Unauthorized access to files - Cloud Storage Services - cloudformation


Need

Prevent unauthorized access to cloud storage services configured with CloudFormation

Context

  • Risk of publicly exposed cloud storage resources
  • Potential unauthorized access to files stored in cloud storage services

Description

Non compliant code

        Resources:
          InsecureStorage:
            Type: AWS::S3::Bucket
            Properties:
              BucketName: my-insecure-storage
              AccessControl: PublicRead   # canned ACL granting the AllUsers group READ
              # No PublicAccessBlockConfiguration: public ACLs and policies are honoured

          InsecureFS:
            Type: AWS::EFS::FileSystem
            Properties:
              FileSystemPolicy:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal: "*"               # any principal, including anonymous clients
                    Action: "elasticfilesystem:*"
                    Resource: "*"

The template above creates two storage resources without effective access restrictions. The S3 bucket is created with the `PublicRead` canned ACL and no `PublicAccessBlockConfiguration`, so anyone on the internet can list the bucket's objects, and any object uploaded with a public ACL becomes readable by everyone. The EFS file system policy allows every principal (`"*"`), including unauthenticated NFS clients that can reach a mount target, to perform every `elasticfilesystem` action.

This can lead to unauthorized users being able to list, read, modify, or delete files, potentially exposing sensitive data or enabling data tampering.

Steps

  • Identify cloud storage resources managed by CloudFormation templates (for example `AWS::S3::Bucket`, `AWS::S3::BucketPolicy`, `AWS::EFS::FileSystem`).
  • Ensure public access is explicitly blocked (e.g., all four flags of `PublicAccessBlockConfiguration` set to `true` for S3) and that no public canned ACL such as `PublicRead` or `PublicReadWrite` is set.
  • Grant access to specific IAM principals and the actions they need instead of wildcard principals and `service:*` actions in storage resource policies.
  • Regularly review permissions to ensure that only authorized identities can access files.
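The steps above can be applied mechanically to a template before it is deployed. The checker below is an added example, not code from the original page: it walks a template in CloudFormation's JSON form using only the standard library and reports S3 buckets that carry a public canned ACL or lack a complete `PublicAccessBlockConfiguration`, and EFS file systems whose policy allows a wildcard principal. The two embedded templates are constructed JSON equivalents of the YAML shown on this page; the function and constant names are this example's own.

```python
"""Static check of a CloudFormation template for publicly exposed storage.

Added example (not part of the original page). It parses a template in
CloudFormation's JSON form and reports S3 buckets and EFS file systems
that are reachable by anonymous principals. Stdlib only.
"""
import json

# Canned ACLs that grant the AllUsers or AuthenticatedUsers groups access.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# All four flags must be true for the bucket-level block to be effective.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed JSON equivalent of the page's non-compliant YAML template.
NONCOMPLIANT_TEMPLATE = """{
  "Resources": {
    "InsecureStorage": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "my-insecure-storage", "AccessControl": "PublicRead"}
    },
    "InsecureFS": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {"FileSystemPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "elasticfilesystem:*", "Resource": "*"}]}}
    }
  }
}"""

# Constructed JSON equivalent of the page's compliant YAML template.
COMPLIANT_TEMPLATE = """{
  "Resources": {
    "SecureStorage": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-secure-storage",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "IgnorePublicAcls": true,
          "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}
    },
    "SecureFS": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {"FileSystemPolicy": {"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecureAccessRole"},
         "Action": "elasticfilesystem:*", "Resource": "*"}]}}
    }
  }
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*", {"AWS": "*"}, or any list/map that contains "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_is_wildcard_principal(v) for v in principal.values())
    if isinstance(principal, list):
        return any(_is_wildcard_principal(p) for p in principal)
    return False


def check_s3_bucket(logical_id, props):
    findings = []
    acl = props.get("AccessControl")
    if acl in PUBLIC_ACLS:
        findings.append((logical_id, f"public canned ACL: {acl}"))
    # CloudFormation accepts both JSON booleans and the string "true" here.
    pab = props.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if pab.get(f) not in (True, "true")]
    if missing:
        findings.append((logical_id,
                         "public access block incomplete: " + ", ".join(missing)))
    return findings


def check_efs_file_system(logical_id, props):
    findings = []
    policy = props.get("FileSystemPolicy") or {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append((logical_id, f"Allow for any principal on {actions}"))
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EFS::FileSystem": check_efs_file_system,
}


def scan(template_json):
    """Return [(logical_id, message), ...] for every storage misconfiguration found."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties") or {}))
    return findings


if __name__ == "__main__":
    for name, text in (("non-compliant", NONCOMPLIANT_TEMPLATE),
                       ("compliant", COMPLIANT_TEMPLATE)):
        print(f"{name}: {scan(text) or 'no findings'}")
```

For YAML templates, load them with a CloudFormation-aware parser (short-form intrinsics such as `!Ref` are YAML tags that a plain loader rejects) and pass the resulting dictionary through the same checks. An `Allow` to `"*"` that carries a `Condition` (for example restricting to a VPC) is still reported here so that a human reviews it; treat that as a deliberate conservative choice rather than a false positive.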

Compliant code

        Resources:
          SecureStorage:
            Type: AWS::S3::Bucket
            Properties:
              BucketName: my-secure-storage
              PublicAccessBlockConfiguration:
                BlockPublicAcls: true
                IgnorePublicAcls: true
                BlockPublicPolicy: true
                RestrictPublicBuckets: true

          SecureFS:
            Type: AWS::EFS::FileSystem
            Properties:
              FileSystemPolicy:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: "arn:aws:iam::123456789012:role/SecureAccessRole"
                    Action: "elasticfilesystem:*"
                    Resource: "*"

The template above configures both storage services with explicit access control to prevent unauthorized access.

- S3: all four flags of `PublicAccessBlockConfiguration` are set, so public ACLs are ignored and rejected and bucket policies that grant public access are refused. No canned ACL is set (the default is private). To disable ACLs altogether, which removes the object-level exposure path entirely, also set `OwnershipControls` with `ObjectOwnership: BucketOwnerEnforced`.
- EFS: the file system policy names a single IAM role as the principal instead of `"*"`, so clients must present IAM credentials for that role. Narrow `Action` further to what the workload needs (for example `elasticfilesystem:ClientMount` and `elasticfilesystem:ClientWrite`) rather than `elasticfilesystem:*`.

References