S3 Bucket with Public Access
Dear Fellow Engineer,
We have received notifications from AWS and from Cloud Conformity about S3 buckets with public read (s3:GetObject) access. Public read access is considered unsafe and can damage our organization.
Why
- A public S3 bucket that contains sensitive data (customer data, finance reports, vouchers, etc.) can be read by anyone on the internet, leaking sensitive data that can damage our organization.
- Downloading or getting objects from an S3 bucket is not free. A bucket with public read access can be abused by anyone on the internet with a high volume of GET or download requests, which drives up the cost of our S3 bucket, and guess who is going to pay for it? Yes, our organization :').
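To make the finding concrete, here is an added example (not part of this notification, and not Cloud Conformity's or AWS's own check) of what a "public read" grant looks like in a bucket policy and in a legacy ACL, with a small audit function that flags such grants and a helper that narrows the principal to one IAM role. The sample policy, ACL and the role ARN with account 123456789012 are constructed placeholders.

```python
"""Flag public s3:GetObject grants in a bucket policy or ACL, and narrow them to one IAM role."""
import fnmatch

# Constructed sample: a bucket policy of the kind that triggers the public-read finding.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

# Constructed sample: a legacy ACL granting READ to the AllUsers group (anyone on the internet).
PUBLIC_READ_ACL = {
    "Grants": [
        {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ",
        }
    ]
}

PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, still public
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "*" and {"AWS": "*"} both mean "anyone", unless a Condition narrows the statement.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_get_object(actions):
    # Wildcards such as "s3:Get*", "s3:*" or "*" also cover s3:GetObject.
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def find_public_get_object(policy):
    """Return (Sid, kind) for every Allow statement that lets anyone read objects."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_get_object(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        # A Condition (e.g. aws:SourceArn for a CloudFront distribution) may narrow the grant;
        # report it separately so it gets a manual review instead of an automatic rewrite.
        findings.append((sid, "public-with-condition" if "Condition" in stmt else "public"))
    return findings


def acl_has_public_read(acl):
    """True if a legacy ACL grants READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


def restrict_read_to_role(policy, role_arn):
    """Copy of the policy where unconditional public read statements name only role_arn.

    Only the Principal is narrowed; reviewing whether the Action list itself is wider
    than needed (least privilege) is a separate step.
    """
    new_statements = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and _grants_get_object(stmt.get("Action", [])) and "Condition" not in stmt):
            stmt = {**stmt, "Principal": {"AWS": role_arn}}
        new_statements.append(stmt)
    return {**policy, "Statement": new_statements}


if __name__ == "__main__":
    print("findings:", find_public_get_object(PUBLIC_READ_POLICY))
    print("acl public:", acl_has_public_read(PUBLIC_READ_ACL))
    hardened = restrict_read_to_role(PUBLIC_READ_POLICY, "arn:aws:iam::123456789012:role/voucher-reader")
    print("findings after hardening:", find_public_get_object(hardened))
```

Run it over the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` (both documents parsed as JSON) for each bucket in the list below to confirm which grant the report is referring to before changing anything.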
What Should You Do
- Identify whether you really need to grant read access to the public internet.
- Classify the data stored in the S3 bucket; you can follow this guideline [1].
- If possible, lock down read permission on the S3 bucket to a specific IAM user or role.
- Use an S3 presigned URL [2] to give your users temporary read access to objects in the bucket.
- Use CloudFront if your use case is to serve content to the internet. CloudFront will cache the files or assets in your S3 bucket and, when the bucket policy only allows CloudFront's origin access identity or origin access control to read, prevents direct access to the bucket.
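The presigned-URL option deserves a closer look, because it is the one that keeps the bucket private while still letting a user download one object for a limited time. The following added example (not part of this notification, and not the AWS SDK's own code) builds a SigV4 query-string-signed GET URL with only the standard library, then reads the expiry back out of the URL so that you can see that the access window is carried in the URL itself. In practice you would call `generate_presigned_url` from boto3; the point here is to show what the SDK produces. The bucket name, object key, access key id `AKIAEXAMPLEKEY` and secret are constructed placeholders.

```python
"""Build an S3 presigned GET URL (SigV4 query-string auth) and check its expiry, stdlib only."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # SigV4 presigned URLs are limited to seven days


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region, service="s3"):
    # SigV4 key derivation: the secret itself never leaves the signer, only a derived key is used.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_get_object(bucket, key, region, access_key, secret_key, expires_in, now):
    """Return a time-limited GET URL for s3://bucket/key; the object itself stays private."""
    if not 1 <= expires_in <= MAX_PRESIGN_SECONDS:
        raise ValueError("expires_in must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: parameters sorted by name, RFC 3986 encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",   # canonical headers block, terminated by an empty line
        "host",             # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        _signing_key(secret_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presigned_url_expiry(url):
    """The moment after which S3 rejects the URL, read from X-Amz-Date + X-Amz-Expires."""
    q = parse_qs(urlparse(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def is_expired(url, now):
    return now >= presigned_url_expiry(url)


if __name__ == "__main__":
    issued_at = dt.datetime.now(dt.timezone.utc)
    # Constructed credentials: replace with a role-scoped credential in real use.
    url = presign_get_object("example-bucket", "vouchers/report.pdf", "ap-southeast-1",
                             "AKIAEXAMPLEKEY", "constructed-secret", 900, issued_at)
    print(url)
    print("expires at", presigned_url_expiry(url).isoformat())
```

Two things to notice: the signing identity is the caller's own (here a placeholder), so the object can be fetched only with what that IAM principal is allowed to read, and the URL stops working after `X-Amz-Expires` seconds, so a leaked link is far less damaging than a bucket that is readable forever.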
Affected Resources
The full report can be seen here [3].
- athbck-jwks-631418022601-680acf0573f1f493
- athbck-router-631418022601-de1317b47cf4ff3e
- athbck-jwks-956362788301-dc94b74891073482
- athbck-router-956362788301-4be1d26253e2d6c3
- tvlk-data.com
- txt-aries-app-functions-ap-southeast-1-229111731822-98f8e42f0e
- cnt-atr-image-715824975366-bd0c034ea39274d0
- pps-voucher-715824975366-7df8dc25ffbcd958
- s3.traveloka.com
- traveloka
- tvlk-prod-ath-auth0-public-url
- tvlk-prod-experience-voucher-images
- tvlk-prod-public-keys
- tvlk-prod-xxt-assets
- tvlk-dev-exp-assets
- txt-aries-app-functions-ap-southeast-1-360852443930-158607c487
References: