Blog   |   Security   |   February 26, 2018

AWS Makes it a Little Easier to Secure S3 Buckets

In a welcome move, Amazon has made their S3 Bucket permissions check free for everyone, not just those who pay extra for Business or Enterprise Support. 2017 saw extensive press coverage of enterprises that had left confidential data exposed on public cloud storage. While AWS and all cloud providers conform to a Shared Responsibility Model, and AWS makes S3 storage private by default, enough organizations were not following best practices for this to be a newsworthy issue.
CloudCheckr has already been giving away S3Checkr.com for free since July, 2017. “It’s in everybody’s interest that the cloud be secure,” noted Adam Kranitz, Director of Marketing at CloudCheckr. “That’s why we made S3Checkr.com free as well as BlobCheckr.com for Azure storage. Sometimes administrators need that extra reminder to lock down their storage, like a reminder to change your smoke alarm batteries.”
S3 Breach Tool
While this move from AWS is a good start, it is only part of the solution. After all, many of the large enterprises that were exposing confidential data were likely AWS Business customers and were already entitled to use AWS’ Trusted Advisor tools for free. What is needed is automated self-healing, as provided by CloudCheckr. Indeed, many of CloudCheckr’s 500+ Best Practice Checks offer “Fix Now” and even “Always Fix” capabilities. This means fixing an S3 bucket’s permissions can be done with the click of a mouse. And with “Always Fix” activated, whenever such a misconfiguration is detected, CloudCheckr can fix it automatically, even while administrators are sleeping.
It’s also worth noting that a single check to see if S3 buckets are open to the public is important, but CloudCheckr actually has over twenty checks dedicated to S3 permissions alone. CloudCheckr’s S3 checks include list, edit, upload/delete, view, view permissions and whether the user is an AWS user or the general public. CloudCheckr can even check if sensitive data is exposed, looking for keywords such as legal, classified, undisclosed, payroll, HIPAA, audit, invoice, confidential, plus dozens more. Plus, Trusted Advisor is integrated into CloudCheckr so there is no need to check your configuration in two places.
S3 checks green
At the end of the day, the Shared Responsibility Model means cloud administrators have to secure everything in their domain. Cloud providers offer the tools, but admins need to follow best practices, ideally automatically.
Schedule a demo to see how CloudCheckr can help you optimize your cloud, or try a 14-day free trial.

Todd Bernhard headshot
About the Author

Todd Bernhard has been with CloudCheckr handling Product Marketing and Technical Evangelism roles since 2017. He holds multiple certifications including AWS Solutions Architect Associate, Microsoft Azure Fundamentals, Google Cloud Associate Engineer and FinOps Certified Practitioner. Prior to joining CloudCheckr, Mr. Bernhard was an award-winning, bestselling mobile app developer and entrepreneur and previously worked for Sun Microsystems, as an Evangelist, Sales and Technical Trainer and Product Marketing Manager for Sun’s high-end data center servers.