The three tools do have the ability to mark an S3 bucket as public, but the wording in these tools is similar to the AWS web console. None of the tools automatically marks a bucket as public. Most people interact with S3 buckets either through the web console, the CLI developed by AWS, custom code that uses one of the AWS SDKs, or one of those tools. In our audit, we found one tool that was using unencrypted HTTP by default, and after requesting they change this, they're now using HTTPS by default. One third-party tool was using unencrypted HTTP by default.None of the tools reviewed made S3 buckets public without intentional actions by the user.We determined that these tools are not a contributing factor to this problem. Our hypothesis was that perhaps one or more of these tools are automatically making these S3 buckets public, or perhaps contain wording for an action that is misleading and results in the bucket being made public. There are a handful of tools people use to work with S3 buckets that were not developed by Amazon. There are many reasons why this might be the case, but we decided to investigate one hypothesis, that perhaps one or more third-party tools used to work with S3 buckets are contributing to this problem. However, many of these incidents appear to be unintentional. There are legitimate reasons to make S3 buckets public, such as hosting the content for a public website. These are continually making the news for being found with sensitive information in them that have been made public. S3 buckets are a way of storing files on Amazon Web Services (AWS). Product & Engineering MaScott Piper A Security Audit of Third-Party AWS S3 Tools
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |