Security news that informs and inspires

AWS Adds Feature to Block Public Access to S3 Buckets


Amazon is making a significant change to the options customers have for locking down their AWS cloud accounts, allowing them to block all public access to those accounts and even to individual S3 buckets.

The new feature gives AWS customers the chance to make the change for all of their existing S3 buckets, as well as any new ones created in the future. Although Amazon Web Services accounts and individual storage buckets are private by default, customers often will make certain accounts or buckets public in order to share resources with other people or groups. But there have been many examples in recent years of people leaving buckets containing sensitive information exposed by mistake.

The Department of Defense has had several individual incidents in which sensitive data was publicly accessible in S3 buckets, and many large companies have had similar incidents, including Time Warner Cable, Verizon Wireless, and Dow Jones.

Amazon Web Services (AWS) is the company’s cloud storage and compute platform, used by a wide range of enterprises, small businesses, and individuals for a variety of different tasks. The platform has a number of different tiers and packages, but the Simple Storage Service (S3) is among the more popular.

“This is a new level of protection that works at the account level and also on individual buckets."

Some security researchers have been looking for and publicizing S3 buckets that are publicly exposed with sensitive data in them. So to help customers protect themselves against making a public mistake, Amazon is switching up the way access control works.

The new S3 Block Public Access feature gives customers a detailed level of control over what accounts or buckets are accessible to outsiders.

“This is a new level of protection that works at the account level and also on individual buckets, including those that you create in the future. You have the ability to block existing public access (whether it was specified by an ACL or a policy) and to ensure that public access is not granted to newly created items. If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure,” Jess Barr of AWS said.

Customers can use the new feature in a number of different ways, including through the S3 Console, S3 APIs, and the command line.

The new security capability builds on a change that Amazon made last year, when the company introduced a feature that gave users a clear visual indication of which buckets are public and which are private.