CP
cyberpings

Anonymous S3 Requests - Evading AWS Logging Exposed

Varonis Threat Labs revealed that anonymous S3 requests can bypass AWS logging, leaving organizations vulnerable. AWS has since updated CloudTrail to log these requests. This change is crucial for enhancing security and visibility in cloud environments.

Cloud SecurityHIGHUpdated: Published:
Featured image for Anonymous S3 Requests - Evading AWS Logging Exposed

Original Reporting

VAVaronis Blog·Maya Parizer

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯Basically, some requests to AWS storage can happen without being logged, making it hard to track bad activity.

What Happened

Varonis Threat Labs (VTL) discovered a significant vulnerability in AWS that allows anonymous requests to S3 buckets to evade logging in CloudTrail Network Activity events. This means that even if a bucket's permissions deny anonymous access, there are no logs indicating any such requests. In some instances, there were no logs at all, posing a severe risk to organizations.

How the Attack Works

When an attacker uses anonymous access within a Virtual Private Cloud (VPC) to access data from a bucket, the requests can trigger logs in the account. However, if the attacker accesses an external bucket, no events are logged at all. This lack of visibility allows attackers to interact with public buckets without detection. The absence of logs means that security teams cannot trace back any suspicious activity, leaving organizations vulnerable to data breaches.

AWS’ Response

In response to this vulnerability, AWS collaborated with Varonis to update CloudTrail's logging behavior. Now, all anonymous API requests made to external S3 buckets via VPC endpoints are logged as CloudTrail network activity events. This update aims to enhance visibility and security for VPC endpoint owners, ensuring that unauthorized access attempts can be detected.

Mitigation Strategies for Evasive Attacks

To protect against these evasive attacks, organizations should consider the following strategies:

  1. Restrict VPC Endpoint Policies: Apply the principle of least privilege to VPC endpoint policies, explicitly denying anonymous access.
  2. Audit Bucket Policies Regularly: Identify and remediate overly permissive bucket policies to minimize exposure.
  3. Enable Alerts on Policy Changes: Set up notifications for any changes to VPC endpoint or bucket policies to stay informed of potential risks.

Conclusion

The discovery of this vulnerability highlights the importance of robust logging practices in cloud environments. Without proper logging, organizations may remain unaware of unauthorized access, leading to potential data loss. By implementing the recommended strategies and utilizing AWS's updated logging features, organizations can better protect their data and maintain a secure cloud environment.

🔒 Pro Insight

🔒 Pro insight: The lack of visibility into anonymous requests underscores the need for stringent logging and monitoring in cloud infrastructures.

Share

Related Pings

Preview image for Making Cyberattacks Harder - Microsoft’s New Security Approach
Cloud Security
HIGH

Making Cyberattacks Harder - Microsoft’s New Security Approach

Microsoft is enhancing security for its Dynamics 365 and Power Platform. By eliminating credentials and reducing attack surfaces, they're making it harder for opportunistic cyberattacks. This proactive approach is crucial for protecting users and data.

MSMicrosoft Security Blog
Read PingRead Source
Preview image for Backup Myth - Why BCDR is Essential for Businesses
Cloud Security
HIGH

Backup Myth - Why BCDR is Essential for Businesses

Businesses are at risk from downtime beyond data loss. A strong BCDR strategy is essential to keep operations running and protect revenue during disruptions.

BCBleepingComputer
Read PingRead Source
Preview image for Wiz Code Secures CI/CD Pipelines Against Supply Chain Attacks
Cloud Security
HIGH

Wiz Code Secures CI/CD Pipelines Against Supply Chain Attacks

Wiz Code has launched to secure CI/CD pipelines against rising supply chain attacks. This new feature enhances visibility and control over build environments, crucial for safe software delivery. With attackers targeting these systems, Wiz Code helps teams identify and mitigate risks effectively.

WIWiz Blog
Read PingRead Source
Preview image for Microsoft Teams - Service Update Causes Launch Failures, Rollback Underway
Cloud Security
HIGH

Microsoft Teams - Service Update Causes Launch Failures, Rollback Underway

Microsoft has rolled back a recent update that caused launch failures for Teams desktop users. Affected users need to manually restart the application to apply the fix.

BCBleepingComputer+1 more
Read PingRead Source
Preview image for EU Cloud Sovereignty Initiative - €180 Million Awarded
Cloud Security
MEDIUM

EU Cloud Sovereignty Initiative - €180 Million Awarded

The EU is investing €180 million in cloud services to strengthen digital sovereignty. Four providers were selected to ensure compliance with EU standards. This initiative aims to diversify cloud services and reduce reliance on non-EU providers.

HNHelp Net Security
Read PingRead Source
Preview image for Shared Dictionaries - Enhancing Web Compression Efficiency
Cloud Security
MEDIUM

Shared Dictionaries - Enhancing Web Compression Efficiency

Cloudflare is rolling out shared dictionaries to enhance web compression. This innovation helps reduce bandwidth and speeds up page loading times. With growing web sizes, this is a game changer for efficiency.

CFCloudflare Blog
Read PingRead Source