Open Cloud Storage

Severity: Medium
Test name: Open Cloud Storage
Summary

This test combines assessments for open cloud storage services, including Amazon S3, Azure Blob Storage, and Google Cloud Storage. It checks the response body of an endpoint with specific content-types for links pointing to these services. Each link is then checked to verify if it exposes open cloud storage. The goal is to improve data security and privacy by limiting access to authorized users or services and addressing unauthorized access or exposure.

Impact

The impact of an open S3 bucket can be severe. Since anyone can access the data without authentication, it can lead to unauthorized viewing, downloading, modification, or deletion of sensitive information. This could result in data breaches, loss of confidential data, compliance violations, and damage to reputation. Additionally, attackers could use the exposed data for malicious purposes, such as identity theft, fraud, or extortion.

Location

Response body -> s3 bucket

Remedy suggestions
  • Enable Bucket Policies and Access Control Lists (ACLs): Configure bucket policies and ACLs to restrict access to the bucket to only authorized users or services.
  • Use IAM Roles and Users: Utilize AWS Identity and Access Management (IAM) to manage access permissions for users and services accessing the S3 bucket.
  • Implement Encryption: Enable server-side encryption to protect data at rest, and use HTTPS to encrypt data in transit.
  • Regularly Monitor and Audit Access: Set up logging and monitoring to detect unauthorized access attempts and unusual activities. Regularly review access logs and audit trails.
  • Apply Least Privilege Principle: Grant the minimum permissions necessary for users and services to perform their tasks, following the principle of least privilege.
  • Enable Versioning: Enable versioning on the bucket to protect against accidental deletion or modification of objects.
  • Use MFA Delete: Enable Multi-Factor Authentication (MFA) Delete to add an extra layer of security for deleting objects.
  • Implement Security Best Practices: Follow AWS security best practices and regularly review AWS security advisories and updates.
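The two halves of this test, as an added example that is not the scanner's own code: extracting cloud storage links from a response body (the "Location" above) and auditing an S3 bucket policy for the unconditional anonymous grants the first two remedies are meant to remove. The provider host patterns and the sample response body and policy are constructed for this example.

```python
import json
import re
from urllib.parse import urlparse
# Host patterns for the three providers the test covers, derived from their public
# URL formats; they are this example's assumption, not the scanner's own rules.
PROVIDERS = {
    "s3": re.compile(r"^(?:(?P<name>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    "azure": re.compile(r"^(?P<name>[a-z0-9]+)\.blob\.core\.windows\.net$"),
    "gcs": re.compile(r"^(?:(?P<name>[a-z0-9._-]+)\.)?storage\.googleapis\.com$"),
}

def find_storage_links(body: str) -> list:
    """Return sorted, de-duplicated (provider, bucket-or-account) pairs found in a response body."""
    found = set()
    for url in re.findall(r"https?://[^\s\"'<>)]+", body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        first_segment = parsed.path.strip("/").split("/")[0]
        for provider, pattern in PROVIDERS.items():
            if m := pattern.match(host):
                # Virtual-hosted URLs carry the bucket in the host, path-style URLs in the path.
                found.add((provider, m.group("name") or first_segment))
                break
    return sorted(found)

def anonymous_statements(bucket_policy: str) -> list:
    """Return Sids of Allow statements in an S3 bucket policy that grant access to everyone."""
    flagged = []
    for stmt in json.loads(bucket_policy).get("Statement", []):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        # A Condition may still scope the grant, so only unconditional grants are flagged.
        if stmt.get("Effect") == "Allow" and everyone and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged

# Constructed sample response body embedding links to all three providers.
SAMPLE_BODY = """<img src="https://assets-prod.s3.eu-west-1.amazonaws.com/logo.png">
<a href="https://s3.amazonaws.com/backup-dumps/2023.sql">dump</a>
<script src="https://contosocdn.blob.core.windows.net/static/app.js"></script>
<link href="https://storage.googleapis.com/site-media/style.css">"""

# Constructed sample bucket policy: a public-read statement beside a correctly scoped one.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backup-dumps/*"},
    {"Sid": "AppRoleOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Resource": "arn:aws:s3:::backup-dumps/*"}]})
```

Links found by `find_storage_links` are the candidates this test then checks for open access; a bucket policy that `anonymous_statements` reports as empty still needs its ACLs and account-level public access settings reviewed, since those are separate controls.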