7 Ways AWS Can Fix Its Public S3 Bucket Problem


I recently saw a Twitter thread on AWS’s notorious public S3 bucket permissions issue. Some of the replies, especially from AWS folks defending AWS on the issue, got me thinking about whether there are additional improvements that can be made.

While it’s true that AWS has done a lot in the past year to improve S3 bucket security, for some reason we’re still seeing breaches occur with a regular cadence. Something more is needed.

So I fired up my AWS console and started taking some notes. I don’t expect AWS to implement all of these suggestions (I don’t claim to be an expert on the S3 product and am certain to be missing some nuances), but maybe they can reach the right teams who can use them as a starting point for discussion.

1. Decouple public access from buckets entirely

2. Merge ACLs and bucket policies

3. Make public bucket access a CLI-only setting

4. Move the decision to account owners

5. Require a two-person developer opt-in

6. Enforce a waiting period

7. Disable public buckets that have never received public traffic

To summarize, while I think AWS does a fantastic job of creating good services that have excellent security options, the answer to “developers are mistakenly configuring buckets insecurely” shouldn’t be “they just aren’t reading the options,” but rather “what more can we do to make it nearly impossible to do the wrong thing?”

Founder of @CloudSploit, acquired by @AquaSecTeam. Former Infra / Security / Manager @Adobe, @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident
