Good evening all, I received an email from Amazon AWS making me aware that I have some S3 Buckets that were are made public. As you and I know I do have some buckets that are suited for web hosting setups that actually power my website here. Well Amazon kindly made me aware of this in the following message below. I felt it was important to mention as they did, do not make you buckets PUBLIC if you do not wish others to view their content.

Message from Amazon AWS:

Hello,

We’re writing to notify you that your AWS account XXXXXXXXX has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access.

Unless you have a specific reason (such as hosting a public website) for this configuration, we recommend that you update your bucket and restrict public access. Your list of buckets configured to allow access by anyone on the Internet as of August 9, 2019 are:

(Here would be a list of all your public buckets)

If you did not intend to provide public access to this bucket then you should take immediate action by enabling S3 Block Public Access [1] on this bucket. This feature is free of charge and it only takes a minute to enable. For step by step instructions on setting up S3 Block Public Access via the S3 management console, see Jeff Barr’s blog [2]. Once you’ve locked down your bucket, we recommend checking for past unintended access to your bucket per the instructions below on analyzing logs.

For more information on S3 Block Public Access, check out the video tutorial on Amazon S3 Block Public Access [3]. For AWS’s definition of “Public Access,” please see The Meaning of “Public” [4].

If you are not sure about enabling S3 Block Public Access on a bucket because of its potential impact on existing usage, see the instructions below on analyzing logs to figure out what users are making calls against your S3 bucket. 

If you have a business need to maintain some level of public access, please see Overview of Managing Access [5] for more in-depth instructions on managing access to your bucket to make sure you’ve permitted the correct level of access to your objects. We recommend that you make changes in accordance with your operational best practices. If you want to analyze activity to your bucket in order to understand how it is being accessed, please see the instructions below.

We’ve published a guide to investigating access to objects in your bucket using AWS CloudTrail Data Events [6] and Server Access Logs [7]. Please follow the steps in this guide to ingest your logs into Amazon Athena and query them. Once your queries complete, review the results for GetObject, PutObject, or other API calls to determine current usage of your bucket as well as detect unexpected or unauthorized IP addresses/requesters. If you have not enabled logging for your bucket, you can find more information at enabling Server Access Logs [8] or enabling AWS CloudTrail Data Events [9]. Once logging is enabled, you can use the queries described above to analyze access to objects in your bucket after allowing enough time for new requests to show up.

If you would like more information about policy configuration in S3, please refer to these resources:

Managing Access in Amazon S3: https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-managing-access-s3-resources.html
S3 Security Best Practices: https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html

Please feel free to contact us with any questions you may have on the forum[10]. If you believe you have received this message in error or if you require technical assistance, open a support case[11]. 

[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
[2] https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
[3] https://aws.amazon.com/s3/features/block-public-access/
[4] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status
[5] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html#access-control-resources-manage-permissions-basics
[6] https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-request-identification.html
[7] https://docs.aws.amazon.com/AmazonS3/latest/dev/using-s3-access-logs-to-identify-requests.html#using-s3-access-logs-to-identify-objects-access
[8] https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview
[9] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-data-events-with-the-cloudtrail-console
[10] https://forums.aws.amazon.com/forum.jspa?forumID=24
[11] https://aws.amazon.com/support

Sincerely,
Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210

Conclusion:

Well this came at a great time since we have been going though some beginner series of how to create an Amazon S3 Bucket, Configure the Amazon S3 Command, and how to push files, and pull them to your Amazon S3 Bucket. Have a great weekend everyone!