W3 Total Cache
Amazon S3 Bucket Security issue (11 posts)

  1. squaretwo
    Member
    Posted 9 months ago #

    I received this email from Amazon S3. I suppose everyone who uses S3 has received this.
    My thinking is - 'it is ok' because if debug info is switched off, the bucket URL is not discoverable - except via a malicious port scan against amazonaws.com.
    What is your thought on this?
    It will be good if authentication (signed url) is used.

    from Amazon:
    We’ve noticed that your Amazon S3 account has a bucket where your permissions allow anonymous requestors to perform READ operations, enumerating the contents of the bucket. Amazon S3 buckets are private by default. Recently, some tools and scripts have emerged which scan services like Amazon S3 and enumerate objects in publicly listable buckets. These tools could be used to identify objects in your bucket. The use of these tools against your buckets may also produce unintended charges in your account.

  2. digitaltoast
    Member
    Posted 9 months ago #

    I just got this too and was slightly alarmed to find EVERYTHING from my blog was listed - .htaccess, config files etc.

    Of course, I've changed the passwords and immediately removed the LIST permission from "everyone", and the blog seems to be working fine still, but a bit of a worry, and wondering why it's set up like that.

  3. squaretwo
    Member
    Posted 9 months ago #

    Would CDN still work if you remove LIST?

  4. maryloutyler
    Member
    Posted 9 months ago #

    I too, got this message and am not sure what to do. Do I need to modify the ACL access privileges AND change my logon passwords to the wordpress site? It sounds as if they have a hacker getting into AWS. But, they don't give explicit instructions for us non-programmer types on how to fix it. Can anyone shed light, in layman's terms, on what we need to do, step-by-step?

    Many thanks - here I thought we were safer with AWS.

  5. digitaltoast
    Member
    Posted 9 months ago #

    @maryloutyler - I just logged into S3, clicked the bucket name on the left, clicked "properties" and deleted the line which contained "LIST" for "EVERYONE". Don't delete the other properties though - people still need to be able to actually see the items, just not list the whole bucket.

  6. maryloutyler
    Member
    Posted 9 months ago #

    Thank you.

    I'm using Firefox's S3Fox plugin. There was no LIST option, but there is a USERNAME column when I right-click on EDIT ACL that had the EVERYONE username listed with READ PRIVILEGE. I've deleted that USERNAME at the root folder level and applied the changes to ALL SUBFOLDERS.

    I'll watch the folder today. I saw files over the weekend that looked suspicious, and wasn't sure if it was my testing of the CloudFront that was causing it. I read through the documentation and it was like reading a foreign language.

    All the AWS Security comment areas are closed - so you cannot really ask for assistance. Even their e-mail this morning was cryptic. Unnerving...

    I appreciate the quick response.

  7. digitaltoast
    Member
    Posted 9 months ago #

    When you say "All the AWS Security comment areas are closed - so you cannot really ask for assistance", which forum are you using?

    The s3 forum is at:
    https://forums.aws.amazon.com/forum.jspa?forumID=24&start=0

    and in fact, someone has already started a thread about this here:
    https://forums.aws.amazon.com/thread.jspa?threadID=74701&tstart=0

    Might be worth following.

  8. maryloutyler
    Member
    Posted 9 months ago #

    I was looking at the Windows on Amazon EC2 Security Guide in the Articles and Tutorials section (one of the links that showed up when I googled AWS security issue how to fix). That particular page was not accepting comments.

    Thanks for providing the links. I'll keep watch today. Marylou

  9. sOliver
    Member
    Posted 9 months ago #

    I wrote a how-to for you guys: Amazon S3 Bucket Policy Fix

    You need to remove the "List" permission from grantee Everyone, as pointed out by digitaltoast.

  10. sOliver
    Member
    Posted 9 months ago #

    Uncheck "List":

    [screenshot: the "List" checkbox unchecked for the Everyone grantee]
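The fix digitaltoast and sOliver describe, as an added example that is not part of this thread or of the W3 Total Cache plugin: a small Python audit of a bucket ACL in the structure the S3 GetBucketAcl API returns (the same dict shape boto3's get_bucket_acl() gives), run here on a constructed sample ACL so it works offline. It goes slightly beyond the thread's "Everyone" by also treating the AuthenticatedUsers group (any AWS account holder) as public.

```python
# Added example (not from the thread). Audits an S3 *bucket* ACL for the grant
# that makes the bucket publicly listable and builds the corrected grant list.
# On a bucket ACL, READ means "list the objects"; FULL_CONTROL includes it.
# Object ACLs are separate and untouched, so individually public files
# (the blog's images, CSS, etc.) keep serving, as digitaltoast noted.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Everyone" in the console
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account, also public


def public_list_grants(acl):
    """Return the grants that let anonymous or any-AWS-account callers list the bucket."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        is_public_group = grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
        if is_public_group and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            found.append(grant)
    return found


def without_public_list(acl):
    """Copy of the ACL with the public LIST grants removed.

    The owner's FULL_CONTROL and every other grant are kept unchanged; the
    result has the shape S3's PutBucketAcl expects as AccessControlPolicy.
    """
    bad = public_list_grants(acl)
    return {"Owner": acl["Owner"], "Grants": [g for g in acl["Grants"] if g not in bad]}


# Constructed sample resembling the misconfiguration in the Amazon email:
# the owner has FULL_CONTROL and "Everyone" (AllUsers) has READ on the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for g in public_list_grants(SAMPLE_ACL):
        print("publicly listable via", g["Grantee"]["URI"], g["Permission"])
    fixed = without_public_list(SAMPLE_ACL)
    print("grants after fix:", [g["Permission"] for g in fixed["Grants"]])
    # With a real bucket (assumed boto3 session, not run here):
    #   acl = s3.get_bucket_acl(Bucket=name)
    #   s3.put_bucket_acl(Bucket=name, AccessControlPolicy=without_public_list(acl))
```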

  11. Frederick Townes
    Member
    Posted 3 months ago #

    I will rethink the default policies.
