AWS Pentesting

Misconfigured S3 Bucket


Overview

AWS S3 buckets are a widely used cloud storage service. S3 exposes two primary attack surfaces: HTTP and the S3 API itself. While most content will be accessed over HTTP, it is essential to verify bucket and object permissions through the S3 API, because a bucket that serves a static site correctly over HTTP may still grant listing or write access to anonymous or authenticated AWS users. Below is a list of permissions which may be set on a bucket:

S3 Permission List
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetLifecycleConfiguration
s3:GetBucketNotification
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetBucketWebsite
s3:PutBucketCORS
s3:PutLifecycleConfiguration
s3:PutBucketLogging
s3:PutBucketNotification
s3:PutBucketTagging
s3:PutBucketWebsite
s3:PutObject
s3:PutBucketAcl
s3:PutBucketPolicy

S3 in Penetration Testing

A traditional penetration test will often cover an application's attack surface over HTTP, but may omit S3-specific test cases unless the assessor is well versed in AWS security.

Virtue Security has provided a free open source utility and Burp Suite extension to assess the security of S3 buckets. It is recommended that testers use it when assessing applications which host content in S3 buckets.

Remediation

Virtue Security recommends that the access control list (ACL) be set to only allow full control for the bucket owner. This can be achieved by using the “private” canned ACL.

Regular reviews should be performed to ensure that proper permissions are set on all buckets. Care should be taken to ensure that excessive permissions are not granted to the "Authenticated Users" group, which includes every authenticated AWS account, not only users of your own account.
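The following is an added example (not Virtue Security's utility or extension) showing how such a review can be automated: it inspects a bucket ACL in the shape boto3's get_bucket_acl returns and flags any grant to the AllUsers or AuthenticatedUsers groups, or to a canonical user other than the owner. The sample ACL and owner ID are constructed; the fetch and remediation helpers assume boto3 and valid credentials are available.

```python
"""Flag non-private grants in an S3 bucket ACL (boto3 get_bucket_acl shape)."""

# Predefined S3 group URIs used by AWS for public grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABELS = {
    ALL_USERS: "AllUsers (anonymous)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)",
}


def audit_acl(acl):
    """Return (grantee label, permission) pairs for every grant that is not
    the bucket owner's own grant. An empty list means the ACL is private."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_LABELS:
            findings.append((GROUP_LABELS[grantee["URI"]], perm))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            findings.append(("foreign account " + grantee["ID"], perm))
    return findings


def is_private(acl):
    """True only when the owner holds the sole grant (the 'private' canned ACL)."""
    return not audit_acl(acl)


def fetch_acl(bucket):
    """Live check; requires boto3 and credentials able to call GetBucketAcl."""
    import boto3
    return boto3.client("s3").get_bucket_acl(Bucket=bucket)


def make_private(bucket):
    """Remediation: apply the 'private' canned ACL as recommended above."""
    import boto3
    boto3.client("s3").put_bucket_acl(Bucket=bucket, ACL="private")


# Constructed sample ACLs (the owner ID is a placeholder, not a real account).
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
MISCONFIGURED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, perm in audit_acl(MISCONFIGURED_ACL):
        print(f"finding: {label} has {perm}")
```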

References: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
