Use AWS Config To Hunt Public S3 Buckets
In this post, I want to cover an approach for using Config to rapidly identify world-readable S3 Buckets.
Some time ago, I wrote about using AWS Config to find resources across a large environment. Config’s greatest strength, in my experience, is rapidly identifying the account owning an offending resource. In an organization containing over 200 accounts, it’s not feasible to play the guessing game.
To use it in this capacity, Config must be enabled in all accounts you wish to monitor. (In my organization, we do this automatically using AWS Organizations.)
Open the AWS Config Advanced Query editor (be sure to set Query Scope accordingly!), and paste the following query:
SELECT resourceId, resourceType, accountId,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets
WHERE resourceType = 'AWS::S3::Bucket'
This returns a list of every S3 bucket in the scope you selected, along with its PublicAccessBlockConfiguration settings. Look for any setting that is false or empty; those buckets are the place to start hunting for public buckets.
As of the initial writing (2020-11-02), there is no bucket property that defines whether a bucket is public. Until such a property is available, this is a good start.
This query, along with others I regularly use, can be found in my aws-secops collection. If you find it useful or have suggestions, please drop me a line!
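The console query above is the quickest way to eyeball the results, but in a large organization it helps to run the same query through the API and triage the rows automatically. The following is an added example, not code from the original post or the aws-secops collection: it pages through a Config aggregator with boto3 and flags every bucket whose PublicAccessBlockConfiguration is missing or has any of the four settings disabled (the "false or empty" rule from the post). The aggregator name, the region and the sample rows are assumptions and constructed data; Config returns each row as a JSON string, and the code tolerates the supplementary configuration arriving either as nested JSON or as an embedded JSON string.

```python
"""Triage AWS Config advanced-query results for S3 Public Access Block settings."""
import json
from typing import Dict, List, Optional

# The query from the post, reused verbatim.
PUBLIC_ACCESS_BLOCK_QUERY = """
SELECT resourceId, resourceType, accountId,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets
WHERE resourceType = 'AWS::S3::Bucket'
"""

# All four settings must be true for the bucket-level block to be complete.
FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def _as_bool(value) -> bool:
    """Config may return booleans or the strings "true"/"false"; anything else counts as not set."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def _public_access_block(item: dict) -> Optional[dict]:
    """Extract PublicAccessBlockConfiguration from one result row, or None if it is absent."""
    supp = item.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration")
    if isinstance(pab, str):  # assumption: some rows carry it as a JSON-encoded string
        try:
            pab = json.loads(pab)
        except ValueError:
            return None
    return pab if isinstance(pab, dict) else None


def triage_results(results: List[str]) -> List[Dict[str, object]]:
    """Given the raw `Results` list (JSON strings) from a Config query, return one record per
    bucket that is not fully protected, naming the settings that are false or missing.
    Buckets with no block configuration at all sort first, then by number of disabled settings."""
    findings = []
    for raw in results:
        item = json.loads(raw)
        pab = _public_access_block(item)
        weak = list(FLAGS) if pab is None else [f for f in FLAGS if not _as_bool(pab.get(f))]
        if weak:
            findings.append({
                "accountId": item.get("accountId"),
                "bucket": item.get("resourceId"),
                "missing_block": pab is None,
                "disabled": weak,
            })
    findings.sort(key=lambda f: (not f["missing_block"], -len(f["disabled"]),
                                 f["accountId"] or "", f["bucket"] or ""))
    return findings


def run_aggregated_query(aggregator_name: str, region: str = "us-east-1") -> List[str]:
    """Page through select_aggregate_resource_config for an organization-wide aggregator.
    Needs boto3 and credentials; the aggregator name is an assumption about your setup."""
    import boto3  # imported here so the triage logic above runs without boto3 installed
    client = boto3.client("config", region_name=region)
    results, token = [], None
    while True:
        kwargs = {"Expression": PUBLIC_ACCESS_BLOCK_QUERY,
                  "ConfigurationAggregatorName": aggregator_name, "Limit": 100}
        if token:
            kwargs["NextToken"] = token
        page = client.select_aggregate_resource_config(**kwargs)
        results.extend(page.get("Results", []))
        token = page.get("NextToken")
        if not token:
            return results


# Constructed sample rows (fictional buckets and account IDs) in the shape the API returns.
SAMPLE_RESULTS = [
    json.dumps({"resourceId": "finance-reports", "resourceType": "AWS::S3::Bucket",
                "accountId": "111111111111",
                "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
                    "blockPublicAcls": True, "ignorePublicAcls": True,
                    "blockPublicPolicy": True, "restrictPublicBuckets": True}}}),
    json.dumps({"resourceId": "marketing-assets", "resourceType": "AWS::S3::Bucket",
                "accountId": "222222222222",
                "supplementaryConfiguration": {"PublicAccessBlockConfiguration":
                    '{"blockPublicAcls": false, "ignorePublicAcls": true, '
                    '"blockPublicPolicy": false, "restrictPublicBuckets": true}'}}),
    json.dumps({"resourceId": "legacy-logs", "resourceType": "AWS::S3::Bucket",
                "accountId": "333333333333"}),  # no block configured at all
]

if __name__ == "__main__":
    for f in triage_results(SAMPLE_RESULTS):
        detail = "no PublicAccessBlock configured" if f["missing_block"] else "disabled: " + ", ".join(f["disabled"])
        print(f"{f['accountId']} {f['bucket']}: {detail}")
```

Two caveats when reading the output: the query only sees bucket-level settings, so a bucket flagged here may still be covered by an account-level Public Access Block, and conversely a bucket with all four settings true can still grant access through a policy to specific principals; the list is a starting point for review, as the post says, not a verdict.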
Bonus for Security Hub Users
If you use Security Hub, you can find this information in the finding for failed security standard checks. Sweet!
Under Security Standards > AWS Foundational Security Best Practices > S3.2 you are presented with a list of all world-readable S3 buckets. Clicking on the title of a failed check will open an info pane to the right containing, among other data, the AWS account ID containing the bucket.
Security Hub is slowly maturing into a highly usable product, especially in multi-account organizations. If it's been a while since you've checked it out, give it another go! (Caveat: as with most other AWS services, you'll need to enable Security Hub in all accounts you wish to monitor. This is a laborious process if you have many accounts.)
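Clicking through failed S3.2 checks one at a time does not scale past a handful of accounts, so here is an added example, not code from the original post, that pulls the same information through the Security Hub API and groups it by account. It filters on the S3.2 control's generator ID, failed compliance status and active record state, then returns one row per account with the affected bucket ARNs. The finding shape below is constructed sample data, and the region is an assumption; the aggregator (administrator) account is where you would run this.

```python
"""Summarize failed Security Hub S3.2 findings by account."""
from collections import defaultdict
from typing import Dict, List

# Generator ID of the S3.2 control in the AWS Foundational Security Best Practices standard.
S3_2_GENERATOR_ID = "aws-foundational-security-best-practices/v/1.0.0/S3.2"

# Filter equivalent to the console view of failed S3.2 checks that are still active.
FAILED_S3_2_FILTER = {
    "GeneratorId": [{"Value": S3_2_GENERATOR_ID, "Comparison": "EQUALS"}],
    "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
}


def fetch_failed_s3_2_findings(region: str = "us-east-1") -> List[dict]:
    """Page through GetFindings with the filter above. Needs boto3 and credentials."""
    import boto3  # imported lazily so the summary logic runs without boto3 installed
    client = boto3.client("securityhub", region_name=region)
    findings, token = [], None
    while True:
        kwargs = {"Filters": FAILED_S3_2_FILTER, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = client.get_findings(**kwargs)
        findings.extend(page.get("Findings", []))
        token = page.get("NextToken")
        if not token:
            return findings


def buckets_by_account(findings: List[dict]) -> Dict[str, List[str]]:
    """Map each AWS account ID to the sorted, de-duplicated list of bucket ARNs with failed checks.
    Only AwsS3Bucket resources are counted; findings can carry other resource types."""
    grouped = defaultdict(set)
    for finding in findings:
        account = finding.get("AwsAccountId", "unknown")
        for resource in finding.get("Resources", []):
            if resource.get("Type") == "AwsS3Bucket" and resource.get("Id"):
                grouped[account].add(resource["Id"])
    return {account: sorted(arns) for account, arns in sorted(grouped.items())}


# Constructed sample findings (fictional account IDs and buckets), trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "222222222222", "GeneratorId": S3_2_GENERATOR_ID,
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::marketing-assets"}]},
    {"AwsAccountId": "222222222222", "GeneratorId": S3_2_GENERATOR_ID,
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::marketing-assets"}]},  # duplicate
    {"AwsAccountId": "333333333333", "GeneratorId": S3_2_GENERATOR_ID,
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::legacy-logs"},
                   {"Type": "AwsAccount", "Id": "AWS::::Account:333333333333"}]},
]

if __name__ == "__main__":
    for account, arns in buckets_by_account(SAMPLE_FINDINGS).items():
        print(f"{account}: {len(arns)} bucket(s) failing S3.2")
        for arn in arns:
            print(f"  {arn}")
```

Because the filter is expressed once as a dictionary, the same structure can be reused for the other S3 controls by changing the generator ID, and the per-account grouping is what makes the output actionable in an organization with hundreds of accounts: it tells you whom to contact, not just which bucket is open.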