We have seen many bugs related to AWS S3, for example the Instagram million-dollar bug, the Facebook data breach, the leak of GoDaddy trade secrets and the voter database leak. As people started using AWS, Simple Storage Service (S3) became one of the essential services for storing data, and most of the time either some credentials get leaked or a misconfiguration in the bucket policy results in a data breach. So here are some preventive measures which can be implemented to avoid such scenarios, at least up to some extent.
AWS Simple Storage Service (S3) is used to store and retrieve any amount of data. It is a highly scalable, reliable, fast and inexpensive storage service, and because of all these features it is very widely used. Each item stored inside a bucket is called an object. Access can be controlled at the object level (ACLs), the bucket level (bucket policy) and the account level; an explicit Deny at any level overrides any Allow, and the account-level Block Public Access settings override the bucket's own settings.
A few days back I wrote a script which revokes AWS access keys after a certain number of days of inactivity. Assets lying around that are not used or maintained are often the biggest sources of incidents, as nobody is watching over them; disabling idle keys also enforces key rotation.
Versioning: it keeps multiple versions of an object in the same bucket. You can use versioning to retrieve, preserve and restore objects, and to recover an object even if it was deleted, intentionally or unintentionally. You can enable versioning from the bucket's properties.
Multi-Factor Authentication (MFA) Delete: it prevents the accidental or malicious permanent deletion of object versions and any change to the bucket's versioning state; it requires versioning to be enabled. For now it can only be enabled from the CLI or API, not from the console.
Only the account's root user, with its MFA device, can enable MFA Delete. Run the below command to enable it:
aws s3api put-bucket-versioning --bucket <yourbucket> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account number>:mfa/root-account-mfa-device <mfa code>"
Allow only your infrastructure IPs: a simple bucket policy that allows access to a particular S3 bucket only from your infrastructure's IP ranges. Two caveats before copying it: because the principal is "*", the statement grants anonymous callers coming from those ranges every S3 action on the objects, including deletion, and because it is an Allow rather than a Deny, it does nothing to stop an IAM user who already has S3 permissions from reaching the bucket from anywhere else. For an actual restriction, use an explicit Deny with the NotIpAddress condition, cover both the bucket ARN and the objects (arn:aws:s3:::somebucketname and arn:aws:s3:::somebucketname/*), and double-check the ranges first, since a Deny also locks out you and any AWS service that calls the bucket on your behalf from outside them.
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::somebucketname/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "X.X.X.X/X"
                    ]
                }
            }
        }
    ]
}
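To make the difference between the Allow-from-IPs policy above and a Deny-outside-IPs policy concrete, here is an added example (not from the original page) that models the relevant part of IAM evaluation: a matching explicit Deny always wins, otherwise a request is allowed if the bucket policy or the caller's own identity policy allows it, otherwise it is denied. It only models the IpAddress/NotIpAddress operators on aws:SourceIp and same-account callers; the bucket name, the RFC 5737 documentation ranges and the three request scenarios are constructed for the example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed values: documentation addresses stand in for real infrastructure IPs.
BUCKET = "somebucketname"
INFRA_CIDRS = ["203.0.113.0/24"]

# The page's policy: Allow s3:* to anyone ("*") arriving from the listed ranges.
ALLOW_FROM_IPS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": INFRA_CIDRS}},
    }],
}

# Hardened variant: Deny every caller that is NOT in the listed ranges. Authorised
# IAM principals still need their own Allow, and the bucket ARN itself is
# included so bucket-level actions such as s3:ListBucket are restricted too.
DENY_OUTSIDE_IPS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideInfraIPs",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": INFRA_CIDRS}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _source_ip_condition_holds(condition, source_ip):
    """Evaluate the only condition operators this model knows, IpAddress and
    NotIpAddress on aws:SourceIp; any other operator is treated as not matching."""
    addr = ipaddress.ip_address(source_ip)
    for operator, kv in condition.items():
        cidrs = _as_list(kv.get("aws:SourceIp", []))
        in_range = any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
    return True


def evaluate(bucket_policy, *, source_ip, action, resource, identity_allows):
    """Simplified same-account evaluation. identity_allows=True models an IAM
    user whose own policy grants the action; False models an anonymous caller."""
    allowed = identity_allows
    for stmt in bucket_policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _source_ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins regardless of any Allow
        allowed = True
    return allowed


def compare(scenario):
    """Return (decision under the page's policy, decision under the hardened one)."""
    return (evaluate(ALLOW_FROM_IPS, **scenario), evaluate(DENY_OUTSIDE_IPS, **scenario))


OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/secret.txt"
SCENARIOS = {
    "anonymous delete from an infra IP": dict(source_ip="203.0.113.10", action="s3:DeleteObject",
                                              resource=OBJECT_ARN, identity_allows=False),
    "IAM user read from outside":        dict(source_ip="198.51.100.7", action="s3:GetObject",
                                              resource=OBJECT_ARN, identity_allows=True),
    "IAM user read from an infra IP":    dict(source_ip="203.0.113.10", action="s3:GetObject",
                                              resource=OBJECT_ARN, identity_allows=True),
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        page, hardened = compare(scenario)
        print(f"{name}: page policy allows={page}, hardened allows={hardened}")
```

The first two scenarios are the ones that matter: under the page's policy an anonymous caller on the office network can delete objects and an IAM user on a coffee-shop network still reads them, while the Deny variant refuses both and only lets the authorised user in from the listed range. Real IAM evaluation also considers SCPs, permission boundaries, session policies and cross-account rules; this model deliberately leaves those out.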
By default, all S3 buckets and objects are private; buckets created since April 2023 also have Block Public Access enabled and ACLs disabled unless you change that.
You can grant access through IAM policies attached to the users who need the bucket, control permissions at the bucket level with a bucket policy, or set permissions on a specific object. Enabling server-side encryption is another option; it protects data at rest but does not replace access control.
AWS Config: it is used to assess, audit and evaluate the configuration of AWS resources. You can set up Config rules against your buckets to check for public access (the managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited do exactly this), which helps you detect a public bucket as soon as possible.
Trusted Advisor: a tool provided by AWS that gives real-time guidance on how you provision your resources. Its Amazon S3 Bucket Permissions check flags buckets with open-access permissions.
There are several other ways to quickly track whether a bucket has become public, and once it is detected you can have a Lambda function change it back to private.
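One shape that detect-and-revert loop can take, as an added example and not code from the original page: AWS Config evaluates a managed public-access rule, the compliance-change event is routed through EventBridge to a Lambda function, and the function puts a full Block Public Access configuration on the bucket, which overrides any public ACL or policy without deleting it. The event below is a constructed sample with only the fields the handler reads (the field names follow the Config Rules Compliance Change event), the bucket name is made up, and the _RecordingS3 class is a stand-in for the boto3 client so the file runs without credentials; put_public_access_block is the real S3 API call.

```python
import json

# Managed AWS Config rules that flag public buckets; anything else is ignored.
PUBLIC_BUCKET_RULES = {
    "s3-bucket-public-read-prohibited",
    "s3-bucket-public-write-prohibited",
    "s3-bucket-level-public-access-prohibited",
}

BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample of the EventBridge event AWS Config emits when a rule's
# compliance state changes; only the fields used below are included.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "somebucketname",
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


def bucket_to_remediate(event):
    """Return the bucket name for a NON_COMPLIANT finding from one of the
    public-access rules on an S3 bucket, else None."""
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    if detail.get("configRuleName") not in PUBLIC_BUCKET_RULES:
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def remediate(s3, bucket):
    """Flip the bucket back to private. Block Public Access overrides public ACLs
    and policies without removing them, so the offending policy stays for forensics."""
    s3.put_public_access_block(Bucket=bucket,
                               PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC_ACCESS)
    return {"bucket": bucket, "action": "public_access_blocked"}


def handler(event, context=None, s3=None):
    """Lambda entry point; s3 can be injected for testing, otherwise boto3 is used."""
    bucket = bucket_to_remediate(event)
    if bucket is None:
        return {"bucket": None, "action": "ignored"}
    if s3 is None:
        import boto3  # only needed when actually running inside Lambda
        s3 = boto3.client("s3")
    return remediate(s3, bucket)


class _RecordingS3:
    """Stand-in for the boto3 S3 client that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    fake = _RecordingS3()
    print(handler(SAMPLE_EVENT, s3=fake))
    print(json.dumps(fake.calls, indent=2))
```

The function's execution role needs s3:PutBucketPublicAccessBlock on the buckets it guards, and the EventBridge rule should match only the Config rule names listed, so an unrelated finding never triggers a change. If a bucket genuinely must serve public content, exclude it from the rule's scope rather than from the handler, so the exception is visible in Config.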