
Explore our guide to AWS S3 Bucket Penetration Testing

Amazon S3 buckets have become a cornerstone of cloud storage for businesses worldwide. Their scalability and cost-effectiveness make them attractive, but that same popularity makes them a frequent target, and a single misconfiguration can expose everything stored in them.

Misconfigured S3 buckets can expose sensitive data and have been behind a long series of public breaches. This article covers AWS S3 bucket penetration testing: the methodology, the tools and the best practices that harden your cloud storage.

Risks associated with AWS S3 bucket security

Several security risks can arise from misconfigured S3 buckets. Here are some common ones:

Unfettered Access permissions

Over-permissive bucket ACLs or policies can let anyone on the internet list, read or modify data. The consequences range from disclosure of sensitive information to data tampering and injection of malicious content (for example, a JavaScript file served to your users from the bucket), which can turn a storage issue into a full application compromise.

Semi-public S3 (simple storage service) bucket access

A bucket that grants access to the AuthenticatedUsers group might look secure because the grantee is "authenticated", but that group means any AWS account in the world, not just accounts in your organisation. Anyone who can sign a request with a valid AWS access key ID and secret access key (all it takes is a free AWS account) is inside the door, so in practice the bucket is as exposed as a public one. Grants like this only work while bucket ACLs are enabled; buckets created since April 2023 have ACLs disabled by default, but older buckets frequently still carry them.

Unencrypted data

S3 encrypts data at rest (with S3-managed keys by default for new objects since January 2023) and supports TLS in transit, but at-rest encryption with S3-managed keys (SSE-S3) is transparent: anyone who is allowed to read the object receives it decrypted. It protects against loss of the underlying storage media, not against a public bucket. Encrypting with a KMS key (SSE-KMS) adds a second gate, because the caller also needs kms:Decrypt on that key, and a bucket policy can deny requests that arrive over plain HTTP.

Misconfigured Bucket Lifecycle Rules

Lifecycle rules automate actions on objects, such as transitioning them to cheaper storage classes or expiring them after a set time. A rule with the wrong prefix or expiry can silently delete data you still need (including object versions and access logs you would rely on during an incident), or keep data you were required to purge.

Improper IAM Permissions

IAM (Identity and Access Management) controls who may call which AWS APIs. Granting broad permissions such as s3:* on all resources to IAM users or roles lets them read or modify buckets far beyond their intended purpose. Scope identity policies to the specific buckets and actions that are needed, and be equally careful with bucket policies that name a whole AWS account as the principal: every identity in that account with matching IAM permissions then gets access.

Open Directory Listing

Listing a bucket's objects requires the s3:ListBucket permission, which a private bucket does not grant to the public. Granting it to everyone (through an ACL READ grant on the bucket, or a policy allowing s3:ListBucket to Principal "*") means an unauthenticated GET on the bucket URL returns an XML inventory of every key, so an attacker no longer has to guess object names before downloading them.

The Importance of AWS S3 Bucket Pentesting

Penetration testing is a simulated attack designed to find exploitable weaknesses before a real attacker does. AWS permits customers to test resources they own under its customer support policy for penetration testing, which lists the permitted services and prohibits activities such as denial of service; testing buckets you do not own, or have not been authorised in writing to test, is out of bounds. Pentesting an S3 bucket uncovers misconfigurations in the bucket's own access controls, policies and settings that a real attacker could exploit. Assets outside that boundary, such as the source code of Lambda functions that merely read from the bucket, are not part of the S3 bucket pentesting methodology.

How do we perform S3 bucket penetration testing?

Pentesting an S3 bucket involves a systematic approach. Here’s a simplified breakdown of the process:

Step 1: Reconnaissance

The first step is gathering information about the target bucket and the AWS account it lives in: the bucket name and region, whether it hosts a static website or sits behind CloudFront, what the account's IAM posture looks like (for example, whether the root account has MFA enforced and whether long-lived access keys are in use), and who has been granted access. This typically involves:

  • Enumeration: Finding the bucket name is the starting point. Bucket names are globally unique, so tools can generate permutations from the organisation's name or domain (acme-backup, acme-prod, backup-acme) and test each one. An unauthenticated HEAD request on the bucket URL tells you whether a name exists: 404 means no such bucket, 403 means it exists but anonymous listing is denied, 200 means it exists and is publicly listable.
  • Virtual Hosted Style vs. Path Style Access: S3 accepts two URL forms, https://BUCKET.s3.amazonaws.com/KEY (virtual-hosted style) and https://s3.amazonaws.com/BUCKET/KEY (path style, deprecated for new buckets but still answered for many old ones). Identifying which form the target uses helps when crafting test requests, and path style is the one that works for bucket names containing dots, which break TLS certificate matching in the virtual-hosted form.

Step 2: Access Checks

With the bucket name in hand, the pentester attempts to access the bucket. This could involve:

  • Checking for Public Access: Unauthenticated requests (for example aws s3 ls s3://BUCKET --no-sign-request, or a plain GET on the bucket URL) confirm whether anonymous users can list objects, read individual objects or write to the bucket.
  • Validating Access Keys: If the bucket requires authentication, the tester uses credentials that are in scope: keys issued by the client for the test, or keys discovered during the engagement in an in-scope asset (a leaked config file, a public repository, an application bundle). Using credentials leaked by an unrelated third party, or testing a bucket you have no authorisation for, is illegal and unethical and must never be done outside a controlled, authorised engagement.

Step 3: Analysing or Identifying Improper ACL Permissions

Assuming access is obtained, the pentester digs into how that access is granted:

  • ACL Analysis: Legacy ACLs grant READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL to individual AWS accounts or to the predefined groups AllUsers (anyone on the internet) and AuthenticatedUsers (any AWS account). A GET on the bucket with ?acl returns the grants if you are permitted to read them, and any grant to either group is a finding. On buckets created since April 2023, ACLs are disabled by default (bucket owner enforced) and such grants cannot exist.
  • Bucket Policy Review: A bucket policy is a JSON document attached to the bucket that allows or denies actions on the bucket and its objects to specified principals, optionally under conditions. It is more expressive than an ACL and is where most modern misconfigurations live: an Allow with Principal "*" and no Condition is public, whatever the ACL says. Check at the same time whether S3 Block Public Access is enabled at bucket and account level, because it overrides public grants from both ACLs and policies.
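The three steps above (name enumeration and addressing, anonymous access checks, ACL triage) as one script. This is an added example written for this page, not Cyphere's tooling: the analysis functions take the raw status code, headers and XML that S3 returns, so they run offline on the constructed sample responses at the bottom, and probe_live() shows the one network call that feeds them during an authorised test. The "acme" organisation name and the sample keys are placeholders.

```python
"""Anonymous S3 bucket recon and ACL triage (added example, not Cyphere's tooling)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SUSPICIOUS = (".env", ".pem", ".sql", ".bak", "backup", "credential", "secret", ".tfstate")


def candidate_names(org, suffixes=("backup", "dev", "prod", "logs", "assets")):
    """Step 1: name permutations from an organisation keyword; bucket names are
    globally unique, so each candidate can be checked with a single HEAD request."""
    names = {org}
    for s in suffixes:
        names.update({f"{org}-{s}", f"{org}_{s}", f"{org}{s}", f"{s}-{org}"})
    return sorted(names)


def bucket_urls(bucket, region="us-east-1"):
    """Step 1: both addressing styles for the same bucket."""
    host = "s3.amazonaws.com" if region == "us-east-1" else f"s3.{region}.amazonaws.com"
    return {"virtual_hosted": f"https://{bucket}.{host}/", "path": f"https://{host}/{bucket}/"}


def classify_head(status, headers):
    """Step 1/2: interpret an unauthenticated HEAD on the bucket URL.
    404 = no such bucket; 403 = exists, anonymous listing denied; 200 = exists and
    anonymous ListBucket allowed (301/400 come back when the wrong region was hit).
    S3 names the bucket's region in x-amz-bucket-region even on 403."""
    region = {k.lower(): v for k, v in headers.items()}.get("x-amz-bucket-region")
    if status == 404:
        return {"exists": False, "region": region, "anon_list": False}
    if status in (200, 301, 400, 403):
        return {"exists": True, "region": region, "anon_list": status == 200}
    return {"exists": None, "region": region, "anon_list": False}


def parse_listing(xml_bytes):
    """Step 2: object keys from a ListBucketResult (anonymous GET on the bucket root)."""
    root = ET.fromstring(xml_bytes)
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


def interesting_keys(keys):
    """Keys worth retrieving first as evidence, by filename heuristics."""
    return [k for k in keys if any(m in k.lower() for m in SUSPICIOUS)]


def acl_findings(xml_bytes):
    """Step 3: grants to AllUsers / AuthenticatedUsers in an AccessControlPolicy
    (GET on the bucket with ?acl). Returns {group_name: [permissions]}."""
    findings = {}
    for grant in ET.fromstring(xml_bytes).iter(S3_NS + "Grant"):
        uri = grant.findtext(f"{S3_NS}Grantee/{S3_NS}URI")
        if uri in (ALL_USERS, AUTH_USERS):
            group = uri.rsplit("/", 1)[1]
            findings.setdefault(group, []).append(grant.findtext(S3_NS + "Permission"))
    return findings


def probe_live(bucket, timeout=10):
    """The only network call: one anonymous HEAD. Run it only against buckets you are authorised to test."""
    req = urllib.request.Request(bucket_urls(bucket)["virtual_hosted"], method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_head(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify_head(err.code, dict(err.headers))


# Constructed sample responses in the documented S3 XML shape (not captured from any real bucket).
CONSTRUCTED_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>acme-backup</Name>
<Contents><Key>backup/db.sql</Key><Size>1024</Size></Contents>
<Contents><Key>index.html</Key><Size>12</Size></Contents></ListBucketResult>"""
CONSTRUCTED_ACL = b"""<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><AccessControlList>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>owner-id</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee><Permission>WRITE</Permission></Grant>
</AccessControlList></AccessControlPolicy>"""

if __name__ == "__main__":
    print(candidate_names("acme"))
    print(classify_head(403, {"x-amz-bucket-region": "eu-west-2"}))
    keys = parse_listing(CONSTRUCTED_LISTING)
    print(keys, interesting_keys(keys))
    print(acl_findings(CONSTRUCTED_ACL))
```

A 403 on the HEAD is not the end of the road: it only says anonymous ListBucket is denied, so the next probes are a GET on a guessed key (object reads can be public while listing is not) and the ?acl request, whose grants go straight into acl_findings().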

Step 4: Exploitation

Once the permissions and policies have been analysed, the next step is to attempt exploitation of the weaknesses found. Keep in mind that bucket-level and object-level permissions are evaluated separately: a bucket may refuse to list its contents while still serving any object whose key you know or can guess, and an object can carry its own ACL that differs from the bucket's.

Uploading Malicious Files

  • If the bucket allows uploads, write a harmless, uniquely named marker object, confirm it can be retrieved, then delete it. S3 itself does not execute uploaded code; the impact comes from what the bucket serves or feeds. An HTML or JavaScript file in a bucket used for static website hosting or as a CloudFront origin becomes a stored XSS or supply-chain vector, and a poisoned file consumed by a downstream pipeline becomes code execution there.
  • Check whether existing objects can be overwritten or deleted (and whether versioning would let the owner recover). Demonstrate this on a test object, never on production data.

Data Extraction

  • If the bucket is publicly accessible, list its contents and retrieve a small sample of objects, enough to prove the exposure and classify the data (credentials, backups, PII), rather than copying everything.
  • Bulk download is easy (aws s3 sync with --no-sign-request will mirror an entire public bucket), but in an authorised test it is only done when the client has agreed to it, and the retrieved data is handled and destroyed according to the engagement's rules.

Step 5: Reporting

The final step involves documenting the findings and recommended mitigations.

Detailed Documentation

  • Document each step taken during the penetration test, including tools used and results obtained.
  • Include screenshots and logs to provide evidence of findings.

Risk Assessment

  • Assess and categorise the risks identified based on their potential impact and likelihood of exploitation.
  • Provide a severity rating for each vulnerability (e.g., low, medium, high, critical).

Tools used for AWS S3 penetration testing

Several tools can be used to pen-test AWS S3 buckets, offering varying levels of automation and functionality. Here are some popular options:

AWS CLI (Command Line Interface)

The official AWS Command Line Interface provides a powerful and scriptable way to interact with S3. aws s3 ls s3://BUCKET lists a bucket's contents with your configured credentials, and adding --no-sign-request sends the same request anonymously, which is the quickest way to confirm public listing. aws s3api get-bucket-acl, get-bucket-policy and get-public-access-block expose the access configuration when you are permitted to read it.

Third-party Penetration Testing Frameworks

Many security frameworks offer modules specifically designed for testing S3 buckets. These tools can automate tasks like enumeration, access checks, and permission analysis and provide detailed reports on vulnerabilities discovered.

Some Examples of Third-party Tools

  • Kali Linux Tools: Kali Linux, a popular distribution for security professionals, packages tools such as s3scanner and s3enum for discovering and analysing S3 buckets.
  • CloudScraper: This tool enumerates an organisation's cloud resources, including S3 buckets, offering a broader view of its security posture.
  • AWS native services: Amazon Inspector scans EC2 instances, Lambda functions and container images for vulnerabilities and does not assess S3 bucket configuration. For buckets, IAM Access Analyzer flags buckets that are public or shared with external accounts, Amazon Macie evaluates bucket security settings and finds sensitive data inside them, and AWS Security Hub runs its own S3 checks and aggregates findings from both.
  • S3Scanner: Scans for open or publicly accessible S3 buckets and can dump their contents.
  • s3inspector: Verifies AWS S3 bucket permissions.
  • lazys3: A Ruby script that brute-forces S3 bucket names using permutations of a company name.

Best practices to secure AWS S3 buckets

Following the principle of least privilege is the crucial first step; the practices below start there and build on it:

Enforce the Principle of Least Privilege

Grant the minimum permissions users and applications need to do their jobs, scoped to specific buckets and actions. Older buckets often carry legacy permissions (ACL grants, policies written before Block Public Access existed) that no longer match current practice; review and update these settings regularly, and enable S3 Block Public Access at the account level so that a stray public grant has no effect.

Enable Default Encryption

S3 now applies server-side encryption with S3-managed keys (SSE-S3) to every new object by default. For sensitive data, prefer AWS KMS keys (SSE-KMS) with a customer-managed key: reading an object then also requires kms:Decrypt on that key, which gives you a second, independently controlled gate and a CloudTrail record of every decrypt.

Implement Strict Bucket Policies

Use IAM policies for identities and bucket policies for the resource, and keep both narrow: name specific principals and actions, deny requests that arrive without TLS (aws:SecureTransport false), and never leave an Allow to Principal "*" without a Condition. Treat S3 Block Public Access as the backstop, not as the policy.

Enable Versioning and Access Logging

Versioning keeps prior versions of every object so that an overwrite or deletion by an attacker (or a bug) can be reversed. For access tracking, enable S3 server access logging or, for richer and more easily queried records, CloudTrail data events for the bucket; without one of these you cannot answer who read what during an incident.

Rotate AWS Access Keys Regularly

Long-lived access keys are the credential most often leaked. Prefer IAM roles and temporary credentials (instance profiles, IAM Identity Center, roles assumed by CI) wherever possible, and where keys are unavoidable, rotate them on a schedule so a leaked key has a short useful life.

Use VPC Endpoints

Where workloads run inside a VPC, access S3 through a gateway VPC endpoint so traffic never leaves the AWS network, and pair it with a bucket policy condition on aws:SourceVpce so the bucket refuses requests that do not arrive through that endpoint.
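The Bucket Policy Review in Step 3 and the two practices just above (strict bucket policies, VPC endpoints) come together in the following added example, written for this page rather than taken from Cyphere's material. It puts the classic world-readable policy beside a hardened one and includes a small evaluator for the anonymous principal, so the effect of each Deny can be checked offline. The bucket name acme-prod-data, account 111122223333, role AppRole and endpoint vpce-0abc123 are placeholders, and the evaluator models only the condition operators used here (Bool, StringEquals, StringNotEquals); it is a review aid, not a substitute for the IAM policy simulator.

```python
"""Weak vs hardened S3 bucket policy, with an anonymous-principal evaluator (added example)."""
import json
from fnmatch import fnmatchcase

WEAK_POLICY = {  # constructed: the classic world-readable bucket
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-prod-data/*"}],
}


def hardened_policy(bucket, account_id, role_name, vpce_id):
    """Named principal only, TLS required, access confined to one VPC endpoint."""
    arn = f"arn:aws:s3:::{bucket}"
    both = [arn, f"{arn}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAppRole", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"], "Resource": both},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": both,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": both,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard_principal(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def _condition_matches(cond, ctx):
    """Negated operators match when the key is absent from the request context;
    that is why StringNotEquals on aws:SourceVpce blocks requests from the internet."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = None if ctx.get(key) is None else str(ctx[key]).lower()
            wants = [str(w).lower() for w in _as_list(want)]
            if op in ("Bool", "StringEquals"):
                if have not in wants:
                    return False
            elif op == "StringNotEquals":
                if have in wants:
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled")
    return True


def public_allow_statements(policy):
    """Step 3 finding: an Allow to everyone with no Condition narrowing it."""
    return [s.get("Sid", "") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def anonymous_allowed(policy, action, resource, ctx):
    """Decide one request for an unauthenticated caller: an explicit Deny wins,
    otherwise a matching Allow is required. Only wildcard-principal statements
    can apply to a caller with no identity."""
    decision = False
    for s in policy["Statement"]:
        if not _wildcard_principal(s.get("Principal")):
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if not _condition_matches(s.get("Condition"), ctx):
            continue
        if s["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    internet = {"aws:SecureTransport": "true"}  # no aws:SourceVpce key: the request came from the internet
    obj = "arn:aws:s3:::acme-prod-data/customers.csv"
    print("weak policy, public statements:", public_allow_statements(WEAK_POLICY))
    print("weak policy, anonymous GetObject:", anonymous_allowed(WEAK_POLICY, "s3:GetObject", obj, internet))
    hard = hardened_policy("acme-prod-data", "111122223333", "AppRole", "vpce-0abc123")
    print(json.dumps(hard, indent=2))
    print("hardened policy, anonymous GetObject:", anonymous_allowed(hard, "s3:GetObject", obj, internet))
```

Before applying a DenyOutsideVpcEndpoint statement to a real bucket, remember that Principal "*" in a Deny includes your own administrators and the console: add an exception for a break-glass role (for example a StringNotLike condition on aws:PrincipalArn) and confirm the result with the IAM policy simulator, or you will lock yourself out along with the attacker.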

Implement Multi-Factor Authentication (MFA) Delete

MFA Delete requires the bucket owner's MFA device to delete an object version or change the bucket's versioning state, adding a layer of protection against accidental or malicious deletion. It depends on versioning being enabled, and it can only be turned on by the account's root user through the CLI or API, not the console, so plan for that operationally.

Conduct Regular Security Audits

Schedule periodic penetration tests and security assessments to identify and address new vulnerabilities.

Advanced S3 Bucket Security Considerations

As you refine your S3 bucket security strategy, consider these advanced techniques:

  1. Object-Level Logging: Enable AWS CloudTrail data events for S3 to record object-level API calls (GetObject, PutObject, DeleteObject and the like) with the caller's identity and source IP, giving granular visibility into bucket access and modifications. Anonymous callers appear in these records with an accountId of "anonymous", which makes public access straightforward to alert on.
  2. Cross-Region Replication: Implement cross-region replication for critical data to enhance disaster recovery capabilities and ensure data availability.
  3. S3 Object Lock: For sensitive or regulatory data, use S3 Object Lock to prevent object deletion or overwriting for a specified retention period.
  4. Intelligent-Tiering: Leverage S3 Intelligent-Tiering to automatically move data between access tiers based on usage patterns, optimising performance and cost.
  5. Access Points: Utilise S3 Access Points to simplify managing access for applications with shared datasets, creating unique hostnames and access policies for each access point.
  6. S3 Batch Operations: For large-scale changes or security updates, use S3 Batch Operations to perform actions across numerous S3 objects with a single request.
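The object-level logging item above is only useful if something reads the records, so here is detection logic over S3 CloudTrail data events, an added example for this page rather than anything from the original post. The sample records are constructed to follow the documented CloudTrail field names (eventSource, eventName, userIdentity, requestParameters.bucketName, sourceIPAddress, errorCode), with anonymous callers represented as userIdentity.type "AWSAccount" and accountId "anonymous"; bucket names, IPs, account and role names are placeholders.

```python
"""Triage of S3 CloudTrail data events: anonymous reads, permission changes, denied bursts (added example)."""
import json
from collections import Counter

PERMISSION_CHANGES = {
    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy", "PutObjectAcl",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}


def is_anonymous(event):
    ident = event.get("userIdentity") or {}
    return ident.get("type") == "AWSAccount" and ident.get("accountId") == "anonymous"


def triage(records):
    """One pass over CloudTrail records; findings come back in record order."""
    findings = []
    for e in records:
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        params = e.get("requestParameters") or {}
        base = {"time": e.get("eventTime"), "event": e.get("eventName"),
                "bucket": params.get("bucketName"), "key": params.get("key"),
                "ip": e.get("sourceIPAddress")}
        if is_anonymous(e) and not e.get("errorCode"):
            # A successful unauthenticated call means the bucket is public right now.
            findings.append({"severity": "high", "rule": "anonymous-s3-access", **base})
        elif e.get("eventName") in PERMISSION_CHANGES:
            actor = (e.get("userIdentity") or {}).get("arn")
            findings.append({"severity": "medium", "rule": "bucket-permission-change",
                             "actor": actor, **base})
    return findings


def denied_bursts(records, threshold=3):
    """Source IPs with at least `threshold` AccessDenied answers: bucket enumeration."""
    counts = Counter(e.get("sourceIPAddress") for e in records
                     if e.get("eventSource") == "s3.amazonaws.com"
                     and e.get("errorCode") == "AccessDenied")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _rec(name, ident, bucket, ip, key=None, error=None, time="2024-05-01T10:00:00Z"):
    """Builder for the constructed sample records (field names follow CloudTrail)."""
    r = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
         "awsRegion": "eu-west-2", "sourceIPAddress": ip, "userIdentity": ident,
         "requestParameters": {"bucketName": bucket}}
    if key:
        r["requestParameters"]["key"] = key
    if error:
        r["errorCode"] = error
    return r


ANON = {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"}
ADMIN = {"type": "AssumedRole", "accountId": "111122223333",
         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}

# Constructed sample: one public read, one policy change, one enumeration burst, one normal read.
CONSTRUCTED_RECORDS = [
    _rec("GetObject", ANON, "acme-prod-data", "203.0.113.7", key="customers.csv"),
    _rec("PutBucketPolicy", ADMIN, "acme-prod-data", "198.51.100.4"),
    _rec("ListObjects", ANON, "acme-prod-data", "203.0.113.9", error="AccessDenied"),
    _rec("ListObjects", ANON, "acme-backup", "203.0.113.9", error="AccessDenied"),
    _rec("ListObjects", ANON, "acme-logs", "203.0.113.9", error="AccessDenied"),
    _rec("GetObject", ADMIN, "acme-prod-data", "198.51.100.4", key="report.pdf"),
]

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_RECORDS):
        print(json.dumps(finding))
    print("denied bursts:", denied_bursts(CONSTRUCTED_RECORDS))
```

In production the records come from the CloudTrail delivery files ("Records" arrays in the S3 log bucket) or an Athena query over them; the permission-change rule is worth routing to a human every time, since a legitimate PutBucketPolicy and the one an attacker uses to open a bucket look identical in the log.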

Conclusion

AWS S3 buckets offer unparalleled storage capabilities, but their security requires vigilance and expertise. Regular penetration testing is crucial for identifying vulnerabilities before malicious actors can exploit them. By understanding the risks, employing robust testing methodologies, and implementing best practices, organisations can significantly enhance their S3 bucket security posture.

Schedule your AWS S3 pentest today with Cyphere and shape your security strategy for the future. You can also book a call with our team to discuss your security concerns during a free consultation call.

*** This is a Security Bloggers Network syndicated blog from Cyphere authored by Harman Singh. Read the original post at: https://thecyphere.com/blog/aws-s3-bucket-penetration-testing/