A public S3 bucket is one whose bucket policy or ACL grants access to everyone, which makes it reachable by anyone with an internet connection: a request to the bucket's URL, carrying no AWS credentials and no signature, is enough to list or read its contents, depending on what was granted.
You do not need to know who owns the bucket, and you do not need an AWS account, to read it. That includes attackers, who scan for exposed buckets continuously.
That absence of access control is the risk: anything stored in such a bucket, including data that was never meant to leave the account, is exposed to unauthorized parties.
Understanding Public S3 Bucket Access
A public S3 bucket is an open door: anyone can walk in and take what is stored there, and sensitive data ends up in the hands of unauthorized users. The settings below are the switches that close that door.
S3 Block Public Access adds four settings to every bucket (and, through the S3 Control API, to the whole account) that override any public grant, however it was made:
- Block new public ACLs and uploading public objects (BlockPublicAcls): PutBucketAcl, PutObjectAcl and PutObject calls that would add a public grant are rejected.
- Remove public access granted through public ACLs (IgnorePublicAcls): existing public grants stay in the ACL but are ignored when requests are authorized.
- Block new public bucket policies (BlockPublicPolicy): PutBucketPolicy calls that would make the bucket public are rejected.
- Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets): a bucket that already has a public policy is limited to principals in the bucket owner's account and to AWS service principals.
New buckets are created with all four enabled, but buckets that already existed are unaffected, so you have to enable the settings on them yourself.
Before these settings, an administrator who wanted to be sure a bucket was not public had to audit every bucket policy and every object ACL and hope nothing was missed; Block Public Access is the first control that definitively blocks public access to a bucket and all of its contents regardless of what those grants say, protecting against both object ACL errors and bucket policy errors.
Where content genuinely has to be public, grant it with a bucket policy rather than with object ACLs, especially if you have no need for object-level fine-grained control. Note that BlockPublicPolicy and RestrictPublicBuckets will reject or neutralize such a policy, so on that one bucket those two settings have to stay off; keep all four enabled on every other bucket and at the account level.
By understanding how public S3 bucket access works, you can take steps to protect your sensitive data and prevent unauthorized access.
Permission Model and Configuration
An S3 bucket can be private (the default), public read-only, or public read-write. Two mechanisms express that: ACLs, including canned ACLs such as public-read that apply a fixed set of grants in one call, and bucket policies, JSON documents attached to the bucket.
A bucket policy is a list of statements. Each statement carries a Sid (an optional label), an Effect (Allow or Deny), a Principal (who the statement applies to; "*" means everyone, including unauthenticated requests), an Action (the API operations, such as s3:GetObject), a Resource (the bucket ARN, an object ARN pattern, or both) and an optional Condition. Each element has to be right for the access granted to be the access intended: a Resource of arn:aws:s3:::bucket-name/* grants object operations, while arn:aws:s3:::bucket-name grants bucket-level operations such as listing.
To grant a permission you list the actions you allow or deny and tie them to the principals that may perform them: IAM users, roles or accounts, or "*" for the public.
The quickest way to make a bucket public is to apply the canned ACL public-read to it, and that is exactly why it is dangerous: one flag grants every anonymous user READ on the bucket, with nothing left behind to review. If a bucket must be public, prefer an explicit bucket policy scoped to s3:GetObject, and monitor access (server access logs or CloudTrail data events) so that anomalous reads are noticed rather than discovered after the fact.
Why Object-Level ACLs Exist
Object-level ACLs exist because Amazon S3 was originally designed to store public content, such as product images and catalogue data. That is still one of its most common uses, and a per-object public-read grant was the way to allow it.
ACLs can be attached both to the bucket and to individual objects, and S3 evaluates them alongside IAM and bucket policies: a request is allowed if any of them grants it and none carries an explicit Deny. A public grant in an object ACL is therefore enough to allow anonymous reads even when no bucket or IAM policy grants them, which is how authenticated users can end up with less access to data in S3 than anonymous users on the internet.
Object ACLs are "hidden" attributes: they are set with the x-amz-acl header at upload time, they do not show up in a bucket listing, and the only way to find them is to call GetObjectAcl on each object, which is impractical across millions of objects.
For most internal uses of S3, which are governed by bucket policy and IAM policy, object ACLs add nothing but risk. AWS now lets you disable them outright with the Object Ownership setting "Bucket owner enforced" (the default for new buckets); after that, any ACL other than the owner's full control is rejected and the bucket is governed by policies alone.
Access Control List
An Access Control List (ACL) is the older S3 permission mechanism: a list of grants, each pairing a grantee with a permission, attached to a bucket or to an object. ACLs are a second layer of control alongside policies, and a grant in either one is enough to allow a request.
Five permissions can be granted: READ, READ_ACP, WRITE, WRITE_ACP and FULL_CONTROL.
On a bucket, READ lets the grantee list the objects and WRITE lets them create, overwrite and delete objects; on an object, READ lets the grantee read the object's data and metadata (objects have no WRITE permission). READ_ACP and WRITE_ACP concern the ACL itself: with those permissions a grantee can read or modify the ACL, but not the data. FULL_CONTROL is all of the above.
A Grantee element carries the grantee type (CanonicalUser or Group) as an xsi:type attribute from the XML Schema instance namespace, and then either an ID (for a CanonicalUser, together with a DisplayName) or a URI (for a Group).
Three predefined groups can be named as grantees by URI: AllUsers (http://acs.amazonaws.com/groups/global/AllUsers, every request, signed or not), AuthenticatedUsers (http://acs.amazonaws.com/groups/global/AuthenticatedUsers, anyone holding any AWS account, which is public in all but name) and LogDelivery (http://acs.amazonaws.com/groups/s3/LogDelivery, the group that writes server access logs).
Canned ACLs (private, public-read, public-read-write, authenticated-read and a few others) are shorthand for a fixed set of grants applied in one call; anything finer needs the full grant list. An ACL can only add grants: there is no Deny in an ACL, so a restriction has to be expressed in a bucket policy.
To make a bucket public this way you apply the canned ACL public-read to it. By default, buckets created from the web console or the command-line interface (CLI) get the private ACL, and on a bucket with Block Public Access enabled or ACLs disabled the public-read request is rejected.
Each grant in an ACL is exactly one of these permissions attached to one grantee, and a single ACL holds at most 100 grants.
Identifying Misconfigured Buckets
New AWS users often do not understand the business requirement behind a bucket, or simply do not know how S3 authorization works, and that gap produces buckets that are open to the public.
Misconfigurations are a leading cause of attacker entry into cloud environments. They range from a bucket left publicly readable on the internet to one that lets anyone upload or delete objects, which turns a data-exposure problem into a content-injection or ransom one.
Inexperienced users may not realize any of this, so AWS flags public buckets in the Management Console: the bucket list shows which buckets are Public, and IAM Access Analyzer for S3 lists every bucket whose policy or ACL grants access outside the account.
Here are some common misconfigurations to watch out for:
- Publicly accessible buckets left open to the internet
- Allowing anyone to upload or delete files from the bucket
Use those console views as a first pass, then check each bucket's policy, ACL and Block Public Access settings directly (GetBucketPolicyStatus, GetBucketAcl and GetPublicAccessBlock) so that the finding rests on the actual configuration rather than on a badge.
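The check the ACL section and this section describe, as an added example that is not code from the original article or from AWS: parse the ACL document GetBucketAcl returns, find grants to the AllUsers or AuthenticatedUsers groups, and decide whether they still take effect under the bucket's Block Public Access settings. The ACL, the owner ID and the three PublicAccessBlock configurations are constructed for the demo; nothing here calls AWS.

```python
"""Read an S3 ACL and decide whether its public grants are live.

Added example for this article (not code from the original page or from
AWS). The ACL document is constructed in the shape GetBucketAcl returns,
the owner ID is made up, and the PublicAccessBlock configurations are
assumed settings; nothing here talks to AWS.
"""
import xml.etree.ElementTree as ET

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}  # both mean "anyone"

OWNER_ID = "a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0a1b2"  # constructed

# Constructed: what GetBucketAcl returns after `put-bucket-acl --acl public-read`.
SAMPLE_ACL = f"""<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>{OWNER_ID}</ID><DisplayName>assets-owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>{OWNER_ID}</ID><DisplayName>assets-owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>{ALL_USERS}</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

# The four Block Public Access settings, keyed as in the PublicAccessBlock API.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {k: False for k in BLOCK_ALL}
# Assumed half-done hardening: new public ACLs are rejected, existing ones still honoured.
BLOCK_NEW_ACLS_ONLY = dict(BLOCK_NONE, BlockPublicAcls=True)


def canned_acl_grants(canned, owner_id):
    """Expand a canned ACL into the explicit grants S3 stores for it."""
    owner = ("CanonicalUser", owner_id, "FULL_CONTROL")
    table = {
        "private": [owner],
        "public-read": [owner, ("Group", ALL_USERS, "READ")],
        "public-read-write": [owner, ("Group", ALL_USERS, "READ"), ("Group", ALL_USERS, "WRITE")],
        "authenticated-read": [owner, ("Group", AUTHENTICATED_USERS, "READ")],
    }
    return table[canned]


def parse_grants(acl_xml):
    """Return (grantee type, ID-or-URI, permission) for each grant in an ACL document."""
    root = ET.fromstring(acl_xml)
    grants = []
    for grant in root.find("s3:AccessControlList", S3_NS).findall("s3:Grant", S3_NS):
        grantee = grant.find("s3:Grantee", S3_NS)
        gtype = grantee.get(XSI_TYPE)
        who = grantee.findtext("s3:URI" if gtype == "Group" else "s3:ID", namespaces=S3_NS)
        grants.append((gtype, who, grant.findtext("s3:Permission", namespaces=S3_NS)))
    return grants


def public_grants(grants):
    """Grants to AllUsers or AuthenticatedUsers: the ones that make an ACL public."""
    return [g for g in grants if g[0] == "Group" and g[1] in PUBLIC_GROUPS]


def acl_exposure(acl_xml, public_access_block):
    """Classify what the ACL really exposes under the bucket's Block Public Access settings.

    BlockPublicAcls only stops *new* public grants; an existing AllUsers READ
    keeps working until IgnorePublicAcls is on (or the grant is removed)."""
    pub = public_grants(parse_grants(acl_xml))
    if not pub:
        return "private"
    if public_access_block.get("IgnorePublicAcls"):
        return "public-grant-ignored"
    return "public"


def can_add_public_acl(public_access_block):
    """Would put-bucket-acl --acl public-read (or an upload with a public ACL) be accepted?"""
    return not public_access_block.get("BlockPublicAcls")


if __name__ == "__main__":
    for name, cfg in (("none", BLOCK_NONE), ("new-acls-only", BLOCK_NEW_ACLS_ONLY), ("all", BLOCK_ALL)):
        print(f"block={name:13s} exposure={acl_exposure(SAMPLE_ACL, cfg):21s} "
              f"can_add_public_acl={can_add_public_acl(cfg)}")
```

The point of the three configurations is the middle one: turning on BlockPublicAcls alone stops new public grants but leaves the existing AllUsers READ working, so a bucket hardened that way still reports "public" until IgnorePublicAcls is set or the grant is removed.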
Managing Permissions and Access
Managing permissions and access is crucial when it comes to public S3 buckets. You can use IAM policies to define S3 permissions at more granular levels, and your teams can leverage Service Control Policies (SCPs) for organization-wide guardrails around accessing S3.
To secure access you can use both policies and ACLs, but policies are the preferred way to make content publicly accessible, and a bucket policy is the recommended method when a bucket must be public. A bucket policy keeps every public grant in one document you can review, supports Conditions (for example restricting by source IP or requiring TLS) and can carry explicit Deny statements, whereas ACLs are scattered across objects and can only add grants.
Enable the four Block Public Access settings on every bucket that has no reason to be public, and at the account level so that new buckets start closed; buckets that already existed do not pick the settings up on their own.
To grant permissions, you specify the allowed or denied actions and attach them to the right principals. For example, to grant read access to everyone you would write a statement with "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject" and a Resource of the object ARN pattern arn:aws:s3:::bucket-name/*.
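The full policy that statement belongs to, as an added example that is not part of the original article, with a small evaluator that applies the elements the Permission Model section lists (Effect, Principal, Action, Resource; statements with a Condition are skipped) to a request. The bucket name, account ID and role ARN are constructed, and the evaluator models the bucket policy only, not IAM policies, ACLs or Block Public Access.

```python
"""Bucket-policy statements and a minimal evaluator for them.

Added example for this article (not code from the original page or from
AWS). The bucket name, account ID and role ARN are constructed; the policy
is built inline and nothing is sent to AWS. The evaluator models only the
bucket policy: no IAM policies, ACLs or Block Public Access.
"""
import fnmatch
import json
from typing import Optional

BUCKET = "example-assets"                                    # assumed bucket name
ACCOUNT_ID = "111122223333"                                  # assumed account ID
EDITOR_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AssetEditor"  # assumed role ARN


def public_read_policy(bucket: str) -> dict:
    """Public read of objects, writes only for one role.

    Principal "*" is everyone, signed or not. The Resource is the object
    ARN pattern (bucket/*), not the bucket ARN, so listing is not granted."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicReadObjects", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": objects},
            {"Sid": "EditorWrite", "Effect": "Allow", "Principal": {"AWS": EDITOR_ROLE},
             "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": objects},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller: Optional[str]) -> bool:
    """caller=None is an anonymous (unsigned) request; it only matches "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or (caller is not None and caller in aws)
    return False


def _glob(value: str, patterns, fold_case: bool) -> bool:
    """IAM-style matching with * and ? wildcards; action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: dict, caller: Optional[str], action: str, resource: str) -> bool:
    """True if the bucket policy alone allows the request.

    An explicit Deny beats every Allow; with no matching Allow the answer is
    no. Conditions are not modelled, so a statement carrying one is skipped."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _glob(action, stmt["Action"], fold_case=True):
            continue
        if not _glob(resource, stmt["Resource"], fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def public_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements open to everyone; non-empty means the policy is public."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "Condition" not in s
            and _principal_matches(s["Principal"], None)]


if __name__ == "__main__":
    policy = public_read_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    key = f"arn:aws:s3:::{BUCKET}/index.html"
    print("anonymous GetObject:", evaluate(policy, None, "s3:GetObject", key))  # True
    print("anonymous PutObject:", evaluate(policy, None, "s3:PutObject", key))  # False
    print("public statements:", public_statements(policy))                     # ['PublicReadObjects']
```

Appending a Deny statement with "Principal": "*" for a prefix such as private/* shows the rule the article relies on: the Deny applies to the editor role as well as to anonymous callers, and no Allow elsewhere in the policy can override it.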
It's essential to regularly review permissions to ensure they align with current roles and responsibilities, and to avoid making S3 buckets public unless absolutely necessary.