Chef Blogs

Don’t Leave Your S3 Buckets Wide Open

Mandi Walls | Posted on | Chef InSpec | compliance

IT security can feel like an endless war against the unknown.

That is especially true when a big, comfortable monolith with a single entry point is spread out into a multitude of small microservices, each with its own access path. Securing distributed systems is a challenge that requires constant vigilance and attention to detail.

It’s more than a single person (and often a team of people) can keep in their heads. Your team needs a place to create, store, and share your security configurations so they can be applied and tested against as often as possible, regardless of where your services are running.

An easy place to miss security is in your cloud accounts. Powerful cloud provider tools give your team immense flexibility to get work done in so many ways, but you also need to keep track of what is going where and who has access to it. 

AWS S3 buckets are an excellent tool for holding and sharing data in the cloud. You might have any number of files and assets pushed to buckets that your users and staff can access, or might be used by your other applications that live in the cloud. But S3 buckets are like any other infrastructure component: they need to be secured. 

In this article from UpGuard, their research team talks about finding unsecured S3 buckets containing information that really shouldn’t have been out in the wild, like passwords and system information.

Clicking through the AWS console to confirm that none of your S3 buckets is open to the world is one way to check, but it doesn't scale and it doesn't catch drift after you've looked. Instead, you can add your buckets to your Chef InSpec profiles so that an inadvertently exposed bucket is detected on every run, before it costs you control of your data. Chef InSpec includes a large collection of resources for testing in the cloud. Let's take a look at one, aws_s3_bucket.

This resource checks bucket-level settings: that the bucket exists, and that neither its ACL nor its bucket policy grants access to everyone. In your Chef InSpec profile, add a resource test like:

# Bucket-level checks for a single, named bucket
describe aws_s3_bucket(bucket_name: 'secrets-bucket') do
  it { should exist }          # fails if the bucket was deleted or renamed
  it { should_not be_public }  # fails on an AllUsers/AuthenticatedUsers ACL grant or a wildcard-principal Allow in the bucket policy
end
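A hand-maintained list of bucket names misses the bucket someone created last week. As an added example (not code from the original post), the control below enumerates every bucket in the account with the aws_s3_buckets plural resource and applies the public check plus a few hardening matchers to each one. It assumes the inspec-aws resource pack, which supplies aws_s3_buckets and the have_default_encryption_enabled, have_versioning_enabled and have_access_logging_enabled matchers; the exemption list and control name are placeholders for your own.

```ruby
# controls/s3_buckets.rb (added example; not the original post's code)
# Assumes the inspec-aws resource pack, which provides the aws_s3_buckets
# plural resource and the additional aws_s3_bucket matchers used below.
control 's3-buckets-not-public-and-hardened' do
  impact 1.0
  title 'No S3 bucket in the account is public, and each is hardened'
  desc  'Enumerates every bucket rather than relying on a hand-maintained list, ' \
        'so a bucket created outside this profile is still checked.'

  # Assumption: buckets that are deliberately public (static website assets)
  # are listed here so the exception is visible and reviewed in the profile.
  exempt_public = ['public-website-assets']

  buckets = aws_s3_buckets.bucket_names

  # Fail loudly instead of passing vacuously if enumeration returns nothing
  # (wrong region, wrong credentials, or missing s3:ListAllMyBuckets).
  describe 'S3 bucket enumeration' do
    it 'found at least one bucket' do
      expect(buckets).not_to be_empty
    end
  end

  buckets.each do |name|
    describe aws_s3_bucket(bucket_name: name) do
      it { should exist }
      it { should_not be_public } unless exempt_public.include?(name)
      it { should have_default_encryption_enabled }
      it { should have_versioning_enabled }
      it { should have_access_logging_enabled }
    end
  end
end
```

To use the resource pack, the profile's inspec.yml needs a `depends` entry pointing at inspec-aws, and the identity running the scan needs read-only S3 permissions (ListAllMyBuckets plus the per-bucket Get* calls behind each matcher). Each bucket reports as its own describe block, so the run output names exactly which bucket failed which check.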

Run your Chef InSpec profile as often as meets your needs to make sure no one has changed the permissions or security settings on your bucket. Note that be_public looks at the bucket's own ACL and policy; individual objects can carry their own ACLs, which the aws_s3_bucket_object resource checks separately. Keep those secrets secret.
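It helps to know what "public" means to the matcher. As an added example (not the post's or the InSpec project's code), here is a plain-Ruby reimplementation of the two conditions the be_public matcher evaluates, run over constructed ACL grants and bucket policies shaped like the S3 GetBucketAcl and GetBucketPolicy responses. Treating these two conditions as the whole of the matcher is my reading of the resource, not something the post states; the sample buckets, grants and policies are constructed for illustration.

```ruby
require 'json'

# Added example, not from the Chef post: a plain-Ruby reimplementation of the
# two conditions behind `should_not be_public`, so the signal is visible.
# Inputs mirror the shapes the S3 API returns: ACL grants (GetBucketAcl) and
# a bucket policy document as a JSON string (GetBucketPolicy).

PUBLIC_GROUP_URIS = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
].freeze

# Condition 1: any ACL grant to the AllUsers or AuthenticatedUsers group.
def acl_public?(grants)
  grants.any? do |g|
    grantee = g['Grantee'] || {}
    grantee['Type'] == 'Group' && PUBLIC_GROUP_URIS.include?(grantee['URI'])
  end
end

# A Principal of "*" or {"AWS": "*"} (possibly inside a list) is anonymous.
def wildcard_principal?(principal)
  case principal
  when '*' then true
  when Hash then [principal['AWS']].flatten.include?('*')
  else false
  end
end

# Condition 2: any Allow statement in the bucket policy with a wildcard principal.
# A Deny with Principal "*" (common for enforcing TLS) is not a public grant.
def policy_public?(policy_json)
  return false if policy_json.nil? || policy_json.empty?
  statements = [JSON.parse(policy_json)['Statement']].flatten.compact
  statements.any? { |s| s['Effect'] == 'Allow' && wildcard_principal?(s['Principal']) }
end

def bucket_public?(grants, policy_json)
  acl_public?(grants) || policy_public?(policy_json)
end

# Constructed sample inputs (no real buckets or accounts).
OWNER_GRANT = { 'Grantee' => { 'Type' => 'CanonicalUser', 'ID' => 'abc123' },
                'Permission' => 'FULL_CONTROL' }.freeze
ALL_USERS_READ = { 'Grantee' => { 'Type' => 'Group',
                                  'URI' => 'http://acs.amazonaws.com/groups/global/AllUsers' },
                   'Permission' => 'READ' }.freeze

PUBLIC_READ_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Principal' => { 'AWS' => '*' },
                    'Action' => 's3:GetObject', 'Resource' => 'arn:aws:s3:::secrets-bucket/*' }]
)
DENY_INSECURE_TRANSPORT_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Deny', 'Principal' => '*', 'Action' => 's3:*',
                    'Resource' => 'arn:aws:s3:::secrets-bucket/*',
                    'Condition' => { 'Bool' => { 'aws:SecureTransport' => 'false' } } }]
)

if __FILE__ == $PROGRAM_NAME
  puts bucket_public?([OWNER_GRANT], nil)                             # false
  puts bucket_public?([OWNER_GRANT, ALL_USERS_READ], nil)             # true
  puts bucket_public?([OWNER_GRANT], PUBLIC_READ_POLICY)              # true
  puts bucket_public?([OWNER_GRANT], DENY_INSECURE_TRANSPORT_POLICY)  # false
end
```

The fourth case is the one that trips people up when they grep policies for `"*"`: a Deny statement with a wildcard principal is a hardening control, not an exposure, and the matcher treats it that way. Note also that neither condition looks at the account's Block Public Access settings or at object-level ACLs, so pair this check with those controls rather than treating it as the whole story.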

By proactively building these checks into your profiles, you can have Chef InSpec enforce security settings on your other resources as well. Check it out at https://www.chef.io/products/chef-inspec/.

For more information on securing S3 buckets and other AWS assets with Chef InSpec, see our Learn Chef Rally training module, Secure AWS Resources with Chef InSpec.