetet
Mjete:
- Block Public Access (account-level).
- S3 Object Lock, versioning, MFA Delete.
- Macie — klasifikim i automatizuar i të dhënave.
Praktika
Politikë bucket që lejon vetëm akses privat nga një VPC endpoint:
{
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::secret-bucket/*"],
"Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-12345" } }
}]
}Skan publike:
aws s3api list-buckets --query "Buckets[].Name" --output text | \
xargs -n1 -I{} aws s3api get-bucket-acl --bucket {} Ushtrime
- Aktivizo Block Public Access në një account lab.
- Shkruaj një lambda që alarmon kur një bucket bëhet publik.
Burime
- AWS — S3 Security Best Practices.
- FlAWS Challenge — flaws.cloud.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re