Support Automation Workflow (SAW) Runbook: Contain a compromised AWS S3 Bucket
In the event of a security incident or suspected compromise involving an Amazon Simple Storage Service (Amazon S3) bucket, it is critical to swiftly isolate the affected resource while preserving its contents for forensic analysis and investigation. The AWSSupport-ContainS3Resource runbook provides a structured approach to contain an S3 bucket or specific object(s) within it, effectively blocking unauthorized access while maintaining the data integrity for further examination.
In this article, I will show you how to use the AWSSupport-ContainS3Resource AWS Systems Manager Automation runbook to execute a reversible containment procedure for an Amazon Simple Storage Service (Amazon S3) bucket. The runbook allows you to quickly isolate a potentially compromised or suspicious S3 bucket at the access-policy level while preserving its contents for further investigation.
Learn more about Support Automation Workflows >>
Disclaimer
- Use of Elevated Privileges: This runbook performs operations that require elevated privileges, such as modifying S3 bucket policies, tags, and public access configurations. These actions could lead to privilege escalation or impact other workloads that depend on the targeted S3 bucket. Review the permissions granted to the role specified by the 'AutomationAssumeRole' parameter and ensure they are appropriate for the intended use case; see the AWS documentation on IAM permissions for more information.
- Workload Unavailability Risks: This runbook performs mutative actions that could potentially cause unavailability or disruption to your workloads. Specifically, the 'Contain' action blocks all access to the specified S3 bucket, except for the roles specified in the 'SecureRoles' parameter. This could impact any applications or services that rely on the targeted S3 bucket.
- Creation of Additional Resources: During the 'Contain' action, this runbook may create an additional S3 bucket (specified by the 'BackupS3BucketName' parameter) to store the backup of the original bucket's configuration, if it does not already exist.
- Restoration Risks: If the 'Action' parameter is set to "Restore", this runbook attempts to restore the S3 bucket's configuration to its original state based on the backup stored in the 'BackupS3BucketName' bucket. However, there is a risk that the restoration process may fail, leaving the S3 bucket in an inconsistent state. The runbook provides instructions for manual restoration in case of such failures, but you should be prepared to handle potential issues during the restoration process.
It is recommended to review the runbook thoroughly, understand its potential impacts, and test it in a non-production environment before executing it in your production environment.
How it works
Containment
- S3 General Purpose Bucket: The automation blocks public access to the bucket, disables ACL configuration, sets Object Ownership to Bucket owner enforced, and puts a restrictive bucket policy denying all S3 actions on the bucket except for allow-listed IAM roles.
- S3 General Purpose Object: The automation blocks public access to the bucket, disables ACL configuration, sets Object Ownership to Bucket owner enforced, and puts a restrictive bucket policy denying all S3 actions on the object except for allow-listed IAM roles.
- S3 Directory Bucket: The automation puts a restrictive bucket policy denying all S3 actions on the bucket except for allow-listed IAM roles.
Restore
- S3 General Purpose Bucket: The automation restores the Block Public Access configuration, bucket ACL configuration, Object Ownership setting and bucket policy to the configuration in place prior to containment.
- S3 General Purpose Object: The automation restores the Block Public Access configuration, bucket ACL configuration, object ACL configuration, Object Ownership setting and bucket policy to the configuration in place prior to containment.
- S3 Directory Bucket: The automation restores the bucket policy to the configuration in place prior to containment.
The runbook execution displays one of the following output messages, depending on the action taken (Contain or Restore), whether it is a DryRun, and the overall automation status: containFinalOutput.Output, restoreFinalOutput.Output, containS3BucketDryRun.Output, restoreS3BucketDryRun.Output, reportContainmentFailure.Output, or reportRestoreFailure.Output.
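The bucket policy part of containment is the piece worth previewing before you run the runbook against production. The following is an added example, not the runbook's own code or policy document: it builds a Deny statement of the kind described above (all S3 actions on the bucket, or on one object, denied for every principal whose aws:PrincipalArn is not allow-listed), appends it to an existing policy so prior statements survive as the S3ObjectPath description requires, and includes a simplified explicit-deny evaluator so you can check which roles keep access. Bucket name, role ARNs and the pre-incident policy are constructed values; whether the runbook merges or replaces the existing policy is not stated on this page, so merging here is an assumption.

```python
import fnmatch
import json

# Constructed sample values for this example (assumptions, not from the page).
BUCKET = "example-incident-bucket"
SECURE_ROLES = [
    "arn:aws:iam::111122223333:role/IncidentResponder",
    "arn:aws:iam::111122223333:role/SSMAutomationRole",
]


def containment_statement(bucket, secure_roles, object_key=None):
    """Build a Deny statement of the kind described under 'How it works':
    every S3 action on the bucket (or on one object when object_key is set)
    is denied for any principal whose aws:PrincipalArn is not allow-listed.
    For assumed-role sessions aws:PrincipalArn carries the role ARN, so the
    list holds IAM role ARNs, not assumed-role session ARNs."""
    if object_key is None:
        resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
        sid = "ContainBucket"
    else:
        resources = [f"arn:aws:s3:::{bucket}/{object_key}"]
        sid = "ContainObject"
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": resources,
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(secure_roles)}},
    }


def apply_containment(existing_policy, bucket, secure_roles, object_key=None):
    """Return a new policy document with the Deny appended (assumption: merge,
    not replace). Existing statements are kept; an explicit Deny overrides
    any Allow they grant, so access is still blocked for non-exempt roles."""
    policy = {"Version": "2012-10-17", "Statement": []}
    if existing_policy is not None:
        policy = json.loads(json.dumps(existing_policy))  # deep copy, never mutate input
        policy.setdefault("Statement", [])
    policy["Statement"].append(containment_statement(bucket, secure_roles, object_key))
    return policy


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' as in fnmatch, case-sensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_denied(policy, principal_arn, action, resource):
    """Preview the explicit-deny phase only: True if some Deny statement matches
    the action and resource and does not exempt this principal through an
    ArnNotEquals/aws:PrincipalArn condition. Real IAM evaluation also has an
    allow phase and many more condition operators; this only answers
    'would the containment policy block this call?'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn", [])
        if principal_arn in exempt:
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed pre-incident policy: an application role may read objects.
    existing = {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
    contained = apply_containment(existing, BUCKET, SECURE_ROLES)
    print(json.dumps(contained, indent=2))
    for role in ("arn:aws:iam::111122223333:role/AppRole", SECURE_ROLES[0]):
        verdict = is_denied(contained, role, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/data.csv")
        print(role, "denied" if verdict else "allowed")
```

Note that with a policy of this shape s3:* also covers s3:PutBucketPolicy and s3:DeleteBucketPolicy, so the role that will later run the Restore action must itself be in SecureRoles; otherwise only the account root user can remove the policy. This page does not say whether the runbook exempts AutomationAssumeRole automatically, so list it explicitly.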
Required IAM permissions
The AutomationAssumeRole parameter requires the following permissions to successfully use the runbook:
Non-Mutating Actions:
- s3:GetAccountPublicAccessBlock
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:GetBucketOwnershipControls
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketTagging
- s3:GetEncryptionConfiguration
- s3:GetObject
- s3:GetObjectAcl
- s3:GetObjectTagging
- s3:GetReplicationConfiguration
- s3:ListBucket
- s3express:GetBucketPolicy
- ssm:DescribeAutomationExecutions
Mutating Actions:
- s3:CreateBucket
- s3:DeleteBucketPolicy
- s3:DeleteObjectTagging
- s3:PutAccountPublicAccessBlock
- s3:PutBucketACL
- s3:PutBucketOwnershipControls
- s3:PutBucketPolicy
- s3:PutBucketPublicAccessBlock
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutObject
- s3:PutObjectAcl
- s3express:CreateSession
- s3express:DeleteBucketPolicy
- s3express:PutBucketPolicy
Instructions
- Navigate to AWSSupport-ContainS3Resource in the AWS Systems Manager console.
- Click Execute automation.
- For the input parameters, enter the following:
  - BucketName (Required): The bucket on which you want to execute the Contain or Restore workflow.
  - S3ObjectPath (Optional): A specific object in the bucket that you want to contain or restore. The bucket policy is modified to deny access only to this object while retaining the existing policy configuration of the bucket.
  - Action (Optional): Contain instructs the automation to isolate the S3 bucket; Restore restores the bucket to its original configuration. The default is Contain.
  - DryRun (Optional): When set to True, the automation does not execute any mutative commands and instead reports what it would have attempted to do, detailing each step. The default is True.
  - TagIdentifier (Optional): Tag the resources with a tag of your choice using the format Key=Foo,Value=Bar. This lets you track the buckets that have been targeted by this runbook. Note: tag keys and values are case-sensitive. This is applicable only to General Purpose Buckets.
  - SecureRoles (Optional): The Amazon Resource Names (ARNs) of the AWS Identity and Access Management (IAM) roles that will still be allowed access to the bucket after containment. This parameter is required when Action is Contain.
  - BackupS3BucketName (Required): S3 bucket to which the configuration is uploaded when Action is Contain, and from which the configuration is restored when Action is Restore.
  - S3PrefixName (Optional): Amazon S3 path from which to restore the S3 bucket configuration. This parameter is required when Action is Restore.
  - AutomationAssumeRole (Optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
The following example demonstrates how to use the AWSSupport-ContainS3Resource automation runbook to contain an S3 bucket in the AWS account.
- Click Execute.
- You should see that the automation has been initiated.
- The document performs the following steps:
  - validateRequiredInputs: Validates the input parameters required to continue execution of the runbook.
  - assertBucketExists: Asserts that the S3 bucket exists and is accessible.
  - backupBucketPreChecks: Checks whether the target Amazon S3 bucket potentially grants public read or write access to its objects.
  - backupTargetBucketMetadata: Describes the current configuration of the source S3 bucket and uploads the backup to the specified backup S3 bucket.
  - containBucket: Performs bucket-level operations to contain the source S3 bucket.
  - containFinalOutput: Consolidates the containment activity in a readable format.
- Once completed, review the Outputs section to see a summary of the S3 bucket's initial and final configuration.
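The console steps above can also be driven from code, which is how you would wire the runbook into an incident-response playbook. The following is an added example, not the page's or the runbook's own code: it assembles the Parameters map for ssm:StartAutomationExecution from the parameter descriptions above, enforcing the conditional requirements the page lists (SecureRoles for Contain, S3PrefixName for Restore, the Key=Foo,Value=Bar tag format) before anything is sent, and keeps the boto3 call in a separate function so the checks run offline. Bucket names, role ARNs and tag values are constructed; the validateRequiredInputs step may check more than this.

```python
RUNBOOK = "AWSSupport-ContainS3Resource"


class ParameterError(ValueError):
    """Raised when the parameter set would fail the runbook's input validation."""


def parse_tag_identifier(value):
    """Split 'Key=Foo,Value=Bar' into ('Foo', 'Bar'). Tag keys and values are
    case-sensitive, so nothing is normalised here."""
    parts = {}
    for piece in value.split(","):
        name, sep, val = piece.partition("=")
        if sep:
            parts[name.strip()] = val
    if set(parts) != {"Key", "Value"} or not parts["Key"]:
        raise ParameterError("TagIdentifier must use the format Key=Foo,Value=Bar")
    return parts["Key"], parts["Value"]


def build_parameters(bucket, backup_bucket, action="Contain", dry_run=True,
                     secure_roles=(), s3_prefix=None, object_path=None,
                     tag_identifier=None, assume_role=None):
    """Return the Parameters map for ssm:StartAutomationExecution. Systems
    Manager takes every parameter value as a list of strings, with booleans
    as 'true'/'false'. The conditional requirements follow the parameter
    descriptions on this page."""
    if action not in ("Contain", "Restore"):
        raise ParameterError("Action must be Contain or Restore")
    if not bucket or not backup_bucket:
        raise ParameterError("BucketName and BackupS3BucketName are required")
    if action == "Contain" and not secure_roles:
        raise ParameterError("SecureRoles is required when Action is Contain")
    if action == "Restore" and not s3_prefix:
        raise ParameterError("S3PrefixName is required when Action is Restore")
    params = {
        "BucketName": [bucket],
        "BackupS3BucketName": [backup_bucket],
        "Action": [action],
        "DryRun": ["true" if dry_run else "false"],
    }
    if secure_roles:
        params["SecureRoles"] = list(secure_roles)
    if s3_prefix:
        params["S3PrefixName"] = [s3_prefix]
    if object_path:
        params["S3ObjectPath"] = [object_path]
    if tag_identifier:
        parse_tag_identifier(tag_identifier)  # fail early on a malformed tag
        params["TagIdentifier"] = [tag_identifier]
    if assume_role:
        params["AutomationAssumeRole"] = [assume_role]
    return params


def start_execution(params, region_name=None):
    """Start the runbook. Needs boto3 and AWS credentials, so the import is
    deferred and build_parameters stays usable offline."""
    import boto3
    ssm = boto3.client("ssm", region_name=region_name)
    response = ssm.start_automation_execution(DocumentName=RUNBOOK, Parameters=params)
    return response["AutomationExecutionId"]


if __name__ == "__main__":
    # Constructed values. Run with the default dry_run=True first, read
    # containS3BucketDryRun.Output, then re-run with dry_run=False.
    params = build_parameters(
        bucket="example-incident-bucket",
        backup_bucket="example-ir-backups",
        secure_roles=["arn:aws:iam::111122223333:role/IncidentResponder"],
        tag_identifier="Key=Incident,Value=IR-0001",
        assume_role="arn:aws:iam::111122223333:role/SSMAutomationRole",
    )
    print(params)
    # print(start_execution(params, region_name="us-east-1"))
```

Keep the execution ID that start_execution returns; it is what you pass to ssm:DescribeAutomationExecutions (listed among the runbook's required permissions) to read containFinalOutput.Output or reportContainmentFailure.Output once the run finishes.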
Conclusion
In this article, I demonstrated how to contain a compromised S3 bucket using AWSSupport-ContainS3Resource, available in AWS Systems Manager.
References
Systems Manager Automation
Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html
Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html
Documentation related to the AWS service
For more information on how to run this runbook, see the AWS public documentation: AWSSupport-ContainS3Resource
To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks. These runbooks are prefixed with "AWSSupport-" or "AWSPremiumSupport-".