
AWS S3 Access Point modified to allow public access

ID: aws_s3_access_point_public
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that an Amazon Simple Storage Service (S3) access point was configured to allow public access. S3 access points provide named network endpoints with dedicated access policies to manage data access to shared datasets. Configuring these access points for public access may bypass intended security restrictions and potentially expose data beyond the organization's boundaries. This configuration could result from misconfiguration or, in some cases, may indicate an attempt to modify access controls.

Impact

Public S3 access points create security risks by potentially exposing data to unauthorized access. Adversaries could leverage these access points to bypass bucket-level permissions and access information stored in S3 buckets. This exposure may lead to data breaches, regulatory compliance violations, and potential reputational damage to the organization, depending on the sensitivity of the exposed data.

Severity

Severity    Condition
Low         AWS S3 access point public

Investigation and Remediation

Use the AWS Console or CLI to identify the affected S3 access point, its configuration, and the associated bucket. Review AWS CloudTrail logs to determine when, by whom, and how the access point was configured for public access. Modify the access point settings to remove public access and implement appropriate access point policies. Review S3 access logs and CloudTrail events for any unauthorized access or data retrieval during the exposure period. Consider enabling S3 Block Public Access at both the account and bucket levels to prevent future exposures. Set up AWS CloudWatch alerts and AWS Config rules to detect and notify security teams of public access point configurations.
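One way to carry out the CloudTrail review described above, as an added example that is not AlphaSOC's own detection logic: it scans constructed CloudTrail records for CreateAccessPoint calls that disable the public access block and PutAccessPointPolicy calls that grant to the anonymous principal, and reports who made the change, when, and how. The record layout, the PublicAccessBlockConfiguration parameter shape and the policy being carried as a JSON string are assumptions modelled on CloudTrail's S3 Control events.

```python
import json

# Constructed sample CloudTrail records (not real log data); the field layout is an
# assumption modelled on CloudTrail's S3 Control events.
ANON_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/shared-ap/object/*"}]}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateAccessPoint", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "shared-ap", "bucket": "example-bucket",
         "PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutAccessPointPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "shared-ap", "policy": json.dumps(ANON_POLICY)}},
]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_is_public(policy):
    """True if an Allow statement grants to the anonymous principal with no Condition."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    statements = policy.get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # denies and conditioned grants are not unrestricted public access
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])):
            return True
    return False

def find_public_access_point_changes(events):
    """Summarise who/when/how for each CloudTrail event that opens an access point to the public."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        params, name, reason = ev.get("requestParameters") or {}, ev.get("eventName"), None
        if name == "CreateAccessPoint":
            pab = params.get("PublicAccessBlockConfiguration") or {}
            if not all(pab.get(k, True) for k in PAB_KEYS):  # S3 defaults all four to True
                reason = "public access block disabled at creation"
        elif name == "PutAccessPointPolicy" and policy_is_public(params.get("policy", "{}")):
            reason = "policy grants access to the anonymous principal"
        if reason:
            findings.append({"access_point": params.get("name"), "when": ev.get("eventTime"),
                             "who": ev.get("userIdentity", {}).get("arn"),
                             "source_ip": ev.get("sourceIPAddress"), "how": f"{name}: {reason}"})
    return findings
```

Each finding gives the access point name, timestamp, caller ARN and source IP needed to scope the exposure window before pulling the S3 access logs for the same period.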