New S3 bucket hacked

Question

Hi. New to AWS, created an S3 bucket and did no turn off public access. Someone dumped thousands of files in there.

What can I do (aside from turn off public access (done) and delete the files?

Joe

secondabhi_aws · Answer

Absolutely, you should follow s3 best practices as suggested here previously, as first aid, add following bucket policy immediately to deny access to everyone:

1. Navigate to S3 service from management console
2. Click on the bucket
3. Go to **Permissions** tab
4. Scroll down, go to **Bucket policy** and then click edit
5. In the policy, add following policy
   
       {
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": {
               "AWS": ""
             },
             "Action": [
               "s3:*"
             ],
             "Resource": [
               "arn:aws:s3:::bucket_name",
               "arn:aws:s3:::bucket_name/*"
             ]
           },
           {
             "Effect": "Deny",
             "NotPrincipal": {
               "AWS": ""
              },
             "Action": [
               "s3:*"
             ],
             "Resource": [
               "arn:aws:s3:::bucket_name",
               "arn:aws:s3:::bucket_name/*"
             ]
           }
         ]
       }

6. Click **Save changes**

This would deny everyone to access the bucket, once done then go to [S3 Best Practices](
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html) and see how you could avoid this situation to keep security of the bucket tight.

Riku_Kobayashi · Answer

If the S3 bucket is not needed, it may be deleted.  
If still in use, setting up an S3 access log may help identify when unauthorized access has occurred.  
Also, the following document describes best practices for S3, so consider following best practices.  
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

New S3 bucket hacked

Add your answer

Relevant content