Cyber Web Spider Blog – News

AWS Trusted Advisor Tricked Into Showing Unprotected S3 Buckets as Secure

Posted on August 22, 2025 By CWS

AWS has addressed a weakness that could have been leveraged by attackers to prevent AWS Trusted Advisor from flagging unprotected S3 buckets as a risk.

AWS Trusted Advisor is designed to analyze customers’ environments and provide recommendations for improvements in areas such as cost, performance, and security. Several security-related Trusted Advisor checks are provided for free, including security group settings, IAM user access, multi-factor authentication, and S3 bucket permissions.

The S3 bucket permissions check alerts users when their buckets have open access permissions or allow access to any authenticated AWS user.

Researchers at Fog Security found that an attacker could get Trusted Advisor to not alert users about public buckets by setting the S3 bucket policies to deny the ‘s3:GetBucketAcl’, ‘s3:GetPublicAccessBlock’ or ‘s3:GetBucketPolicyStatus’ actions.

After bypassing Trusted Advisor’s S3 security check, the researchers showed how an attacker could have configured a bucket with public and anonymous permissions through bucket policies and ACLs, enabling data exfiltration without triggering an alert.
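A defender-side check for the bucket-policy pattern described above, as an added example that is not from the original article, Fog Security or AWS: it scans a bucket policy document for Deny statements that cover the three read actions named in the article. The function name, sample policies and bucket name are constructed for illustration, and Principal and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Read-only actions the article says were denied to blind the S3 check.
WATCHED = ("s3:GetBucketAcl", "s3:GetPublicAccessBlock", "s3:GetBucketPolicyStatus")

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def blocked_audit_actions(policy_json):
    """Map each watched action to the Deny statements that cover it."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = {}
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Deny":
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        actions = [p.lower() for p in _as_list(stmt.get("Action"))]
        excluded = [p.lower() for p in _as_list(stmt.get("NotAction"))]
        for watched in WATCHED:
            name = watched.lower()  # IAM action names are case-insensitive
            if "NotAction" in stmt:  # Deny everything except the listed actions
                hit = not any(fnmatchcase(name, p) for p in excluded)
            else:  # Action entries may use * and ? wildcards
                hit = any(fnmatchcase(name, p) for p in actions)
            if hit:
                findings.setdefault(watched, []).append(label)
    return findings

# Constructed sample policies; bucket name and Sids are made up.
SAMPLE_BLINDING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyReads", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetBucketAcl", "s3:getbucketpol*"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "DenyAllButObjects", "Effect": "Deny", "Principal": "*",
     "NotAction": "s3:*Object", "Resource": "arn:aws:s3:::example-bucket"}]})
SAMPLE_BENIGN = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "NoDeletes", "Effect": "Deny", "Principal": "*",
    "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"}})

if __name__ == "__main__":
    for name, doc in (("blinding", SAMPLE_BLINDING), ("benign", SAMPLE_BENIGN)):
        print(name, blocked_audit_actions(doc))
```

A non-empty result marks a bucket whose public-access state should be verified by another route, since a monitoring check that relies on these reads may not be able to see it.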

It’s worth noting that an attacker would need to first gain access to the target’s AWS environment before carrying out these actions.

Fog Security reported its findings to AWS in early May and a complete fix was rolled out in late June; an incomplete patch was deployed in late May.

AWS has notified customers about the issue and pointed them to documentation pages covering S3 bucket permissions and blocking public access to S3 storage.

“As a security best practice, we recommend customers review their S3 bucket permissions and ensure they align with their security requirements,” an AWS spokesperson told SecurityWeek. “When S3 bucket policies prevent Trusted Advisor from performing certain actions […], customers should expect to see a ‘Warn’ status in their Trusted Advisor check. Previously, these buckets were incorrectly listed as ignored and potentially displayed incorrect status indicators for public access settings.”
