Deception to Secure Amazon S3 Buckets

Written by: Joseph Salazar, Technical Deception Engineer

Amazon Simple Storage Service (S3) provides the ability to store and serve static content from Amazon's cloud. Businesses use S3 to store server backups, company documents, web logs, and publicly visible content such as web site images and PDF downloads. Users organize files within S3 into "buckets," each of which is assigned a URL that follows a standard, predictable pattern for access.

S3 bucket access is an avenue that attackers often target, if the number of successful S3 breaches is any indication. However, deception technology provides ways for an organization using Amazon S3 to protect the data stored within the service as well as the storage buckets themselves. The Attivo Networks ThreatDefend® platform provides deception for native cloud technologies such as storage buckets and Lambda functions and extends deception to all levels of the organization.

When the topic of S3 bucket security comes up, most people unsurprisingly think of restricting public access to prevent data leakage, since the past few years have seen breaches directly caused by improper S3 bucket permissions. If a bucket's access permission is "public" and the account holder has not set up any access controls, anyone with an Amazon Web Services (AWS) account can read content from it or write content to it. All newly created S3 buckets default to private access, but organizations can change this permission.

In November of 2018, Amazon added an option to block all public access to every S3 bucket in an account globally, and it provides a guide on how to secure S3 buckets. While this is a step in the right direction, many accounts still contain misconfigured S3 buckets, and attackers take advantage of these misconfigurations to gain unauthorized access to data.

A compounding issue for S3 bucket security is that many AWS services and APIs can access S3 buckets programmatically. Amazon provides an S3 API so that scripts can access buckets directly from code. An attacker can copy these scripts and leverage them for access. A bucket with an open upload policy could enable attackers to upload a custom JavaScript library that allows them to serve malicious JavaScript to all of the application's users. Such scripts can pull access key information from the environment variables on the local system, giving attackers access to AWS.

Organizations also give third-party vendors access to their S3 buckets for business reasons, and a breach at one of these partners can result in a compromise of S3 security. Finally, organizations with many users can accidentally over-provision accounts with S3 access permissions. Assigning granular access policies becomes complex when access permissions span multiple AWS accounts, multiple AWS services, and third-party vendors. This situation can lead to misconfigurations and over-provisioning of access permissions that attackers can exploit.

Users of the Attivo Networks ThreatDefend platform can deploy deception around S3 buckets to detect intruders accessing and exfiltrating data from them.  Whether it is a decoy running in the cloud or decoy AWS access keys, the deception environment can identify attackers attempting to spread to S3 buckets.

Customers can also create decoy S3 buckets from the Attivo Networks platform. These S3 buckets have no production value, so any access to them generates an alert. When an attacker executes a "list-buckets" command, for example, the decoy S3 buckets appear in the resulting list. Should the attacker attempt to access these decoy S3 buckets, they immediately reveal their presence.

Attackers can also sync data from customer S3 buckets to buckets of their own, exfiltrating it while bypassing traditional security solutions. The Attivo Networks ThreatDefend platform monitors for this access and detects any activity on decoy S3 buckets, alerting administrators to the event. The platform also supports whitelisting, so administrators or valid users accessing these buckets will not trigger an alert, reducing false positives. Combined with the other deception capabilities the platform provides, organizations can deploy a detection fabric that covers every part of their network, gaining internal visibility while increasing defenses.
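The two ideas above, alerting on any access to a decoy bucket and suppressing alerts for whitelisted administrators, are shown here as an added example that is not part of the original post or the ThreatDefend product. It assumes decoy-bucket activity is surfaced as CloudTrail-style S3 event records (the post does not say how the platform observes the access); the decoy bucket names, principal ARNs, IP addresses and log records are all constructed sample data.

```python
import json

# Constructed decoy bucket names and allowlisted principals; assumptions, not values from the post.
DECOY_BUCKETS = {"acme-backups-archive", "acme-finance-reports"}
ALLOWLISTED_ARNS = {"arn:aws:iam::123456789012:user/deception-admin"}

def decoy_alerts(records):
    """Return one alert per S3 event on a decoy bucket by a non-allowlisted principal.
    Decoys hold no production data, so any other access is worth an alert; a bulk
    copy such as `aws s3 sync` shows up as a run of ListObjects/GetObject events."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        # ListBuckets carries no bucket parameter: seeing the decoy's name is not yet an access.
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if bucket not in DECOY_BUCKETS:
            continue
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        if actor in ALLOWLISTED_ARNS:      # the post's "whitelisting" of valid users
            continue
        alerts.append({"bucket": bucket, "actor": actor,
                       "event": r.get("eventName"), "ip": r.get("sourceIPAddress")})
    return alerts

def rec(event, arn, ip, bucket=None, key=None):
    """Build a minimal CloudTrail-shaped S3 record (constructed sample data)."""
    params = {"bucketName": bucket, "key": key} if bucket else None
    return {"eventSource": "s3.amazonaws.com", "eventName": event,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": params}

CI = "arn:aws:iam::123456789012:user/dev-ci"
ADMIN = "arn:aws:iam::123456789012:user/deception-admin"
SAMPLE_LOG = json.dumps({"Records": [
    rec("ListBuckets", CI, "203.0.113.7"),                                    # decoy merely listed
    rec("ListObjects", CI, "203.0.113.7", "acme-backups-archive"),            # decoy touched: alert
    rec("GetObject", ADMIN, "198.51.100.2", "acme-backups-archive", "db.sql"),  # allowlisted: quiet
    rec("GetObject", CI, "203.0.113.7", "acme-www-assets", "logo.png"),       # production bucket
]})

def scan(log_text):
    """Parse a CloudTrail-style JSON document and return the decoy alerts it contains."""
    return decoy_alerts(json.loads(log_text)["Records"])

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT decoy {a['bucket']} accessed by {a['actor']}: {a['event']} from {a['ip']}")
```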

While this blog focuses on S3 buckets, the ThreatDefend platform contains many other cloud-specific deception capabilities to help defend an organization's public, private, or hybrid cloud. To gain a more thorough understanding of these cloud deception capabilities, please visit www.attivonetworks.com/cloud.