S3 configuration is awful, full stop. It’s not just that the interface is a disaster and configuration options are full of jargon and access rules are written in JSON.<p>The problem is that for someone who only periodically uses S3, I’m lost. I’m not lost in other services…Cloudflare, Firebase, Mailgun, and dozens of others somehow manage to allow people to use their service without so much agony.<p>I’m almost positive my S3 bucket is misconfigured because of how absurdly complex it is.<p>If you disagree and have spent more than 200 hours working within S3, I submit that it’s because you’re just an expert. I shouldn’t need a certification to upload files and retrieve them securely.
This does a great job of highlighting why properly configuring infrastructure is hard: S3 buckets (one of the most simple cloud infra services) have 70 configuration options.<p>Imagine you're a junior dev and your manager says "just spin up an S3 bucket and drop the data there, and make sure your app can access it".<p>S3 does have some sensible defaults, but a lot of Terraform modules do not...imagine somebody who now has to decipher S3's basic properties, ACLs, IAM, etc.
This is just a list of 'how to do x with awscli [and if the bucket allows unauthenticated users to do x then you will get a result]'.<p>Unless I'm missing something there's nothing particularly... interesting or thought out here? May as well read the docs for available s3/s3api operations - there's more!
The article is a lengthy discussion of something simple.
1) use a proxy or VPN
2) write a bucket guesser in python (use your imagination)
3) run this https://github.com/sa7mon/S3Scanner
Now you have list/read/write status info +/- existence per S3 scanner.<p>There, see? Didn't need a whole article.
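The three-step recipe above, and the "do x with awscli and see if the bucket answers" idea from the earlier comment, boil down to one thing: send unsigned requests to the S3 REST API and classify the status codes. The script below is an added example written for this thread; it is not code from S3Scanner, from awscli, or from any commenter. It uses only the Python standard library against the virtual-hosted endpoint `https://<bucket>.s3.amazonaws.com`, and the HTTP layer is injectable so the constructed scenarios at the bottom run offline. `PROBE_KEY`, `SUFFIX_WORDS`, the sample XML listing and the function names are all made up for the example.

```python
"""Anonymous S3 bucket probe: guess names, then test existence, list, read and write.

Added example for this thread, not code from S3Scanner or from any commenter. It uses
only the standard library and the unsigned S3 REST API (the virtual-hosted endpoint
https://<bucket>.s3.amazonaws.com). The HTTP layer is injectable so the canned
scenarios below run offline; PROBE_KEY, SUFFIX_WORDS and the sample XML listing are
made up for the example.
"""
import itertools
import re
import urllib.error
import urllib.parse
import urllib.request

PROBE_KEY = "s3probe-canary.txt"          # hypothetical object name used for the write test
SUFFIX_WORDS = ["backup", "backups", "dev", "prod", "staging", "assets", "uploads", "logs"]
SEPARATORS = ["-", "."]                   # underscores are not valid in bucket names
LIST_QUERY = "/?list-type=2&max-keys=1"   # ListObjectsV2, one key is enough
# Bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# no leading or trailing punctuation.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")


def guess_names(base):
    """The 'bucket guesser': the base word alone, base<sep>word and word<sep>base,
    de-duplicated and filtered to syntactically valid bucket names."""
    base = base.lower()
    candidates = [base]
    for sep, word in itertools.product(SEPARATORS, SUFFIX_WORDS):
        candidates.append(f"{base}{sep}{word}")
        candidates.append(f"{word}{sep}{base}")
    return [c for c in dict.fromkeys(candidates) if BUCKET_RE.match(c)]


def http_fetch(method, url, body=None, timeout=10):
    """Real HTTP layer: an unsigned request, i.e. what `aws ... --no-sign-request` sends.
    urllib honours the https_proxy environment variable, which covers the proxy/VPN step."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_bucket(name, fetch=http_fetch, check_write=False):
    """Classify what an anonymous caller can do with one bucket.

    S3 answers a ListObjectsV2 request with 404 (NoSuchBucket) when the bucket does not
    exist, 403 (AccessDenied / AllAccessDisabled) when it exists but listing is denied,
    and 200 plus an XML listing when anyone may list it. Read is only tested against a
    key learned from the listing, because a GET of a made-up key is ambiguous (S3 returns
    403 for a missing key unless the caller also holds s3:ListBucket). The write test
    uploads PROBE_KEY and is opt-in: it leaves an object behind, so run it only against
    buckets you are authorised to test."""
    base = f"https://{name}.s3.amazonaws.com"
    result = {"bucket": name, "exists": False, "list": False, "read": None, "write": None}
    status, body = fetch("GET", base + LIST_QUERY)
    if status == 404:
        return result
    if status not in (200, 403):
        result["exists"] = None           # redirect, 400 or 5xx: undetermined, check by hand
        return result
    result["exists"] = True
    result["list"] = status == 200
    if result["list"]:
        match = re.search(rb"<Key>([^<]+)</Key>", body)
        if match:
            key = match.group(1).decode()
            status, _ = fetch("GET", f"{base}/{urllib.parse.quote(key)}")
            result["read"] = status == 200
    if check_write:
        status, _ = fetch("PUT", f"{base}/{PROBE_KEY}", body=b"s3probe")
        result["write"] = status == 200
    return result


def scan(base_word, fetch=http_fetch, check_write=False):
    """Guess names and keep the buckets that exist: the list/read/write report from the comment."""
    return [r for r in (probe_bucket(n, fetch, check_write) for n in guess_names(base_word))
            if r["exists"]]


# --- constructed sample responses so the example runs offline -------------------------
SAMPLE_LISTING = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b"<Name>acme-backup</Name><Contents><Key>dump.sql</Key></Contents></ListBucketResult>"
)
SCENARIOS = {
    "no-such-bucket": {("GET", LIST_QUERY): (404, b"")},
    "private":        {("GET", LIST_QUERY): (403, b"")},
    "world-open":     {("GET", LIST_QUERY): (200, SAMPLE_LISTING),
                       ("GET", "/dump.sql"): (200, b"-- constructed sample dump"),
                       ("PUT", "/" + PROBE_KEY): (200, b"")},
}


def fake_fetch(responses):
    """Stand-in for http_fetch built from {(method, url suffix): (status, body)}; default 403."""
    def fetch(method, url, body=None):
        for (m, suffix), reply in responses.items():
            if m == method and url.endswith(suffix):
                return reply
        return 403, b""
    return fetch


if __name__ == "__main__":
    for label, responses in SCENARIOS.items():
        print(label, probe_bucket("acme-backup", fake_fetch(responses), check_write=True))
    # Against the real network, and only for targets you are authorised to test: scan("acme")
```

The status-code mapping is the whole trick: a 403 on the listing already tells you the bucket exists, which is why name guessing works even against private buckets. Leave `check_write` off unless you own the bucket or have written authorisation; a successful PUT is evidence, but it is also an object you have to clean up.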
The interesting thing is, most people wouldn't do the same things (say, chmod 777 all the things) on a public NAS.<p>If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on prem storage?<p>Do users expect safe defaults (as in, "default deny")?<p>Is it just a matter of attitude, where people think public cloud is more secure because it's not managed by (potentially short-staffed) corporate IT teams, even if it's not completely managed by the cloud provider?<p>Or is there something else?
In 2018 I added S3 bucket monitoring to my SaaS, Cronitor.io, but we eventually retired it because AWS seems mostly to have solved this.<p>It’s hard in the console to make buckets public, it’s obvious when they are, and Amazon sends emails about public buckets just in case you’re not using the console.
Hah, I've had some fun with this, and even submitted bug reports that were never looked at.<p>I have like the world's largest collection of license plate photos now. :)
Thinking about creating intentionally misconfigured buckets with encrypted files that look like they have valuable stuff so the hackers waste tons of resources decrypting them only to see they are worthless
I realize probably many (most?) people open this site on a mobile device, and the design is optimized for that. Still, does it bother anyone that on a desktop monitor, less than a third of the horizontal width is used for content?