
TL;DR: Setting up access control of AWS S3 consists of multiple levels, each with its own unique risk of misconfiguration. We will go through the specifics of each level and identify the dangerous cases where weak ACLs can create vulnerable configurations impacting the owner of the S3 bucket and/or through third-party assets used by a lot of companies. We also show how to do it properly and how to monitor for these sorts of issues.

A simplified version of this write-up is available on the Detectify blog.

Quick background

Amazon Web Services (AWS) provides a service called Simple Storage Service (S3) which exposes a storage container interface. The storage container is called a “bucket” and the files inside the bucket are called “objects”. S3 provides unlimited storage for each bucket and owners can use them to serve files. Files can be served either privately (via signed URLs) or publicly via an appropriately configured ACL (Access Control List) or ACP (Access Control Policy).

AWS also provides a content delivery network (CDN) service called CloudFront, which is often configured to quickly serve S3-hosted files/objects from an optimized CloudFront server as close as possible to the user who is requesting the file.

Recently, a few blog posts have mentioned scenarios where the misconfiguration of an S3 bucket may expose sensitive data, as well as explaining that the S3 access control lists (ACLs) are quite different from the regular user permission setup in AWS, which is called Identity and Access Management (IAM). However, we decided to approach this from a different angle. By identifying a number of different misconfigurations, we discovered that we could suddenly control, monitor and break high-end websites due to weak configurations of the bucket and object ACLs.

Disclaimer

All instances disclosed below were reported to the affected parties using responsible disclosure policies. In some of the cases, third-party companies were involved and we got assistance from the companies affected to contact the vulnerable party. We do not recommend testing any of the vulnerable scenarios below without prior approval.
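As an added example (not code from the original write-up), one way to monitor your own buckets for the weak bucket ACLs described here is to flag grants to S3's two global groups. It assumes the ACL is a dict shaped like the S3 GetBucketAcl response; the function name, severity labels, bucket name and sample ACL are constructed for illustration.

```python
# Added example: flag bucket ACL grants to S3's global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# What each permission allows when granted on a bucket ACL.
BUCKET_IMPACT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "READ, WRITE, READ_ACP and WRITE_ACP combined",
}
HIGH = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # severity labels are an assumption


def audit_bucket_acl(bucket, acl):
    """Return one finding per grant made to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in (ALL_USERS, AUTH_USERS):
            continue  # grants to named accounts are not reviewed here
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "grantee": "anyone" if uri == ALL_USERS else "any AWS account",
            "permission": perm,
            "severity": "high" if perm in HIGH else "medium",
            "impact": BUCKET_IMPACT.get(perm, "unknown permission"),
        })
    # "high" sorts before "medium", so the worst grants come first.
    return sorted(findings, key=lambda f: (f["severity"], f["permission"]))


# Constructed sample ACL (placeholder owner ID, hypothetical bucket name).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS},
         "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for f in audit_bucket_acl("example-bucket", SAMPLE_ACL):
        print(f"[{f['severity']}] {f['bucket']}: {f['grantee']} may {f['impact']}")
```

Object ACLs use the same grant structure, but the permissions mean different things on an object, so the impact table above applies to bucket ACLs only.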
