Over the past several weeks, the security of AWS S3 buckets has come under increasing scrutiny. While the S3 service itself has not suffered any known breach, customer misconfigurations have created some big headaches for some equally big companies.

The root of the issue lies in the fact that S3, unlike most other AWS services, has several overlapping access-control mechanisms. Access to a bucket can be granted through bucket and object ACLs, through a bucket policy, and through IAM policies attached to users and roles, and a request succeeds if any one of them grants it (unless a policy explicitly denies it). While each mechanism has a purpose, developers have clearly been confused by the options, resulting in data loss, customer data exposure, and compromised accounts. An in-depth explanation of these settings is beyond the scope of this post, but many great articles have already been written that explain their use cases (here is one).

At CloudSploit, our biggest focus is putting control of cloud security back in the hands of our users. Finding poorly configured S3 buckets should not require custom scripts, hours of clicking in the console, or, worse, a full compromise. So today, we’re announcing the “S3 Security Visualizer”, a tool that allows you to quickly locate insecure S3 buckets based on their ACL and policy configurations.

Given the scope of this problem, and the urgency with which AWS is alerting customers, we’ve decided to release this tool, completely free for every single one of our users for the next 30 days. There’s no need for a credit card to sign up and get started! Let’s take a look at the process of connecting your AWS account and scanning its buckets.

First, if you don’t have a CloudSploit account, sign up here — it’s free.

Once you’ve logged in, you’ll need to connect your AWS account with CloudSploit. We use a cross-account IAM role with an external ID to gain temporary, read-only access to your account. The external ID is a value that the role’s trust policy requires on every AssumeRole call, so nobody else can trick CloudSploit into assuming your role on their behalf (the “confused deputy” problem). Navigate to the “AWS Accounts” page and start the connection wizard.

Proceed through the connection steps. We recommend the CloudFormation method, but the manual method works just as well if you want to see what is going on behind the scenes. In both cases, an IAM role is created whose trust policy allows CloudSploit’s account to assume it only when it presents the external ID generated for you. The role is then given the AWS-managed “SecurityAudit” policy, which grants read-only access to the metadata of your AWS services (bucket names, ACLs and policies, but not the objects themselves). If you’re only interested in the S3 scanning portion, you can later detach the managed policy and attach an inline policy that grants just the S3 read-only actions the scan needs; AWS-managed policies cannot be edited, so you swap rather than trim.
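To make that behind-the-scenes step concrete, here is an added Python example (our illustration, not CloudSploit’s CloudFormation template or code) that builds the trust policy such a role needs and checks that every AssumeRole grant in it is gated on the external ID. The account ID, the external ID and the minimal S3 action list are assumptions for illustration; substitute the values the connection wizard shows you.

```python
import json

# Placeholder values for illustration only; use the account ID and external ID
# that the connection wizard shows you.
SCANNER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "cs-3f9a2b7c-example"

# Read-only actions sufficient to evaluate bucket ACLs and bucket policies.
# This is an assumed minimal set for an S3-only scan, not a list CloudSploit publishes.
MINIMAL_S3_AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketAcl",
            "s3:GetBucketPolicy",
        ],
        "Resource": "*",
    }],
}


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for the cross-account role: principals in the scanner's
    account may assume it, but only when they present the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM permits a bare string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def _allows_assume_role(statement):
    actions = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions
    )


def trust_policy_requires_external_id(policy, expected_external_id):
    """True only if every statement that allows sts:AssumeRole is gated on
    the expected external ID. One ungated statement is enough for a third
    party to be tricked into assuming the role on someone else's behalf."""
    for stmt in _as_list(policy.get("Statement", [])):
        if not _allows_assume_role(stmt):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if expected_external_id not in _as_list(string_equals.get("sts:ExternalId", [])):
            return False
    return True


if __name__ == "__main__":
    trust = build_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("external ID enforced:", trust_policy_requires_external_id(trust, EXTERNAL_ID))
```

The check is the one to run on any role you hand to a third party: a trust policy that names the vendor’s account but omits the `sts:ExternalId` condition lets anyone who can get the vendor to call AssumeRole with your role ARN into your account.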

Once you’ve connected your account, you should see it in the list.

Now, navigate to the “S3 Visualizer” tool and select your account from the drop-down list.

After you select the account, CloudSploit will go to work in the background scanning your S3 buckets. Depending on the number of buckets you have, this could take up to a minute. Once it’s finished, you’ll see the full list of results appear.

The results are based on analysis of two different bucket settings:

ACLs

ACLs let you define “grantees”, which can be individual AWS accounts (identified by canonical user ID), the predefined “AllUsers” group (anyone on the internet, with no credentials at all), or the predefined “AuthenticatedUsers” group. CloudSploit checks for a grant to either group. One common misconception is that “AuthenticatedUsers” only allows AWS users from the same account. It actually allows anyone who holds any AWS account, and anyone can create one, so for practical purposes it is as public as “AllUsers”. Keep in mind that objects carry their own ACLs too, so a bucket with a clean ACL can still contain individually public objects.

Policies

Policies consist of a JSON document with statements containing specific permissions. Each statement allows or denies “principals” the right to perform actions on resources. CloudSploit looks for statements with an “Allow” effect whose principal is the wildcard, written either as "Principal": "*" or as "Principal": {"AWS": "*"}, on any resource. A wildcard statement may also carry a Condition (for example, restricting by aws:SourceIp or aws:Referer) that narrows the exposure, but it still deserves review, since the condition is the only thing standing between the bucket and the public.

It is important to note that you may have legitimate business reasons for exposing buckets. However, for content that must be public, AWS strongly recommends serving it through a CDN such as CloudFront with a restricted origin (an origin access identity), so the bucket policy grants s3:GetObject only to the CloudFront identity rather than to everyone. If you need to accept uploads from the public, have your application issue presigned URLs: each one is scoped to a single key, a single operation and an expiry time, so the bucket itself never needs a world-writable grant.
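As an added example (our illustration, not the CloudSploit scanner’s code), the following Python evaluates the two settings described above in the way the text describes: it flags ACL grants to either global group, and flags Allow statements with a wildcard principal while noting whether a Condition narrows them. It then runs both the weak public bucket policy and the CloudFront-only replacement recommended just above through the same check. The grantee URIs are AWS’s fixed group identifiers; the sample grants, the policies and the origin access identity ID are constructed placeholders, not data from a real account.

```python
import json

# Grantee URIs for the two predefined global groups (fixed AWS identifiers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    # S3 policies allow a bare string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def public_acl_grants(grants):
    """Return (group, permission) for every ACL grant to a global group.
    `grants` has the shape of the Grants list returned by GetBucketAcl."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone, anonymous callers included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return one finding per Allow statement whose principal is the wildcard.
    Deny statements are skipped. `conditioned` marks statements that carry a
    Condition block: still exposure, but narrower than unconditional access."""
    if isinstance(policy, str):  # GetBucketPolicy returns the document as a JSON string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed sample inputs (not from a real account).
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4, "DisplayName": "owner"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]

# The weak configuration: one fully public statement and one softened by a source-IP condition.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

# The corrected configuration: only the CloudFront origin access identity may read objects.
# The identity ID is a placeholder; CloudFront assigns the real one when you create the OAI.
CLOUDFRONT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudFrontOriginOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


if __name__ == "__main__":
    print("ACL findings:", public_acl_grants(SAMPLE_GRANTS))
    print("public policy findings:", public_policy_statements(PUBLIC_READ_POLICY))
    print("cloudfront policy findings:", public_policy_statements(CLOUDFRONT_ONLY_POLICY))
```

Against a live account you would feed `public_acl_grants` the `Grants` list from `get_bucket_acl` and `public_policy_statements` the `Policy` string from `get_bucket_policy` for each bucket; the CloudFront-only policy produces no findings because its principal is a specific identity, not the wildcard.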

With this tool, there is now zero excuse for having unintentionally exposed buckets in your account. While S3 security settings can be confusing, we hope that this tool helps visualize the impact of the settings you choose to implement.

If you have any questions, contact us at support@cloudsploit.com

— The CloudSploit Team