AWS Adds Controls To Block Public Access to S3
To curb the rash of data leaks caused by mismanaged Amazon S3 buckets, Amazon Web Services (AWS) this week introduced a new feature that lets administrators block public access to their data.
The feature, called "Amazon S3 Block Public Access," is really a group of four security settings that administrators can turn on or off across their entire AWS account or on a per-bucket basis. Once the settings are turned on, they apply to the user's current environment, as well as to any buckets they create in the future.
"You have the ability to block existing public access (whether it was specified by an ACL [access control list] or a policy) and to ensure that public access is not granted to newly created items," wrote AWS evangelist Jeff Barr in a blog post. "If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. Our goal is to make clear that public access is to be used for web hosting!"
The settings -- which can be accessed via the S3 console, the command-line interface or the S3 API -- are as follows:
- Block new public ACLs and uploading public objects
- Remove public access granted through public ACLs
- Block new public bucket policies
- Block public and cross-account access to buckets that have public policies
Administrators can apply the settings one way across their entire account, and in a different way for individual buckets, Barr noted. "If I set some options at the account level and others on a bucket, the protections are additive."
When a user creates a new bucket, the account-level settings apply to it automatically; the user has to manually enable or disable the settings on that individual bucket if it requires a different level of public access than the rest of the account.
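The four settings above map onto the four boolean fields of the public access block configuration that the S3 CLI and API take (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets, in the order the list gives them). The script below is an added example, not code from AWS or from the article, showing how an administrator would turn all four on at the account level, turn them on for an individual bucket, and audit which buckets do not yet have them enabled. It assumes the AWS CLI is installed and that the configured credentials may read and write the public access block configuration; the account ID and the sample JSON response are constructed placeholders.

```shell
#!/bin/sh
# Added example (not AWS's own tooling): apply and audit the four
# S3 Block Public Access settings with the AWS CLI.

# The four settings, in the order the article lists them.
PAB_KEYS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"

# Build the shorthand value the CLI expects for
# --public-access-block-configuration, with every setting set to "$1"
# ("true" or "false"). Example: pab_config true
pab_config() {
    value="$1"
    out=""
    for key in $PAB_KEYS; do
        out="${out:+$out,}$key=$value"
    done
    printf '%s' "$out"
}

# Return 0 only if the JSON returned by get-public-access-block has all
# four settings true; a missing or false setting makes the check fail.
pab_all_enabled() {
    json="$1"
    for key in $PAB_KEYS; do
        printf '%s' "$json" | grep -Eq "\"$key\": *true" || return 1
    done
    return 0
}

# Account-level guard (s3control API). Bucket-level settings applied
# later are additive on top of this.
apply_account_block() {
    aws s3control put-public-access-block \
        --account-id "$1" \
        --public-access-block-configuration "$(pab_config true)"
}

# Per-bucket setting (s3api). Use this for a bucket that must differ
# from the rest of the account.
apply_bucket_block() {
    aws s3api put-public-access-block \
        --bucket "$1" \
        --public-access-block-configuration "$(pab_config true)"
}

# Print every bucket that does not have all four settings enabled at the
# bucket level. A bucket with no configuration at all makes
# get-public-access-block fail, which is treated as "nothing enabled".
audit_buckets() {
    for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        json=$(aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null || printf '{}')
        pab_all_enabled "$json" || echo "$bucket: block public access NOT fully enabled"
    done
}

# Constructed sample of a get-public-access-block response (not real AWS
# output) so the check can be exercised without calling AWS.
SAMPLE_PARTIAL='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": false, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}'

# Usage: APPLY_ACCOUNT_ID=123456789012 sh s3-block-public.sh
# (the account ID is a placeholder). Without APPLY_ACCOUNT_ID set, the
# script only runs the offline check against the constructed sample.
if [ -n "${APPLY_ACCOUNT_ID:-}" ]; then
    apply_account_block "$APPLY_ACCOUNT_ID"
    audit_buckets
else
    pab_all_enabled "$SAMPLE_PARTIAL" || echo "sample: block public access NOT fully enabled"
fi
```

Note that `aws s3api get-public-access-block --bucket` reports only the bucket-level configuration; the account-level guard is read separately with `aws s3control get-public-access-block --account-id`, so a bucket flagged by `audit_buckets` may still be protected by the account-level settings, which is exactly the additive behaviour Barr describes.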
It should be noted that S3 buckets, by default, do not allow public access. Nevertheless, there has been a rash of organizations misconfiguring their S3 buckets, leading to the exposure of the personal data of hundreds of millions of individuals, as well as data critical to the security infrastructure of organizations.
AWS has taken several steps to address the problem, from releasing S3-specific security tools and features, to flat-out warning its users to lock down their buckets. This new Amazon S3 Block Public Access feature, which is now available in all commercial AWS regions, is just the latest step in that effort.