Thursday, August 1, 2019

AWS S3 Access Control Options


Understanding which access control mechanism to employ in order to control and audit access to your S3 buckets and objects is tricky. This is because the method to be chosen really depends on how you intend to use the buckets and also the way you work within your organization.

I went through several resources, blogs, forums and Amazon's own resources to make it understandable and easy to remember. It helped me understand many points, I hope it helps you as well.

There are mainly 3 ways of regulating the access to the buckets and objects in S3 which are namely:
  • Bucket Policies
  • Bucket ACLs
  • IAM Policies

Bucket Policies: A “Bucket Policy” is an internal regulation structure specific to S3 which means that bucket policies can only be employed within S3 and nowhere else. They are applied at the bucket level, which also means that a same policy should be manually applied to each and every bucket for the same controls.

It allows AWS admins to apply enforcement actions (allow or deny) per users/ groups (principals) for specific actions (put, delete, read, etc.).

Typical Use Cases
  • When granting cross-account access to S3 resources in a simple way, without using IAM.

You can use ACLs to grant cross-account permissions to other accounts, but ACLs support only a finite set of permission (List, Read, Write), these don't include all Amazon S3 permissions. For example, you cannot grant permissions on bucket sub-resources using an ACL. Although both bucket and user policies support granting permission for all Amazon S3 operations, the IAM policies are for managing permissions for ONLY users in your account. For cross-account permissions to other AWS accounts or users in another account, you must use a bucket policy.
  • When there is a need to write bigger policies in size. Bucket Policies can be up to 20 KB, (IAM policies can be up to 2 KB for users, 5 KB for groups and 10 KB for roles).
  • When you prefer keeping the access controls within S3.
IAM Policies: An IAM policy is the de facto way of regulating access control for all the resources in AWS, therefore they are more general.

An interesting difference between S3 Bucket Policies and IAM Policies is that in the Bucket Policies JSON document, there is a “Principal” field to be filled detailing to which user or group the actions are going to be applied. The principal field does not exist in IAM policies because in order to be functional, they already have to be assigned to a user or a group.

Typical Use Cases
  • Creating centrally managed, user-based access policies and control everything from IAM.
  • Manage a bigger number of buckets.

Bucket ACLs: The Bucket ACLs are the legacy way of controlling access to buckets and objects in S3. They are more granular compared to bucket policies as they can be applied per object and not per bucket.

Bucket ACLs use an Amazon S3–specific XML schema and do not look like bucket policies or IAM policies which are JSON files.

There are currently only 3 actions supported by Bucket ACLs which are List, Read and Write. Detailed permissions such as in bucket policies or IAM policies are not possible with Bucket ACLs.

There are limits to managing permissions using ACLs. For example:
  • You can grant permissions only to other AWS accounts; you cannot grant permissions to users in your account.
  •  You cannot grant conditional permissions, nor can you explicitly deny permissions.

ACLs are suitable for specific scenarios. For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using object ACL by the AWS account that owns the object.

Typical Use Cases
  • Cross-account access.
  • Object level permission setting requirements within a bucket.
  • The only recommended use case for the bucket ACL is to grant write permission to the Amazon S3 Log Delivery group to write access log objects to your bucket.

Bucket Policies and IAM Policies are User-based policies while Bucket ACLs are resource based.



If you’re still unsure of which to use, consider which audit question is most important to you:
  • If you’re more interested in “What can this user do in AWS?” then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have. 
  • If you’re more interested in “Who can access this S3 bucket?” then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy.
Avoid using Bucket ACLs except for the specific cases mentioned above.


Tuesday, July 16, 2019

Account compromise incident response in AWS

Account compromise incident response in AWS

In case of account compromise, the suggested actions to take are:
  • Change the root password and delete root access keys if you haven’t done that before.
  • Add MFA to the root account  if you haven’t done that before.
  • Change all user account passwords ( I strongly doubt about this one but the documentation says so, for certification exam purposes consider this one true)
  • Delete or  rotate potentially compromised account access keys.
  • Delete unrecognized/unauthorized instances and IAM users through the help of AWS Config and CloudTrail.

Realizing Security Assessments in AWS

Realizing Security Assessments in AWS

I tried to resume very shortly what services in AWS can be assessed for security under which conditions. Security assessments cover application and infrastructure penetration tests, DDoS tests and other network stress tests.
Pentesting is only allowed for below given 8 AWS services:
  • EC2 instances, NAT Gateways, ELBs
  • RDS
  • CloudFront
  • Aurora
  • API Gateways
  • Lambda and Lambda Edge
  • Lightsail
  • Elastic Beanstalk
Prior to the pentest pen-test-nda@amazon.com shoud be contacted for a private preview and NDA.
Following activities are prohibited:
  • DNS  zone walking via Route53 Hosted Zones
  • DoS, Simulated DoS and DDoS
  • Port Flooding
  • Protocol Flooding
  • Request Flooding
Scans are suggested to be limited to 1 Gbps or 10K Requests per Second.
Below given instance types are recommended to be excluded from security assessments.
  • T3.nano
  • T2.nano
  • T1.micro
  • M1.small
IP addresses to be used during the security assessment should be sent to aws-security-simulated-event@amazon.com
Following events are considered as simulated events:
  • Security simulations or security game days
  • Support simulations or support game days
  • War game simulations
  • White cards
  • Red team and blue team testing
  • Disaster recovery simulations.
  • Other simulated events
AWS must be informed about these events through aws-security-simulated-event@amazon.com and a detailed examination takes place before approval.
For Network stress testing such as DDoS tests, customers are  supported via pre-approved vendors noted below.
For more information, you can consult https://aws.amazon.com/security/penetration-testing page.