AWS
Security
S3 Security Settings for Enabling S3 Block Public Access and Disabling ACLs
Overview #
AWS recently published a blog regarding upcoming S3 security changes coming in April 2023 that will impact users of the CloudQuery AWS integration.
Update: As of April 5th, 2023, this change is now in effect for all new buckets by default. See AWS's post here.
This update has 2 distinct changes in effect. Once the changes are in effect for a target Region, all newly created buckets in that region will have:
- S3 Block Public Access enabled by default.
- This includes all 4 Block Public Access Settings.
- Access Control Lists (ACLs) disabled by default.
- The Bucket owner enforced setting is on. With this setting, ACLs are disabled and no longer affect access permissions to the bucket. Requests to set or update ACLs will fail, but requests to read ACLs are supported.
This behavior is already default for console and will be default for buckets created by non-Console options including the S3 API, S3 CLI, AWS SDKs, or AWS CloudFormation.
AWS recommends a deliberate and thoughtful approach to creating new buckets that rely on public buckets or ACLs. We additionally recommend for customers to standardize existing buckets and settings if possible to enforce S3 Block Public Access on all buckets that do not need to be public and to disable ACLs and utilize IAM as a standard method of managing access to S3.
Finding Disabled Block Public Access and Enabled ACLs #
S3 Block Public Access #
S3 Bucket Block Public Access Settings
CloudQuery tables: aws_s3_buckets
There are 4 different components for S3 Block Public Access Settings:
- Block public access to buckets and objects granted through new access control lists (ACLs)
- Block public access to buckets and objects granted through any access control lists (ACLs)
- Block public access to buckets and objects granted through new public bucket policies
- Block public and cross-account access to buckets and objects through any public bucket policies
The below query will check for any S3 bucket where 1 or more of those 4 components are set to false (and thus where block public access is not fully enabled).
SELECT *
FROM aws_s3_buckets
where block_public_acls is false
or block_public_policy is false
or ignore_public_acls is false
or restrict_public_buckets is false;
Account Level Block Public Access Settings
CloudQuery tables: aws_s3_accounts
Block Public Access can also be set at the Account level, which we recommend as an additional layer of security if the S3 buckets in the account do not need to be public.
To check for this setting on accounts in CloudQuery, we can use the following query:
SELECT *
FROM aws_s3_accounts
WHERE block_public_acls is false
or block_public_policy is false
or ignore_public_acls is false
or restrict_public_buckets is false;
S3 Access Control Lists (ACLs) #
Object Ownership Settings
CloudQuery tables: aws_s3_buckets and aws_s3_bucket_grants
There are 3 different settings for object ownership:
- Bucket owner enforced (ACLs disabled)
- Bucket owner preferred (ACLs enabled)
- Object writer (ACLs enabled)
To check for buckets with enabled ACLs (without disabled ACLs), we will look for bucket owner preferred, object writer settings, and empty values for object ownership. The empty values for object ownership currently correlate to object writer.
SELECT *
FROM aws_s3_buckets
WHERE ownership_controls &&'{"BucketOwnerPreferred", "ObjectWriter"}'
or ownership_controls is NULL;
Note: Buckets created via Console with ObjectWriter Object Ownership Settings and Buckets created via CLI without the Object Ownership option specified will result in an empty Object Ownership
ownership_controls
field. This seems to be a default setting and we're following up with AWS on this discrepancy.aws s3api create-bucket --bucket test-json-bucket --profile myprofile --region us-east-1
{
"Location": "/test-json-bucket"
}
aws s3api get-bucket-ownership-controls --bucket test-json-bucket --profile myprofile
An error occurred (OwnershipControlsNotFoundError) when calling the GetBucketOwnershipControls operation: The bucket ownership controls were not found
S3 Grants (ACLs)
To look for grants within resource ACLs that are associated with S3 buckets with enabled ACLs (without disabled ACLs), we will cross reference our S3 buckets from the above query with S3 grants.
SELECT *
FROM aws_s3_bucket_grants
LEFT JOIN aws_s3_buckets
on aws_s3_bucket_grants.bucket_arn = aws_s3_buckets.arn
WHERE ownership_controls && '{"BucketOwnerPreferred", "ObjectWriter"}'
or ownership_controls is NULL;
Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform (currently in beta) for a more scalable solution.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.
If you have comments or questions about S3 security or using CloudQuery, we would love to hear from you! Reach out to us on GitHub or our Community!
References #
Written by Jason Kao
Jason worked as Head of Security Research and Solutions at CloudQuery and was a Senior Data Engineer prior to taking on that role. He focused on multi-cloud environments and has particular expertise on AWS.