Siguria e Bucket-eve S3

Fillestar 13 min Siguria në Cloud

Hyrje

S3 bucket misconfigurations have been responsible for some of the largest data leaks of the cloud era, and the fixes are mostly simple policy changes.

Teoria

Every new S3 bucket should have Public Access Block enabled at both account and bucket level. This single setting prevents any policy or ACL from making the bucket public, even accidentally. If a bucket truly needs to be public (static website, public dataset), use a CloudFront distribution in front of it with an Origin Access Control so only CloudFront can read from the bucket and your traffic still goes through WAF and edge logging. Enable S3 Server Access Logging or S3 Access Analyzer to see who is reading what. Enable encryption at rest (SSE-KMS is preferred over SSE-S3 because it gives per-bucket audit and key rotation). For sensitive data, add Object Lock and Versioning so an attacker or insider who gains write access cannot destroy historical data silently. Regular scans with tools like cloudsplaining, Prowler and Steampipe catch the remaining misconfigurations. On the detection side, GuardDuty has S3-specific rules that alert when a bucket is discovered (public-read detected), when an anonymous user accesses data, or when credentials are used from a Tor exit node. These alerts tie directly into incident response playbooks: confirm the activity, revoke credentials, disable public access, notify affected customers if data was exposed.

Mjetet

Mjete:

  • Block Public Access (account-level).
  • S3 Object Lock, versioning, MFA Delete.
  • Macie — klasifikim i automatizuar i të dhënave.

Praktika

Politikë bucket që lejon vetëm akses privat nga një VPC endpoint:

{
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::secret-bucket/*"],
    "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-12345" } }
  }]
}

Skan publike:

aws s3api list-buckets --query "Buckets[].Name" --output text | \
  xargs -n1 -I{} aws s3api get-bucket-acl --bucket {}

Ushtrime

  1. Aktivizo Block Public Access në një account lab.
  2. Shkruaj një lambda që alarmon kur një bucket bëhet publik.

Burime

  • AWS — S3 Security Best Practices.
  • FlAWS Challenge — flaws.cloud.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re