Security by default: account-namespaced s3 buckets
2025-02-12
watchTowr’s vulnerability report on Amazon’s s3 implementation captured a lot of attention. Major governments, militaries, universities and corporations were all shown to pull from hijacked buckets in AWS’s globally namespaced s3 infrastructure.
The vulnerability is easy to showcase.
Create a bucket in one account. Upload some important library code. Have your partners and customers pull from it.
$ s3cmd -c .aws-account1 mb s3://artifacts
$ s3cmd -c .aws-account1 put update.dll s3://artifacts
If that bucket is ever removed, another account can create a bucket with the same name and upload poisoned artifacts there.
$ s3cmd -c .aws-account1 rb s3://artifacts
$ s3cmd -c .aws-account2 mb s3://artifacts
$ cp malware.dll update.dll
$ s3cmd -c .aws-account2 put update.dll s3://artifacts
If you’re on AWS, there’s no fix or patch, short of never deleting any bucket ever created.
Entrywan’s s3 implementation has buckets that are namespaced by account. That avoids this vulnerability completely, and has a couple of additional privacy and ease-of-use benefits:
First, your bucket naming scheme isn’t leaked to the rest of the world. If you had a naming scheme like “adidas-shared-documents”, an adversary with knowledge of this naming scheme wouldn’t be able to brute-force your entire customer list.
Second, you’re able to create easy to remember names for buckets, without worrying that they’ve already been taken by another customer.
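To make the difference between the two namespace models concrete, and to show what a consumer of a bucket can do on its own side, here is an added example (not code from this post, watchTowr, AWS or Entrywan). It models a globally namespaced store and an account-namespaced store with the same mb/rb/put/get operations as the s3cmd session above, then replays the delete-and-recreate scenario against each. The fetch routine pins the expected bucket owner and the artifact's SHA-256 digest, so a re-created bucket is refused rather than trusted. The account ids, bucket name and file contents are constructed; the `boto3_get_object` helper at the end is the real AWS counterpart of the owner check (S3's `ExpectedBucketOwner` parameter) and is not exercised offline.

```python
"""Consumer-side checks for artifacts pulled from an object store.

Added example: models a globally namespaced and an account-namespaced
store, and a fetch routine that pins bucket owner and artifact digest.
Account ids, bucket names and file contents are constructed.
"""
import hashlib
import hmac

ACCOUNT1 = "111111111111"   # placeholder: the publisher's account id
ACCOUNT2 = "222222222222"   # placeholder: an unrelated account
LEGIT = b"legit update.dll bytes"        # constructed artifact contents
POISONED = b"poisoned update.dll bytes"  # constructed substitute
PINNED_SHA256 = hashlib.sha256(LEGIT).hexdigest()  # digest recorded at publish time


class ArtifactRejected(Exception):
    """Raised when a downloaded artifact fails the pinned digest check."""


class GlobalStore:
    """Bucket names are global: deleting a bucket frees the name for anyone."""

    def __init__(self):
        self.buckets = {}  # name -> (owner, {key: bytes})

    def mb(self, owner, name):
        if name in self.buckets:
            raise ValueError("bucket name already taken")
        self.buckets[name] = (owner, {})

    def rb(self, owner, name):
        if self.buckets[name][0] != owner:
            raise PermissionError("not the bucket owner")
        del self.buckets[name]

    def put(self, owner, name, key, data):
        bucket_owner, objects = self.buckets[name]
        if bucket_owner != owner:
            raise PermissionError("not the bucket owner")
        objects[key] = data

    def get(self, name, key, expected_owner):
        owner, objects = self.buckets[name]
        # Equivalent of S3's ExpectedBucketOwner: refuse a name now owned by someone else.
        if owner != expected_owner:
            raise PermissionError("bucket owner mismatch")
        return objects[key]


class AccountStore(GlobalStore):
    """Bucket names are scoped per account: (owner, name) is the key."""

    def mb(self, owner, name):
        if (owner, name) in self.buckets:
            raise ValueError("bucket name already taken in this account")
        self.buckets[(owner, name)] = (owner, {})

    def rb(self, owner, name):
        del self.buckets[(owner, name)]

    def put(self, owner, name, key, data):
        self.buckets[(owner, name)][1][key] = data

    def get(self, name, key, expected_owner):
        # Another account's bucket of the same name is a different key entirely,
        # so a deleted bucket resolves to nothing rather than to a stranger's data.
        return self.buckets[(expected_owner, name)][1][key]


def fetch_pinned(store, name, key, expected_owner, pinned_sha256):
    """Fetch and accept only if both the owner and the digest match what we pinned."""
    data = store.get(name, key, expected_owner)
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256):
        raise ArtifactRejected("digest mismatch for %s/%s" % (name, key))
    return data


def takeover_outcome(store):
    """Replay the post's scenario; return (first fetch was legit, what the second fetch saw)."""
    store.mb(ACCOUNT1, "artifacts")
    store.put(ACCOUNT1, "artifacts", "update.dll", LEGIT)
    first = fetch_pinned(store, "artifacts", "update.dll", ACCOUNT1, PINNED_SHA256)
    store.rb(ACCOUNT1, "artifacts")
    store.mb(ACCOUNT2, "artifacts")  # name is free again (global) or simply a new key (namespaced)
    store.put(ACCOUNT2, "artifacts", "update.dll", POISONED)
    try:
        fetch_pinned(store, "artifacts", "update.dll", ACCOUNT1, PINNED_SHA256)
        second = "accepted"
    except (PermissionError, KeyError, ArtifactRejected) as exc:
        second = type(exc).__name__
    return first == LEGIT, second


def unpinned_outcome():
    """Same takeover against a consumer that checks neither owner nor digest."""
    store = GlobalStore()
    store.mb(ACCOUNT1, "artifacts")
    store.put(ACCOUNT1, "artifacts", "update.dll", LEGIT)
    store.rb(ACCOUNT1, "artifacts")
    store.mb(ACCOUNT2, "artifacts")
    store.put(ACCOUNT2, "artifacts", "update.dll", POISONED)
    return store.buckets["artifacts"][1]["update.dll"]  # the substituted file, silently


def boto3_get_object(bucket, key, expected_owner):
    """Real AWS counterpart of GlobalStore.get: S3 answers 403 when the bucket's
    owner is not ExpectedBucketOwner. Needs boto3, credentials and network."""
    import boto3
    resp = boto3.client("s3").get_object(Bucket=bucket, Key=key,
                                         ExpectedBucketOwner=expected_owner)
    return resp["Body"].read()
```

Run `takeover_outcome(GlobalStore())` and `takeover_outcome(AccountStore())` side by side: in the global model the re-created bucket is only caught because the consumer asked for the owner it expected, while in the account-scoped model the reference to the deleted bucket never resolves to the other account's data at all. The digest pin is the provider-independent backstop for the case where the owner check is unavailable or mis-configured.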
Happy bucket naming!