How to spot and troubleshoot AWS S3 bucket object traversal issues
Introduction
Object traversal in an AWS S3 bucket, where anyone can list the objects the bucket contains, is a common problem with two main causes: an incorrect ACL (Access Control List) configuration and an incorrect bucket policy configuration. The following sections explain how to detect and prevent both misconfigurations.
Introduction to Object Traversal Issue
Let's consider a storage bucket where, upon opening it, we can see the following content:
As we can observe, the bucket directly lists the files it contains, indicating the presence of an object traversal issue. Now, let's delve into why this issue occurs.
1. Incorrect ACL Configuration
When the ACL of a storage bucket is configured to provide "List" permissions to everyone, it results in an object traversal problem.
2. Incorrect Policy Configuration
In addition to ACL misconfigurations, incorrect policy configurations can also lead to the same problem. Here's an example of a policy with an erroneous configuration:
{
  "Version": "2012-10-17",
  "Id": "test",
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::selefra-test-xxxx"
    }
  ]
}
In this policy, all users are granted "s3:ListBucket" permissions for the "selefra-test-xxxx" bucket, which also leads to object traversal issues.
Fixing the Object Traversal Issue
To fix the issue caused by ACL misconfiguration, it is sufficient to uncheck the "List" option for "Everyone." For incorrect policy configurations, it is recommended to follow the principle of least privilege, granting specific permissions to designated users instead of providing access to all users.
Quickly Discovering Object Traversal Issues Using Selefra
Manually identifying these problems can be time-consuming and difficult to perform in bulk. Selefra can assist in quickly detecting these risks.
Selefra Project Repository: github.com/selefra/selefra
Regular Usage of Selefra
Let's start by installing Selefra:
brew tap selefra/tap
brew install selefra/tap/selefra
Next, create a new project folder:
mkdir selefra-test
cd selefra-test
Copy the following YAML file into this folder:
selefra:
  name: selefra-test
  connection:
    type: postgres
    username: your_username
    password: your_password
    host: 127.0.0.1
    port: 5432
    database: postgres
    sslmode: disable
  log_level: info
  providers:
    - name: aws
      source: aws
      version: v0.1.0
providers:
  - name: aws
    provider: aws
    cache: 7d
rules:
  - name: bucket_object_traversal_by_policy
    metadata:
      title: S3 bucket object traversal by policy
    query: |-
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s3_buckets a1,
        json_array_elements(a1.policy :: json -> 'Statement') a2
      WHERE
        (
          a2 ->> 'Action' = 's3:ListBucket'
          OR a2 ->> 'Action' = 's3:List*'
          OR a2 ->> 'Action' = 's3:*'
        )
        AND a2 ->> 'Effect' = 'Allow'
        AND (
          a2 ->> 'Principal' = '*'
          OR a2 -> 'Principal' ->> 'AWS' = '*'
        )
        AND right(substring(a2 ->> 'Resource', -2), 2) <> '/*' ;
    output: "S3 bucket object traversal by policy, arn: {{.arn}}"
  - name: bucket_object_traversal_by_acl
    metadata:
      title: S3 bucket object traversal by acl
    query: |-
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s3_buckets a1,
        aws_s3_bucket_grants a2
      WHERE
        a1.selefra_id = a2.aws_s3_buckets_selefra_id
        AND a2.grantee :: jsonb ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
        AND a2.permission IN ('READ', 'FULL_CONTROL');
    output: "S3 bucket object traversal by acl, arn: {{.arn}}"
This configuration consists of three top-level blocks: "selefra", "providers", and "rules". Under "selefra", configure your PostgreSQL connection details in the "connection" block. The "providers" block declares the AWS provider and its cache duration. The "rules" block holds the detection rules: the "title" field names the detection strategy, and the "query" field contains the SQL that runs against the database to find at-risk resources.
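As an added example (not part of the original post and not Selefra's own code), the same two checks the SQL rules above express, written in Python over a bucket policy document and over grants in the shape S3's GetBucketAcl returns; it also includes the least-privilege policy rewrite recommended in the fix section. The samples are constructed, the role ARN is a placeholder, and a bare "*" action is treated as a hit, which goes slightly beyond the page's rule.

```python
"""Added example, not Selefra's own code: flag S3 bucket policies and ACL
grants that let anyone list a bucket, mirroring the page's two SQL rules."""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# Actions that cover s3:ListBucket; a bare "*" is checked beyond the page's rule
LIST_ACTIONS = {"s3:listbucket", "s3:list*", "s3:*", "*"}

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True for "*" and for {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_list_statements(policy_json):
    """Sids of Allow statements that grant list access on a bucket ARN to everyone."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # ListBucket applies to the bucket ARN itself, never to a ".../*" object ARN
        if actions & LIST_ACTIONS and any(not r.endswith("/*") for r in _as_list(stmt.get("Resource"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def acl_allows_public_list(grants):
    """True when a grant (GetBucketAcl 'Grants' shape) gives READ or FULL_CONTROL to AllUsers."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)

# Constructed samples: the page's public policy, and a least-privilege rewrite
# whose principal is a placeholder role ARN rather than "*"
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "test", "Effect": "Allow", "Principal": "*",
    "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::selefra-test-xxxx"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "scoped", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/PLACEHOLDER-reader"},
    "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::selefra-test-xxxx"}]})
PUBLIC_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]
```

Feeding the output of the real GetBucketPolicy and GetBucketAcl calls into these two functions reproduces the Selefra rules without a database.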
Before starting the detection, configure your AWS credentials using the following command:
aws configure
Then, run the following command to execute Selefra:
selefra apply
Selefra will initiate the detection process, and you will receive results similar to the example below:
In the results, you can identify the at-risk storage buckets. In addition to the method above, Selefra also integrates a ChatGPT feature that lets you discover risk points by querying Selefra directly.
Selefra's GPT Feature
Similar to the previous steps, create a new folder and copy the following YAML file into it:
selefra:
  name: selefra-test
  connection:
    type: postgres
    username: yourusername
    password: yourpassword
    host: 127.0.0.1
    port: 5432
    database: postgres
    sslmode: disable
  log_level: info
  openai_api_key: your_openai_api_key
  openai_mode: gpt-4
  openai_limit: 10
  providers:
    - name: aws
      source: aws
      version: v0.1.0
providers:
  - name: aws
    provider: aws
    cache: 7d
rules:
In this configuration, provide your own OpenAI API key and specify whether to use GPT-4 or GPT-3.5. The "rules" block can be left empty, as it will be generated automatically by the AI.
Before starting the detection, configure your AWS credentials, and then you can use the GPT feature as follows:
selefra gpt "Query S3 Buckets that allow list objects"
The output lists the risks discovered in your cloud environment from that single query, which makes identifying them very convenient.
Conclusion
Object traversal issues in S3 storage buckets are common and important to address. Through this article, I hope to help you understand and mitigate the object traversal issues in AWS S3 storage. With the help of Selefra, we can make the cloud more secure.