Due to some recent high profile data leak incidents and as part of the on-going DLP (Data Leak Preventation) strategy accross the entire organization, Infosec has identified a few key areas were we can improve our posture, among those areas was that of Public S3 buckets.

Consequently, Security Operations team in collaboration with Site-Infra team have come up with the initiative to control Public S3 buckets by restricting creation of new public buckets across our AWS account Organisation as well as audit the current allowed S3 Public bucket to make sure they are compliant. This will help us to prevent possible S3 data buckets leaks due to accidental and/or misconfigured going forward.

What is the Plan and Timeline ?

We are planning to implementing the restriction to all accounts by enabling block public access feature at Account level. as we see fit. Please note that existing public buckets will have no impact and will be publicly accessible for normal operations.

As for the timeline, we will be implementing this changes on August 1st 2020. Post that, public bucket creation has to be approved from Security Team by following a well defined-procedure. Details below.

What do you need to do ?

For any new S3 bucket creation that needs public access, product teams have to go through the following procedure. No exceptions.

In summary, the procedure will be :

Requester Team need to open JIRA ticket to Information Security “Requesting for public S3 bucket access” .

The ticket should contain at the minimum the below information:

Context around the need for it with a Proper Business Proposal/Justification.
Details about the data present in the bucket in order for the security team to assess the sensitivity of the data.
Target AWS Account information
Name of the bucket in the account which needs to be public. (Please note that the bucket should be already created).
Intended Bucket Policy allowing public access if custom.
Approval from Business Head from the respective product domain.

If the request is approved based on the business requirement and security considerations, Security team will make the necessary changes.
If the request does not satisfy the business and/or security needs. Approval might be rejected with the details of outcome / decision.

3.- Once approved, Security team will make the bucket public (in step 1) in the respective account and communicate with the respective team.
4.- Wait for the team to test the operations and confirm to security team.
5.- Request Closure.

For further details and the official process flow, please refer to the below confluence link.
https://29022131.atlassian.net/wiki/spaces/S/pages/1431209201/AWS+S3+Public+Bucket+Public+Access+Request+Process

Feel free to reach out to us in case of any other questions around the process.

[IMPORTANT] [ACTION REQUIRED] Security Announcement: Restricting Public Buckets across AWS Organisation

Background

What is the Plan and Timeline ?

What do you need to do ?