Increasing Your Security Posture when Using Amazon S3
The course is part of these learning paths
This course has been designed to introduce you to the different security controls and methods that have been built into Amazon S3 to protect your data and enhance your overall security posture. You will learn about resource ownership, access control policies, S3 Access Points, Access Analyzer, and how to use Cross Origin Resource Sharing (CORS).
If you have any feedback relating to this course, please contact us at firstname.lastname@example.org.
- Understand resource ownership in Amazon S3
- Use policies to control access
- Scale access to shared buckets with S3 Access Points
- Use Access Analyzer to monitor access to buckets
- Learn what Cross Origin Resource Sharing (CORS) is and how to use it
This course is intended for anyone who is responsible for securing, designing, and managing Amazon S3, or who simply wants to learn more about security in Amazon S3.
To get the most out of this course, you should have a basic understanding of Amazon S3. It's also recommended that you have a solid understanding of AWS IAM policy syntax and structure.
Hello and welcome to this lecture where I'm going to be discussing how to block public access to your buckets. Over the years, we've all seen news articles of instances where organizations have left themselves exposed by leaving customer and confidential information within unprotected AWS buckets, allowing access to the general public. This has resulted in huge security breaches and has left those organizations answering difficult questions in addition to recovering from financial penalties.
As a response to these mistakes made by these organizations and the resulting repercussions, AWS has continually worked to improve the security around Amazon S3, to prevent instances such as these from happening again.
So in this lecture, we're going to be looking at the methods that can be applied to ensure that you do not follow the same steps and fail to protect your buckets from public access. When creating a new bucket in S3, there's an option that's dedicated to helping you protect your bucket from public access. And by default, you can see that there's a checkbox that's ticked, which blocks all public access.
As a result, you have to actively change this setting to allow public access. If you do need some public access to this bucket, then you can turn off the setting, and it allows you to select for additional options that can be used to filter public access.
So you can block public access to buckets and objects granted through new access controllers, block public access to buckets and objects granted through any access controllers, block public access to buckets and objects granted through new public bucket or access point policies, and block public and cross account access to buckets and objects, through any public bucket or access point policy.
This allows you to allow some public access based on certain security controls and block others. You don't have to select any or you can have a combination of the four shown. Once you've made your selection, you can review the settings on your bucket by selecting it and viewing the Permissions tab.
In this screenshot, you can see that the selected bucket has all public access blocks. However, these settings can be changed by selecting the edit button. Because all public access to this bucket is blocked, I will see a blue information notice if I were to configure the bucket policy or ACL for this bucket, as you can see here.
As a result, if I tried to allow any kind of public or cross account access for the bucket policy or ACL, then access would still not be allowed as the bucket still has the block all public access setting enabled. Let me show you what would happen if you try to update the bucket ACL and object ACL with these block all public access settings in place.
Okay, so I'm not going to be AWS management console and the S3 dashboard. Now what I want to do, is go into my S3 bucket. So I'll go into the S3 deep dive bucket, go across two permissions. Now here straightaway we can see that I have the block or public access setting on.
Now if I scroll down to the ACL settings, so here we have the bucket ACL, we can see that the everyone group currently does not have any access. Now if I wanted to try and change this, I can go across to edit, and then select list and read access for the everyone group.
Now if I scroll down, it gives me wanting to say if I grant these permissions then anyone in the world can access the objects in this bucket. So I have to confirm that via tick box as an extra level of confirmation. If I then click on save changes, I get an error. It says I don't have permissions to edit these ACL settings, with a response of access denied. And that is because we have the block all public access on. So this overrides the ACL.
Let's now take a look at the ACL of the objects. So if I select objects, I've just got one object in here a screenshot. So if I select that, and then scroll down to the ACL settings, so this is the ACL of the object. And again, we can see that the everyone group does not have access. So if I was to edit this object, ACL, it doesn't even give me the option, it's grayed out. And it says at the top here, public access is blocked, because block public access settings are turned on for this bucket.
Okay, so now what I want to do, is to go back to the settings of the bucket itself. And this time, I'm going to edit this option and allow public access. So I'm just gonna untick that and save changes. It gives me a warning to say that if I do this, then anyone can access objects in my bucket, see how to type in confirm. And now if I go down to the ACL, again, it gives me a warning to say that AWS doesn't recommend granting access to the everyone grantee, and if we go to Edit we can see that these have already been activated because we allowed public access.
But again, AWS does its best to highlight that this is a potential security risk by having these warning signs next to it as well. And again, you have to confirm that you understand the effect of these changes to apply them. If you save changes, I no longer get the error message.
So let's do the same on the object. If I select my object again, go down to the ACL settings, we can see that it has the read, you understand the effects of these changes, just save changes and that's that. So we can now see that the object is accessible by the everyone group, and also the bucket is as well. Just check those permissions again, we can see that the everyone group has the list and read.
Now what has to happen if I edit the public access settings again? So if I click on edit, and then blocked all public access, confirm those changes. And then I checked the ACL again, it has removed the access for the everyone group. So as soon as I enabled that block or public access setting, AWS updates all the settings in the bucket and the objects to remove that access.
So we can see here that's been removed from the bucket. And just for clarification, let's check out the object, have a look at the ACL there. And again, we can see it has been removed. So it's a very powerful setting to quickly remove all public access, regardless of the permissions that you've already applied.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.