Use AWS Config To Hunt Public S3 Buckets

In this post, I want to cover an approach for using Config to rapidly identify world-readable S3 Buckets.

Some time ago, I wrote about using AWS Config to find resources across a large environment. Config’s greatest strength, in my experience, is rapidly identifying the account owning an offending resource. In an organization containing over 200 accounts, it’s not feasible to play the guessing game.

To use it in this capacity, Config must be enabled in all accounts you wish to monitor. (In my organization, we do this automatically using AWS Organizations.)

Open the AWS Config Advanced Query editor (be sure to set Query Scope accordingly!), and paste the following query:

SELECT
  resourceId,
  resourceType,
  accountId,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets
WHERE
  resourceType = 'AWS::S3::Bucket'

This returns a list containing all S3 Buckets in the environment and their PublicAccessBlockConfiguration settings. Look for any false or empty values here; a bucket with any of the four settings disabled or unset is a good place to start hunting for public buckets.
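To turn that query into a repeatable hunt, the following Python script (an added example, not from the original post or the aws-secops collection) runs the same expression through boto3 and then filters the rows down to buckets where any of the four Public Access Block settings is false or missing. The aggregator name, region and the shape of the returned rows are assumptions about your own setup; the sample rows at the bottom are constructed so the filtering logic can be exercised without AWS credentials.

```python
"""Flag S3 buckets whose Public Access Block settings are false or missing.

Added example (not from the original post). Runs the post's Config query via
boto3 against a Config aggregator (an assumption about your setup) and then
post-processes the rows. SAMPLE_ROWS below are constructed test data.
"""
import json
from typing import Any, Dict, Iterable, Iterator, List, Optional

# The query from the post, unchanged.
QUERY = """
SELECT
  resourceId,
  resourceType,
  accountId,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy,
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls,
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets
WHERE
  resourceType = 'AWS::S3::Bucket'
"""

PAB_KEYS = ("blockPublicPolicy", "blockPublicAcls",
            "ignorePublicAcls", "restrictPublicBuckets")


def _as_bool(value: Any) -> Optional[bool]:
    """Normalise a setting to True/False; None when absent or unparseable."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        if value.lower() == "true":
            return True
        if value.lower() == "false":
            return False
    return None


def classify(row: Dict[str, Any]) -> Dict[str, Any]:
    """Return account, bucket name and the list of weak (false/missing) settings."""
    supp = row.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    if isinstance(pab, str):
        # Assumption: some exports serialise this block as a JSON string.
        try:
            pab = json.loads(pab)
        except ValueError:
            pab = {}
    # Anything that is not an explicit "true" counts as weak: false or empty.
    weak = [k for k in PAB_KEYS if _as_bool(pab.get(k)) is not True]
    return {"accountId": row.get("accountId"),
            "bucket": row.get("resourceId"), "weak": weak}


def find_candidates(rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep buckets with at least one weak setting, sorted by account for triage."""
    hits = [c for c in (classify(r) for r in rows) if c["weak"]]
    return sorted(hits, key=lambda c: (c["accountId"] or "", c["bucket"] or ""))


def run_query(aggregator_name: str, region: str = "us-east-1") -> Iterator[Dict[str, Any]]:
    """Page through the aggregator query (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the offline helpers above do not require it
    client = boto3.client("config", region_name=region)
    kwargs = {"ConfigurationAggregatorName": aggregator_name,
              "Expression": QUERY, "Limit": 100}
    while True:
        resp = client.select_aggregate_resource_config(**kwargs)
        for item in resp.get("Results", []):
            yield json.loads(item)  # each result row is a JSON-encoded string
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


# Constructed sample rows in the shape the query returns (account IDs are fake).
SAMPLE_ROWS = [
    {"resourceId": "audit-logs-prod", "resourceType": "AWS::S3::Bucket",
     "accountId": "111111111111",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
         "blockPublicPolicy": "true", "blockPublicAcls": "true",
         "ignorePublicAcls": "true", "restrictPublicBuckets": "true"}}},
    {"resourceId": "marketing-site", "resourceType": "AWS::S3::Bucket",
     "accountId": "222222222222",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
         "blockPublicPolicy": "false", "blockPublicAcls": "true",
         "ignorePublicAcls": "true", "restrictPublicBuckets": "false"}}},
    {"resourceId": "legacy-uploads", "resourceType": "AWS::S3::Bucket",
     "accountId": "111111111111",
     "supplementaryConfiguration": {}},  # no Public Access Block configured at all
]

if __name__ == "__main__":
    # Swap SAMPLE_ROWS for run_query("your-aggregator-name") to hunt for real.
    for c in find_candidates(SAMPLE_ROWS):
        print(f'{c["accountId"]} {c["bucket"]}: weak={",".join(c["weak"])}')
```

The output lists the account ID first, which is the point of the post: in a large organization the hard part is not spotting the bucket but knowing which account owns it. A bucket with no PublicAccessBlockConfiguration at all is treated the same as one with a false setting, since either way nothing is stopping a public policy or ACL.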

A full list of S3 bucket properties used when querying Config can be found here.

As of the initial writing (2020-11-02), there is no bucket property that defines whether a bucket is public. Until such a property is available, this is a good start.

This query, along with others I regularly use, can be found in my aws-secops collection. If you find it useful or have suggestions, please drop me a line!

Bonus for Security Hub Users

If you use Security Hub, you can find this information in the finding for failed security standard checks. Sweet!

Under Security Standards > AWS Foundational Security Best Practices > S3.2 you are presented with a list of all world-readable S3 buckets. Clicking on the title of a failed check will open an info pane to the right containing, among other data, the AWS account ID containing the bucket.

Enable the AWS Foundational Security Best Practices standard if you haven't already. Once enabled, you'll need to wait several hours up to a few days for all of your accounts to check in.

Security Hub is slowly maturing into a highly usable product, especially in multi-account organizations. If it's been a while since you've checked it out, give it another go! (Caveat: as with most other AWS services, you'll need to enable Security Hub in all accounts you wish to monitor. This is a laborious process if you have many accounts.)

Chris Lockard
Security Geek