AWS Trusted Advisor Tricked Into Showing Unprotected S3 Buckets as Secure

AWS has addressed a vulnerability that could have been leveraged to bypass Trusted Advisor’s S3 bucket permissions check.

AWS has addressed a weakness that could have been leveraged by attackers to prevent AWS Trusted Advisor from flagging unprotected S3 buckets as a risk.

AWS Trusted Advisor is designed to analyze customers’ environments and provide recommendations for improvements in areas such as cost, performance, and security. Several security-related Trusted Advisor checks are provided for free, including security group settings, IAM user access, multi-factor authentication, and S3 bucket permissions.

The S3 bucket permissions check alerts users when their buckets have open access permissions or allow access to any authenticated AWS user. 

Researchers at Fog Security discovered that an attacker could prevent Trusted Advisor from alerting users about public buckets by setting S3 bucket policies that deny the ‘s3:GetBucketAcl’, ‘s3:GetPublicAccessBlock’ or ‘s3:GetBucketPolicyStatus’ actions.

After bypassing Trusted Advisor’s S3 security check, the researchers showed how an attacker could have configured a bucket with public and anonymous permissions via bucket policies and ACLs, enabling data exfiltration without triggering an alert. 

It’s worth noting that an attacker would need to first gain access to the target’s AWS environment before carrying out these actions. 
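The following Python is an added example, not code from the Fog Security report or from AWS: it audits bucket policy documents for Deny statements covering the three actions named above, which is what a defender would look for to find buckets Trusted Advisor may have been unable to evaluate. The bucket names and policies are constructed, and the matching goes beyond the literal actions in the report to the wildcard and NotAction forms of the same deny.

```python
import fnmatch
import json

# Actions Trusted Advisor must be able to call to evaluate a bucket's
# public-access posture (the three named in the Fog Security report).
VISIBILITY_ACTIONS = ("s3:GetBucketAcl", "s3:GetPublicAccessBlock",
                      "s3:GetBucketPolicyStatus")

def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/NotAction."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def denied_visibility_actions(policy_json):
    """Map each visibility action some Deny statement covers to 'unconditional'
    or 'conditional' (unconditional wins); conditional denies need review."""
    denied = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        for action in VISIBILITY_ACTIONS:
            if "NotAction" in stmt:  # Deny everything except NotAction
                hit = not _matches(action, _as_list(stmt["NotAction"]))
            else:
                hit = _matches(action, _as_list(stmt.get("Action")))
            if hit and denied.get(action) != "unconditional":
                denied[action] = kind
    return denied

def audit(policies):
    """Return {bucket: findings} for every bucket whose policy denies a
    visibility action; an empty dict means nothing needs a manual look."""
    return {b: f for b, p in policies.items() if (f := denied_visibility_actions(p))}

# Constructed sample bucket policies (not from the report or from AWS).
SAMPLE_POLICIES = {
    "ta-hidden": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Resource": "arn:aws:s3:::ta-hidden",
         "Action": ["s3:GetBucketAcl", "s3:getbucketpolicystatus"]}]}),
    "tls-only": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "plain": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::plain/*"}]}),
}
```

A conditional deny such as the common `aws:SecureTransport=false` pattern is reported as "conditional" rather than dropped, because whether it blocks Trusted Advisor depends on the condition; the findings are a review list, not a verdict.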


Fog Security reported its findings to AWS in early May. An incomplete patch was deployed in late May, and a comprehensive fix was rolled out in late June.

AWS has notified customers about the issue and pointed them to documentation pages covering S3 bucket permissions and blocking public access to S3 storage.

“As a security best practice, we recommend customers review their S3 bucket permissions and ensure they align with their security requirements,” an AWS spokesperson told SecurityWeek. “When S3 bucket policies prevent Trusted Advisor from performing certain actions […], customers should expect to see a ‘Warn’ status in their Trusted Advisor check. Previously, these buckets were incorrectly listed as ignored and potentially displayed incorrect status indicators for public access settings.”


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
