AWS Pentesting
Misconfigured S3 Bucket
Overview
AWS S3 buckets are a widely used cloud storage service. S3 exposes two primary attack surfaces: HTTP and the S3 protocol. While most content will be accessed over HTTP, it is most important to verify bucket and object permissions via S3 itself. Below is a list of permissions which may be set on a bucket:
| S3 Permission List |
|---|
| s3:GetBucketAcl |
| s3:GetBucketCORS |
| s3:GetLifecycleConfiguration |
| s3:GetBucketNotification |
| s3:GetBucketPolicy |
| s3:GetBucketTagging |
| s3:GetBucketWebsite |
| s3:PutBucketCORS |
| s3:PutLifecycleConfiguration |
| s3:PutBucketLogging |
| s3:PutBucketNotification |
| s3:PutBucketTagging |
| s3:PutBucketWebsite |
| s3:PutObject |
| s3:PutBucketAcl |
| s3:PutBucketPolicy |
S3 in Penetration Testing
A traditional penetration test will often cover an application’s attack surface over HTTP, however may omit proprietary S3 test cases unless the assessor is well versed in AWS security.
Virtue Security has provided a free open source utility and Burpsuite extension to assess the security of S3 buckets. It is recommended this be used by testers when assessing applications which host content in S3 buckets.
Remediation
Virtue Security recommends that the access control list (ACL) be set to only allow full control for the bucket owner. This can be achieved by using the “private” canned ACL.
Regular reviews should be performed to ensure that proper permissions are set on all buckets. Care should be taken to ensure that excessive permissions are not granted to “authenticated users” which includes all authenticated users of the AWS platform.
References: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html