AWS S3 Buckets: Visible endpoint

Although not a literal secret, an Amazon S3 bucket URL should be treated as confidential: store it with the rest of your deployment configuration and do not hardcode it in source, templates or service definitions.

Every bucket and object has a publicly routable endpoint, so reachability is never the question; whether the content is actually readable depends on the bucket policy, the object ACLs and the account's Block Public Access settings. A bucket whose settings allow public access is open to anyone who knows its name, and that is where the security risk lies. Keeping the name out of code is defense in depth, not a substitute for those settings: check them with `aws s3api get-public-access-block --bucket <name>` and `aws s3api get-bucket-policy-status --bucket <name>`.

Even an endpoint that reveals nothing about its contents is still part of your network attack surface. A host that looks secure today can be vulnerable tomorrow, once a new exploit (often a 0-day) is found, and an attacker who already knows the endpoint can act on it immediately.

Social engineering is more effective when the attacker knows an internal detail about your organization, such as the name of an S3 bucket; it lends credibility to a phishing message or a pretext call.

Problem

An AWS S3 bucket endpoint is hardcoded or exposed in configuration files, infrastructure-as-code templates, or business services.

Fix

Infrastructure

  1. Use a key-value store to distribute configuration to your environments, such as:
    1. Consul
    2. etcd

Architecture

  1. Prefer a 12-factor architecture: the bucket name is injected into the environment at deploy time and read from there, never committed with the code.
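As an added example (not part of the original page), the Python script below covers both the Problem and the Fix above: it scans configuration text for hardcoded S3 endpoints in the three documented URL styles (virtual-hosted `bucket.s3[.region].amazonaws.com`, path-style `s3[.region].amazonaws.com/bucket`, and the `s3://` scheme) and shows the 12-factor replacement, which reads the bucket name from the environment and validates it against the core S3 naming rules. The environment variable `ASSETS_BUCKET`, the sample configuration and every bucket name in it are constructed for this example; in a Consul- or etcd-backed deployment the agent would populate that variable at start-up.

```python
import os
import re

# Added example, not from the original page. An S3 bucket name is 3-63
# characters of lowercase letters, digits, dots and hyphens, starting and
# ending with a letter or digit; this label is shared by the three patterns.
BUCKET_LABEL = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"

S3_ENDPOINT_PATTERNS = [
    # virtual-hosted style: my-bucket.s3.amazonaws.com, my-bucket.s3.eu-west-1.amazonaws.com
    re.compile(r"(?P<bucket>" + BUCKET_LABEL + r")\.s3(?:[.-][a-z0-9]+)*\.amazonaws\.com"),
    # path style: s3.amazonaws.com/my-bucket, s3.eu-west-1.amazonaws.com/my-bucket
    # (the lookbehind stops this from re-matching the key part of a virtual-hosted URL)
    re.compile(r"(?<![a-z0-9.-])s3(?:[.-][a-z0-9]+)*\.amazonaws\.com/(?P<bucket>" + BUCKET_LABEL + r")"),
    # s3:// URI scheme as used by the AWS CLI and SDKs
    re.compile(r"s3://(?P<bucket>" + BUCKET_LABEL + r")"),
]


def find_s3_endpoints(text):
    """Return [(line_number, bucket_name)] for every S3 endpoint found in text.

    Run this over config files, IaC templates and source before commit: any
    hit is a bucket name that should live in the environment instead.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in S3_ENDPOINT_PATTERNS:
            for match in pattern.finditer(line):
                hit = (lineno, match.group("bucket"))
                if hit not in hits:
                    hits.append(hit)
    return hits


BUCKET_NAME_RE = re.compile(r"^" + BUCKET_LABEL + r"$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_valid_bucket_name(name):
    """Core S3 naming rules: 3-63 chars, lowercase/digits/dots/hyphens,
    starts and ends alphanumeric, no '..', not formatted as an IPv4 address."""
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name and not IPV4_RE.match(name)


def bucket_from_env(var="ASSETS_BUCKET", environ=None):
    """12-factor style: take the bucket name from the environment, never from
    a literal in the code. ASSETS_BUCKET is an assumed variable name; a
    Consul/etcd-backed deployment would set it before the service starts.
    Failing loudly is deliberate: a silent fallback would reintroduce a hardcoded bucket."""
    env = os.environ if environ is None else environ
    name = env.get(var, "").strip()
    if not name:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a hardcoded bucket")
    if not is_valid_bucket_name(name):
        raise ValueError(f"{var}={name!r} is not a valid S3 bucket name")
    return name


# Constructed sample configuration for the demo; the hostnames and bucket
# names are invented and do not refer to any real deployment.
SAMPLE_CONFIG = """\
# service settings
assets_url = https://my-app-assets.s3.eu-west-1.amazonaws.com/static/
backup_target = s3://my-app-backups/nightly
legacy_url = https://s3.amazonaws.com/my-app-legacy/export.csv
api_base = https://api.example.com/v1
"""

if __name__ == "__main__":
    for lineno, bucket in find_s3_endpoints(SAMPLE_CONFIG):
        print(f"line {lineno}: hardcoded S3 bucket {bucket!r}")
    # the fixed service reads the name from the environment instead
    print("bucket from env:", bucket_from_env(environ={"ASSETS_BUCKET": "my-app-assets"}))
```

The scanner is meant as a pre-commit or CI gate; the loader is the shape the service code takes afterwards. Note that `find_s3_endpoints` reports names, not access: a reported bucket may still be private, so follow up on each hit with the Block Public Access and policy-status checks rather than assuming exposure.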

See