The Best Way to Tackle Wide Open Buckets in AWS — CloudWatch and Lambda

VirClop
VirClop, Your Own Virtual Cloud Operator
3 min read · Oct 25, 2018

We have all heard about the wide open bucket sagas on AWS. They are one of the primary causes of data leaks in AWS.

Basically, because the organization wants to move fast, it forgets to change the policy on an S3 bucket to a prod-ready policy and leaves it wide open. Open source scanners out there will find those buckets and your reputation is ruined.

There are several ways to tackle this.

  • Run a scan every few hours to find open buckets in your environment. The problem with that approach is that the buckets have already been open for a few hours, and your reputation is ruined already
  • Trust that the engineering team will make use of the tools provided by the cloud service provider (such as Trusted Advisor, which is not real time) and the little orange notice that appears in the UI about open buckets (which the engineering team won't notice, because they do not log in to look at things)

Is there a solution that intercepts a change to an S3 bucket in real time, analyzes the policy in the change for a publicly open bucket and informs the security team to act on it (or deletes the bucket right away)?

There is, and it's very easy to implement. There are two parts to the solution:

  1. Intercept change API calls on S3
  2. Route those calls to a Lambda function to analyze

Intercept change API calls on S3

  • Create a CloudWatch Events rule on the S3 service with all S3 event types that would make a change to the bucket, i.e. the Put calls
  • Put a Lambda function as the target (see the next section about the function)

Analyze the policy for Wide Openness

An event that would create an open bucket looks like the one below

{'version': '0', 'id': 'da69ccaf-2a3a-a56f-e313-0e3629a90e18', 'detail-type': 'AWS API Call via CloudTrail', 'source': 'aws.s3', 'account': 'xxxx', 'time': '2018-10-25T19:43:13Z', 'region': 'us-east-1', 'resources': [], 'detail': {'eventVersion': '1.05', 'userIdentity': {'type': 'Root', 'principalId': '833730960164', 'arn': 'arn:aws:iam::xx:root', 'accountId': 'xxx', 'accessKeyId': 'xxxx', 'sessionContext': {'attributes': {'mfaAuthenticated': 'false', 'creationDate': '2018-10-25T19:29:49Z'}}, 'invokedBy': 'signin.amazonaws.com'}, 'eventTime': '2018-10-25T19:43:13Z', 'eventSource': 's3.amazonaws.com', 'eventName': 'PutBucketAcl', 'awsRegion': 'us-east-1', 'sourceIPAddress': 'xxx', 'userAgent': 'signin.amazonaws.com', 'requestParameters': {'bucketName': 'bucketname', 'AccessControlPolicy': {'AccessControlList': {'Grant': [{'Grantee': {'xsi:type': 'CanonicalUser', 'DisplayName': 'venkat', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'ID': 'fdcf4ef234e2682cd2697585091a998969932ca9557f127bc6c1adde807a9a82'}, 'Permission': 'FULL_CONTROL'}, {'Grantee': {'xsi:type': 'Group', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'}, 'Permission': 'READ'}]}, 'xmlns': 'http://s3.amazonaws.com/doc/2006-03-01/', 'Owner': {'DisplayName': 'xx', 'ID': 'fdcf4ef234e2682cd2697585091a998969932ca9557f127bc6c1adde807a9a82'}}, 'acl': ['']}, 'responseElements': None, 'additionalEventData': {'vpcEndpointId': 'vpce-xx'}, 'requestID': 'B5B5050F08482994', 'eventID': '0acbc6f7-ad0b-4f1b-bfeb-df8b6baff0f4', 'eventType': 'AwsApiCall', 'vpcEndpointId': 'vpce-xx'}}

So you want to catch the AllUsers grantee in the grants. For that, create a Lambda function with the following handler.

def lambda_handler(event, context):
    # The ACL grants of the PutBucketAcl call live under detail.requestParameters;
    # a crude string match is enough to spot the global AllUsers group among them
    if "AllUsers" in str(event['detail']['requestParameters']['AccessControlPolicy']['AccessControlList']['Grant']):
        print("Permission given to all Users")

As simple as that.
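A fuller version of that handler, as an added example rather than the post's own code: it walks the Grant list structurally instead of string-matching, also flags the AuthenticatedUsers group, and goes beyond the post by covering PutBucketPolicy calls that allow a wildcard Principal. The sample event is constructed, and the bucketPolicy key under requestParameters is an assumption about the CloudTrail record layout.

```python
import json

# Constructed sample, modelled on the PutBucketAcl event shown above (not the page's own event)
SAMPLE_ACL_EVENT = {"detail": {"eventName": "PutBucketAcl", "requestParameters": {
    "bucketName": "bucketname", "AccessControlPolicy": {"AccessControlList": {"Grant": [
        {"Grantee": {"xsi:type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]}}}}}

# Grantee URIs meaning "everyone on the internet" and "any AWS account holder"
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def as_list(x):
    # CloudTrail renders a single Grant or Statement as a dict, not a one-element list
    return x if isinstance(x, list) else [x]

def public_acl_grants(params):
    """(grantee URI, permission) for every grant to a public group in a PutBucketAcl call."""
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    return [(g["Grantee"]["URI"], g.get("Permission")) for g in as_list(acl.get("Grant", []))
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_statements(params):
    """Allow statements with a wildcard principal in a PutBucketPolicy call (assumes the
    policy arrives as requestParameters['bucketPolicy'], either a dict or a JSON string)."""
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for s in as_list((policy or {}).get("Statement", [])):
        p = s.get("Principal")
        if s.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            hits.append(s)
    return hits

def analyze_event(event):
    """Return a finding dict when the API call grants public access, else None."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters") or {}
    name = detail.get("eventName")
    checks = {"PutBucketAcl": public_acl_grants, "PutBucketPolicy": public_policy_statements}
    hits = checks[name](params) if name in checks else []
    return {"bucket": params.get("bucketName"), "eventName": name, "hits": hits} if hits else None

def lambda_handler(event, context):
    finding = analyze_event(event)
    if finding:  # print lands in CloudWatch Logs; alerting (Slack, SNS) would hang off this branch
        print("Permission given to all Users: " + json.dumps(finding))
    return finding
```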

You can solve many security monitoring use cases with serverless infrastructure like the above.

PS: If you want someone else to take the problem away for you, support the above use case and get an alert right into Slack, visit www.virclop.com

Cloud security with the speed of serverless and the convenience of Slack:

Add VirClop, your own cloud operator to Slack
