AWS has new tool for those leaky S3 buckets so, yeah, you might need to reconfigure a few things

Security a popular topic at Las Vegas event


At its re:Invent event, under way in Las Vegas, Amazon Web Services (AWS) dropped the veil on a new tool to help customers avoid spewing data stored on its S3 (Simple Storage Service) to world+dog.

"Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources," the cloud giant said.

Customers can enable Access Analyzer via a new option in the console for IAM (Identity and Access Management). The tool will then alert you when a bucket (an area of storage in S3) is configured to allow public access or access to other AWS accounts. The implication of the tool, of course, is that this is sometimes done accidentally via misconfigured policies or access control lists (ACLs).

A new single-click option will block public access – hopefully letting you avoid unauthorised use of the data before it is too late. The tool will also let you see which policy or ACL allows the access so that you know what to fix.

[Image: The AWS Access Analyzer for S3]

Some S3 buckets are, of course, deliberately public – as resources for a website, for example, or downloads to deploy or support an application. In this case, you can mark them within the tool to acknowledge that this is working as intended.
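A scaled-down version of the check described above, added here as an example rather than AWS's own code: it walks constructed bucket policies and ACL grants, reports which policy statement or ACL grant opens a bucket to everyone or to another AWS account, and archives public findings on buckets marked as intentionally public while still alerting on cross-account access. ACCOUNT_ID, the bucket names and the policy documents are assumptions constructed for the example.

```python
import json

# Constructed sample setup, not from the article: ACCOUNT_ID and the bucket names are assumptions.
ACCOUNT_ID = "111111111111"                      # the account that owns the buckets
INTENDED_PUBLIC = {"www-assets"}                 # buckets acknowledged as deliberately public
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
def _principals(p):
    """Flatten a Principal element ("*", one ARN, or {"AWS": [...]}) into a list of strings."""
    if isinstance(p, dict):
        return [x for v in p.values() for x in (v if isinstance(v, list) else [v])]
    return [p]
def _account_of(principal):
    """Owning account of a principal: a bare 12-digit id, or the fifth field of an ARN."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else (principal if principal.isdigit() else None)
def check_bucket(name, policy_json=None, acl_grants=()):
    """Return (bucket, source, kind, status) for every grant that reaches outside ACCOUNT_ID."""
    found = []
    statements = json.loads(policy_json)["Statement"] if policy_json else []
    for i, s in enumerate(statements if isinstance(statements, list) else [statements]):
        if s.get("Effect") != "Allow":
            continue
        for pr in _principals(s.get("Principal", {})):
            # Simplification: a "*" principal is flagged public even if a Condition narrows it.
            if pr == "*":
                found.append((f"policy statement {i}", "public"))
            elif _account_of(pr) not in (None, ACCOUNT_ID):
                found.append((f"policy statement {i}", f"cross-account {_account_of(pr)}"))
    for g in acl_grants:  # ACL grants to the AllUsers / AuthenticatedUsers groups are public
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((f"ACL grant {g['Permission']}", "public"))
    # Public access on an acknowledged bucket is archived; cross-account access always alerts.
    status = lambda kind: "acknowledged" if kind == "public" and name in INTENDED_PUBLIC else "alert"
    return [(name, src, kind, status(kind)) for src, kind in found]
SAMPLES = {  # bucket -> (policy document, ACL grants); constructed for this example
    "www-assets": (json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::www-assets/*"}]}), []),
    "customer-exports": (json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::customer-exports/*",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]}}]}),
        [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
          "Permission": "READ"}]),
}

def scan(samples=SAMPLES):
    return [f for name, (policy, grants) in samples.items() for f in check_bucket(name, policy, grants)]
```

Running `scan()` on the constructed samples yields one acknowledged public finding for www-assets and two alerts for customer-exports: a cross-account policy statement and a public READ ACL grant.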

At the re:Invent shindig, senior principal engineer Becky Weiss presented at a packed session on the fundamentals of AWS security. She explained that "there are security patterns that repeat everywhere in AWS" and divided the subject into three parts. The first is IAM, used to control access to cloud infrastructure. "Every AWS service uses IAM," she said. The second is KMS (Key Management Service), used to control data encryption. The third is VPC (Virtual Private Cloud), used to control access to a customer's virtual network.

Weiss gave concise explanations of how IAM policies work in AWS, and what you do if you need to allow access from one AWS account to resources which belong to a different account. AWS uses Organizations to make it easier to manage multiple accounts.

She also introduced VPC private and public subnets, security groups, which are firewall rules controlling access to these subnets, and VPC endpoints, which let you manage network access to resources outside the VPC such as AWS serverless resources like S3.

Securing AWS resources is challenging because of the number of different services and the scale of their usage. The starting point is to understand the security patterns which AWS has provided, and which Weiss did a good job of outlining.

These are all things that every AWS customer should understand, but at the end of the session your correspondent overheard one attendee say to another: "So basically we need to reconfigure everything."

As users enable the new Access Analyzer, our hunch is that no small number of alerts will be pinging. ®
