Received S3 bucket security notification email for my AWS account?

 

Recently I have got an email related to my AWS S3 buckets ACL and the email says:

We're writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) or bucket policies are currently configured to allow read or write access from any user on the Internet. The list of buckets with this configuration is below.

By default, S3 bucket ACLs or policies allow only the account owner to read or write contents from the bucket; however, these ACLs or bucket policies can be configured to permit world access. While there are reasons to configure buckets with world access, including public websites or publicly downloadable content, recently, there have been public disclosures of S3 bucket contents that were inadvertently configured to allow world read or write access but were not intended to be publicly available.

We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend. Bucket ACLs and policies can be reviewed in the AWS Management Console (http://console.aws.amazon.com ), or using the AWS CLI tools. ACLs permitting access to either “All Users” or “Any Authenticated AWS User” (which includes any AWS account) are effectively granting world access to the related content.

So, my question is what should I do to overcome this?

As the first answer, yes these mails are like reminders. What should you do is;

  • Spot the S3 Buckets that needs to be private
  • Check their Bucket ACL's. Look to the Public Access & Listing
  • After that check the Bucket policy. Remember that Bucket policies are more valid than the ACL's (For example, ACL may set to DENY mode but if the policy is on ALLOW, every object would be Public)
  • For the best practices please check this link; https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf [Page 28 of 74]

    • This is a courtesy notice , letting you know that content in Amazon S3 is public. If this is how you want your S3 bucket(s) configured, then there is no need to take action.

    If this is not how you wish your buckets to be configured, then you should remove those permissions. (See plenty of online information on how to do this.)

    I suspect that many people just blindly copy instructions from various online tutorials and might not realise the impact of their configurations. This email is just letting AWS customers know about their current configuration.

    链接地址: http://www.djcxy.com/p/70220.html

    上一篇: 使用boto和python为s3存储桶配置生命周期时出现错误403 Forbiden

    下一篇: 收到我的AWS账户的S3存储桶安全通知电子邮件?