Hacking S3

S3

S3 is a cloud object storage service in AWS that allows users to save and upload files on a cloud storage. S3 bucket comprises of objects and can accomodate unlimited number of objects.

There can be 2 types of S3 bucket:-

• Public - There are no restrictions and they can be accessed by anyone on internet

• Private - Only permitted users can access the bucket. Access to private bucket are governed by "Bucket Policy" of bucket.

You can access Public S3 bucket by visiting https://<bucketname>.s3.amazonaws.com .

S3 Permissions

• GetObject : This permission indicates that user can download a predefined object from S3 bucket.

• PutObject : This permission indicates that user can upload an object to S3 bucket.

S3 Access Controls

Access control in S3 can be done either via Bucket Policy or legacy ACL (Access Control List). Bucket policy takes priority over ACL for any bucket.

Bucket Policy

Bucket policy for a S3 bucket are applied at bucket level i.e they are applied at the whole bucket. These are recommended by AWS for access control over S3 bucket.

Example bucket policy:-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::584358494719:user/BucketRead"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::securitylabs-article/flag.txt",
                "arn:aws:s3:::securitylabs-article/note.txt"
            ]
        }
    ]
}

The following bucket policy has following properties:-

• Effect : Allow here indicates that bucket policy indicates that, if access is granted, the user will be ALLOWED to perform the Action associated with the policy i.e GetObject. If Effect was Deny then it would mean that if access is granted, the user will be DENIED to perform the Action associated with the policy i.e GetObject.

• Principal : Principal here indicates the source ARN associated with the policy. Here arn:aws:iam::584358494719:user/BucketRead indicates that user BucketRead is the one associated with this policy who is being given access.

• Action here indicates what exactly is the permission given to the Principal on the Resource. Here s3:GetObject permission indicates that BucketRead user is allowed to perform GetObject operation on the bucket.

• Resource here indicates the object in S3 bucket on which policy is applied. In this case arn:aws:s3:::securitylabs-article/note.txt and arn:aws:s3:::securitylabs-article/flag.txt indicates that user BucketRead will be given GetObject on note.txt and flag.txt files in bucket called securitylabs-article.

ACL (Access Control List)

Access Control List are the legacy way of having access control on bucket. ACL provide control over both bucket and its objects.

The above is the ACL on the securitylabs-article bucket.

① - This indicates Object ACL. Since both List and Write are selected then this indicates that Bucket owner can Read and Write the objects in the bucket. ② - This indicates bucket ACL which means that bucket owner can edit ACL of the bucket and read the ACL of the bucket as shown in the screenshot above. ③ - This indicates the List permission on all objects in the bucket. If this was enabled, then it would mean that Everyone i.e internet can list all objects in the bucket without authenticating. ④ - This indicates the Read permission for bucket ACL. If enabled, then it would mean that Everyone i.e internet can view the ACL of the bucket without authenticating.

Object Versioning

Versioning in S3 bucket allows users to keep multiple version of same object. In layman terms, this means you can upload multiple objects with same name without overwriting the original object. AWS would store all the uploaded objects as different versions of the original object.

The above screenshot indicates 2 versions of same note.txt object. VersionID sShYGYWi.sfoOVA1SfQoiy6HEXSf2RXw is the recently uploaded object which became the default version while VersionID f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K is the original uploaded object. AWS has saved both the version as a way for us to download the original object as well as the recent object. This can be a sometimes interesting since we might be able to get something interesting in old versions :)

Querying Version Objects from Internet

To query a particular VersionID of object from a publicly accessible bucket, you just need to pass parameter called versionId with the GET request to query the old version object.

If out bucket securitylabs-articles was publicly accessible, then one could download the previous old version of note.txt by knowing the versionId beforehand.

curl 'http:/securitylabs-articles.s3.amazonaws.com/note.txt?versionId=f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K'

Event Notification

Event notification enables users to configure a action if a particular event takes place in the S3 bucket.

For instance, the above screenshot indicates that for any PUT event a Lambda function called securitylabs-lambda is triggered. This means that if any file is uploaded to S3 bucket, this would cause the lambda to be triggered.

This helps to automate processing, parsing of objects and various other use cases upon their upload in S3 bucket.