Threat Thursday

AWS CLI & S3 Buckets

Written by Kristen Cotten | Jan 26, 2023 3:07:00 PM

The cloud and organizations’ migration to cloud infrastructure have fast-tracked digital change over the past several years. Boasting reliability and flexibility, cloud services are an appealing choice for many businesses but do not come without additional complexity and security concerns.  Cloud security misconfigurations can be one of the biggest causes of data breaches these days. A recent Trend Micro study reports that 65 to 70% of all security challenges in the cloud arise from security misconfigurations. No matter the provider chosen, each comprises a plethora of different services, settings and policies. Navigating a migration is daunting, especially when pushed to move quickly as was the case with many during COVID when remote work became the new norm. 

Building off our CloudFox plan, our newest cloud-focused plan features the use of the AWS Command Line Interface (CLI) and S3 buckets. The ‘enable Amazon S3 block public access for AWS accounts’ is the top misconfigured rule in the S3 service. Despite having a severity classification of ‘very high”, Trend Micro reports a misconfiguration rate for this rule at 69.97%. When this setting is misconfigured it can result in inadvertently exposing AWS S3 bucket data to the public and lead to data breaches. In early November of this year, security researcher Eilon Harel published an open-source tool, S3crets Scanner, that allows researchers an automated method of hunting for secrets stored in public S3 buckets. Amazon also provides detailed documentation on best practices via the AWS Well-Architected-Framework.

Before you start this emulation please ensure you have edited the appropriate fields with your own AWS configurations and have the AWS CLI installed on the test system. Information on how to install the AWS CLI can be found here.

 

The following steps set the new bucket name, file name, and object name. They can also be edited to any naming schema of your choosing.

The remainder of our emulation focuses on S3 bucket enumeration and emulation of data exfiltration due to an overly permissive S3 ACL rule. 

Our SCYTHE customers will receive this latest emulation along with potential detection opportunities via email and also, very soon, in our new Customer Portal.

 

Happy Hunting : ) 

 

- SCYTHE AES Team

 

References: