As part of the ongoing DLP (Data Leak Prevention) strategy across the entire organisation, Infosec has identified a few key areas where we can improve our posture. One of those areas is public S3 buckets.
Consequently, the Security Operations Team, in collaboration with the Cloud Infrastructure Team, has started an initiative to control public S3 buckets: restricting the creation of new public buckets across all of our AWS accounts, and auditing the currently allowed public S3 buckets to make sure they are compliant. This will help us prevent S3 data leaks caused by accidental or misconfigured buckets going forward.
We are planning to implement the restriction across all of our AWS accounts by enabling the S3 Block Public Access feature at the account level, with the settings we consider appropriate. Please note that existing public buckets will not be impacted and will still be publicly accessible after the change.
The proposed change will be pushed on August 4th 2020. After that, public bucket creation has to be approved by the Security Team by following a well-defined procedure. Details below.
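To make the "existing public buckets will not be impacted" point concrete, here is an added example (not part of this announcement or of any team's tooling) that models the four account-level Block Public Access flags: `BlockPublicAcls` and `BlockPublicPolicy` reject new public ACLs and policies, while `IgnorePublicAcls` and `RestrictPublicBuckets` are the ones that would also close already-public buckets. The bucket inventory and the account ID are constructed; `apply_account_block` uses the real boto3 `s3control` calls but is only invoked if you pass it a client.

```python
"""Model of S3 Block Public Access (BPA) applied at the account level.

Flag semantics follow the AWS documentation:
  BlockPublicAcls / BlockPublicPolicy      reject NEW public ACLs / policies
  IgnorePublicAcls / RestrictPublicBuckets also neutralise EXISTING ones
"""
from dataclasses import dataclass
from typing import Optional

# Account-level setting matching the announcement: block new public
# buckets, leave buckets that are already public reachable.
BLOCK_NEW_PUBLIC_ONLY = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,
}

@dataclass
class Bucket:
    name: str
    public_acl: bool     # ACL grant to AllUsers / AuthenticatedUsers
    public_policy: bool  # bucket policy with a public principal

def effective_bpa(account: dict, bucket: Optional[dict] = None) -> dict:
    """Account and bucket settings combine as a logical OR: most restrictive wins."""
    bucket = bucket or {}
    return {k: account[k] or bucket.get(k, False) for k in account}

def new_public_grant_allowed(bpa: dict, via: str) -> bool:
    """Would a PUT of a public ACL ('acl') or a public bucket policy ('policy') succeed?"""
    if via == "acl":
        return not bpa["BlockPublicAcls"]
    if via == "policy":
        return not bpa["BlockPublicPolicy"]
    raise ValueError(f"unknown grant type: {via}")

def still_public(bpa: dict, b: Bucket) -> bool:
    """Is an already-public bucket still reachable by anonymous callers under bpa?"""
    acl_open = b.public_acl and not bpa["IgnorePublicAcls"]
    policy_open = b.public_policy and not bpa["RestrictPublicBuckets"]
    return acl_open or policy_open

def audit(bpa: dict, buckets: list) -> list:
    """Names of buckets that remain public: the list the Security Team reviews."""
    return [b.name for b in buckets if still_public(bpa, b)]

def apply_account_block(s3control, account_id: str, config: dict = BLOCK_NEW_PUBLIC_ONLY) -> dict:
    """Push the account-level setting via a boto3 s3control client and read it back."""
    s3control.put_public_access_block(AccountId=account_id, PublicAccessBlockConfiguration=config)
    return s3control.get_public_access_block(AccountId=account_id)["PublicAccessBlockConfiguration"]

# Constructed inventory for illustration; not real buckets.
SAMPLE_BUCKETS = [
    Bucket("static-assets", public_acl=False, public_policy=True),
    Bucket("legacy-uploads", public_acl=True, public_policy=False),
    Bucket("internal-reports", public_acl=False, public_policy=False),
]
```

Running `audit(BLOCK_NEW_PUBLIC_ONLY, SAMPLE_BUCKETS)` returns the two pre-existing public buckets, which is exactly why the audit of currently allowed public buckets runs alongside the account-level block.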
If you have a legitimate need for a public S3 bucket, your team has to go through the following procedure. [No exceptions.]
https://29022131.atlassian.net/wiki/spaces/S/pages/1431209201/AWS+S3+Public+Bucket+Public+Access+Request+Process
Feel free to reach out to us via the #tvlk-infosec-support channel, or via email to secops@traveloka.com, if you have any other questions or concerns about the process or the initiative itself.