Amazon Web Services (AWS) recently announced new configurations to ensure that customers using S3 buckets haven’t misconfigured it accidentally. This, however, doesn’t mean that the new configuration will be responsive about public access like a user.
The new configuration, Amazon S3 Block Public Access can work on the account level, individual buckets and future buckets created by the user. It will give user extra accessibility to block existing public access or control the access for newly created items. The new feature is an extension of already available access controls like Access Control Lists (ACL), or Identity and Identity Access Management (IAM) bucket policies. Users will not be charged any extra amount for the configuration feature aside from usual prices for a request made for S3 API.
The ACL and policies gave the user flexibility so that you can grant permission to multiple accounts; restrict access to specific IP addresses, granting access to other accounts to upload new objects in a bucket, use of Multi-Factor Authentication (MFA) and many more features.
New Amazon S3 Block Public Access
The new level of protection works on buckets and objects making it easier for the user to control. It works on the account level and individual buckets, including your future requirements. Using the new Amazon S3 block will help to block existing public access and also block the newly created items. In case of AWS account being used to host the data or application the public level protection will act as a guard against accidental public exposure. The public access is used for different types of web hosting.
When dealing with public access settings for the AWS account, you have two options to deal with- Manage Public Access Control Lists (ACLs) and Manage Public Bucket Policies.
Here are some points to take into consideration while dealing with them:
1. Block new public ACLs and Uploading public objects: The option allows the user to configure buckets and objects, disallowing them to use a new public bucket or object ACL. The option will not affect the existing buckets or objects but will ensure that future PUT requests that include ACL option will fail. The setting can be used to protect against future attempt to use ACL to create buckets or objects public. If an application tries to upload an object with public ACL or if an admin tries to apply the public setting to the bucket it will block the public access setting for the bucket.
2. Remove public access granted through public ACLs: The option allows the user to set S3 and not to evaluate any public ACL while authorizing a request. This ensures that no buckets or objects can be made public using ACLs. The setting overrides current or future public access setting. The setting will override the setting of an object that is currently uploading using public ACLs.
3. Block new public bucket policies: This option discards all the new public bucket policies and is used to ensure that future PUT requests that include them will fail. However, this would not affect the existing buckets or objects to ensure that bucket policy cannot be updated to grant public access.
4. Block Public and cross-account access to buckets that have public policies: The options set the bucket that is publicly accessible could be accessed by bucket owner and AWS services. This option will protect buckets that have public policies and also your functions. It protects the data in the bucket from becoming publicly accessible. AWS wants to make that the user use public buckets and objects without making them publicly accessible just due to certain misconfiguration. It has been a long-term problem for the Amazon cloud service and its users. Cloud is a shared responsibility while the provider is responsible “Of cloud” i.e. infrastructure and the user is responsible “in Cloud” i.e. configuration. AWS recently also changed the color of objects and buckets that are public so that a user can easily identify them.
Conclusion:
The recent high profile leaks have led many experts commenting that the ease of using cloud depends on the user. It’s important that you take the responsibility of the cloud as your system and configure it utmost security. Hiring cloud security personnel will be better than having just an IT personnel handling the configuration of the cloud.
For more information on cloud configuration, you can download our Whitepaper.