
Unauthorized access to files - S3 Bucket

Need

Secure access control for S3 buckets

Context

  • Usage of Scala 2.12 for writing scalable and high-performance applications
  • Usage of AWS SDK for Java (aws-java-sdk-s3) for interacting with Amazon S3 services

Description

Non compliant code

import java.io.File
import com.amazonaws.services.s3.AmazonS3ClientBuilder
import com.amazonaws.services.s3.model.PutObjectRequest

// Client built with default settings; credentials come from the default provider chain
val s3Client = AmazonS3ClientBuilder.standard().build()
val bucketName = "my-s3-bucket"
val fileName = "myFile.txt"
val file = new File(fileName)

// Upload with no ACL, encryption or bucket-level access restriction specified
val putObjectRequest = new PutObjectRequest(bucketName, fileName, file)
s3Client.putObject(putObjectRequest)

The above Scala code represents a situation where an S3 bucket is being used to store a file without any checks or measures to prevent unauthorized access.

Here's a step-by-step explanation of what the code does:

  1. It imports the necessary AWS S3 libraries.
  2. It uses AmazonS3ClientBuilder to build an AmazonS3 client, which is used to interact with the AWS S3 service.
  3. It defines the name of the S3 bucket and the file to be stored in the bucket.
  4. It creates a new File instance with the given file name.
  5. It creates a PutObjectRequest, which is a request to put an object in the specified S3 bucket.
  6. Finally, it uses the S3 client to send the PutObjectRequest to the S3 service, effectively storing the file in the S3 bucket.

The vulnerability lies in the fact that there are no measures taken to prevent unauthorized access to the S3 bucket. The bucket policies are not defined, and there are no checks to ensure that only authenticated and authorized users can access or modify the content of the bucket. This means that an attacker can potentially access the bucket, download its content, modify it, or even delete the stored information.

Steps

  • Ensure that the S3 bucket is not publicly accessible.
  • Implement proper authentication and authorization mechanisms for accessing the S3 bucket.
  • Use access control policies to restrict access to the S3 bucket.
  • Encrypt the data stored in the S3 bucket to protect it from unauthorized access.
  • Regularly monitor and audit access to the S3 bucket to detect any unauthorized activity.
  • Follow secure coding practices and avoid hardcoding sensitive information, such as access keys or secret keys, in the code.
  • Keep the S3 client library and dependencies up to date to benefit from security patches and bug fixes.

Compliant code

import java.io.File
import com.amazonaws.services.s3.AmazonS3ClientBuilder
import com.amazonaws.services.s3.model.PutObjectRequest
import com.amazonaws.services.s3.model.CannedAccessControlList

// Client built with default settings; credentials come from the default provider chain
val s3Client = AmazonS3ClientBuilder.standard().build()
val bucketName = "my-s3-bucket"
val fileName = "myFile.txt"
val file = new File(fileName)

val putObjectRequest = new PutObjectRequest(bucketName, fileName, file)
putObjectRequest.setCannedAcl(CannedAccessControlList.Private) // Set the ACL to private
s3Client.putObject(putObjectRequest)

The updated code includes a call to setCannedAcl(CannedAccessControlList.Private) on the PutObjectRequest object. This sets the Access Control List (ACL) of the uploaded object to Private, which grants access only to the bucket owner: no other principal, anonymous or otherwise, is granted access to the object through its ACL. Since ACLs are evaluated alongside IAM and bucket policies, this closes the ACL path to unauthorized access to the file.

In addition to this code change, you should also ensure that the S3 bucket itself is not publicly accessible. This can be done through the AWS Management Console, AWS CLI, or AWS SDKs. You should also implement proper authentication and authorization mechanisms for accessing the S3 bucket, such as IAM roles and policies.

Furthermore, consider encrypting the data stored in the S3 bucket to protect it from unauthorized access. AWS provides several methods for encrypting data at rest in S3, including server-side encryption with S3 managed keys (SSE-S3), server-side encryption with AWS KMS managed keys (SSE-KMS), and server-side encryption with customer-provided keys (SSE-C).

Regularly monitor and audit access to the S3 bucket to detect any unauthorized activity. AWS CloudTrail provides logs of all access requests to your S3 bucket, which can be analyzed for suspicious activity.

Avoid hardcoding sensitive information, such as access keys or secret keys, in the code. Instead, use environment variables or AWS Secrets Manager to securely store and retrieve these values.

Finally, keep the S3 client library and dependencies up to date to benefit from security patches and bug fixes. Regularly check for updates and apply them as soon as possible.
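The following Scala snippet is an added example, not code from the original page, that pulls the remediation steps above together with the aws-java-sdk-s3 API: it enables the bucket's block-public-access configuration, uploads the object with a private ACL and server-side encryption (SSE-S3), and takes credentials from the SDK's default provider chain instead of string literals. The bucket name (read from an assumed S3_BUCKET environment variable) and the file name are illustrative values.

```scala
import java.io.File

import com.amazonaws.services.s3.{AmazonS3, AmazonS3ClientBuilder}
import com.amazonaws.services.s3.model.{
  CannedAccessControlList,
  ObjectMetadata,
  PublicAccessBlockConfiguration,
  PutObjectRequest,
  SetPublicAccessBlockRequest
}

object SecureS3Upload {

  // Credentials are resolved by the default provider chain (environment variables,
  // instance profile or IAM role), so no access key or secret ever appears in code.
  val s3Client: AmazonS3 = AmazonS3ClientBuilder.standard().build()

  // Bucket-level guard: reject public ACLs and public bucket policies, so a later
  // misconfigured upload or policy change cannot expose the bucket contents.
  def blockPublicAccess(bucketName: String): Unit = {
    val config = new PublicAccessBlockConfiguration()
      .withBlockPublicAcls(true)
      .withIgnorePublicAcls(true)
      .withBlockPublicPolicy(true)
      .withRestrictPublicBuckets(true)
    s3Client.setPublicAccessBlock(
      new SetPublicAccessBlockRequest()
        .withBucketName(bucketName)
        .withPublicAccessBlockConfiguration(config)
    )
  }

  // Object-level guard: private ACL plus encryption at rest with S3-managed keys.
  def uploadPrivateEncrypted(bucketName: String, key: String, file: File): Unit = {
    val metadata = new ObjectMetadata()
    metadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)
    val request = new PutObjectRequest(bucketName, key, file)
      .withCannedAcl(CannedAccessControlList.Private)
      .withMetadata(metadata)
    s3Client.putObject(request)
  }

  def main(args: Array[String]): Unit = {
    // S3_BUCKET is an assumed environment variable; "my-s3-bucket" is the page's sample name
    val bucketName = sys.env.getOrElse("S3_BUCKET", "my-s3-bucket")
    blockPublicAccess(bucketName)
    uploadPrivateEncrypted(bucketName, "myFile.txt", new File("myFile.txt"))
  }
}
```

The IAM identity running this code still needs s3:PutObject and s3:PutBucketPublicAccessBlock on the bucket; who may read the object afterwards is decided by the IAM and bucket policies, which is where the "proper authentication and authorization" step is enforced. Access to the bucket can then be audited through CloudTrail as described above.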
