
Releases: trustoncloud/threatmodel-for-aws-s3

2023-10-02

02 Oct 01:50
============================
Summary change log
============================
New control: controls.S3.C162
New control: controls.S3.C163
New: DFD added to the JSON
Updated: threats.S3.T37.cvss
Updated: threats.S3.T37.cvss_severity
Updated: threats.S3.T37.cvss_score
Updated: threats.S3.T39.cvss
Updated: threats.S3.T39.cvss_severity
Updated: threats.S3.T39.cvss_score
Updated: controls.S3.C58.description
Updated: controls.S3.C61.depends_on
Updated: controls.S3.C62.description
Updated: controls.S3.C64.description
Updated: controls.S3.C68.description
Updated: controls.S3.C96.description
Updated: controls.S3.C96.testing
Updated: controls.S3.C136.description
Updated: controls.S3.C136.testing
Updated: controls.S3.C146.description
Updated: controls.S3.C154.description

============================
Full change log
============================
New control: controls.S3.C162 "Block requests not using DSSE-KMS when required (e.g. by using an SCP and/or an IAM policy on requestParameter.bucketName with a deny statement on "s3:x-amz-server-side-encryption" = "aws:kms:dsse")."
New control: controls.S3.C163 "Monitor requests not using DSSE-KMS when required (e.g. using CloudTrail log event name(s) CloudTrail S3 data events with field(s) requestParameter.bucketName and "response.x-amz-server-side-encryption-aws")."
New: DFD added to the JSON
Updated: threats.S3.T37.cvss
From: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
To:   "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L"
Updated: threats.S3.T37.cvss_severity
From: "High"
To:   "Medium"
Updated: threats.S3.T37.cvss_score
From: "7.2"
To:   "6.9"
Updated: threats.S3.T39.cvss
From: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
To:   "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
Updated: threats.S3.T39.cvss_severity
From: "Medium"
To:   "High"
Updated: threats.S3.T39.cvss_score
From: "6.5"
To:   "7.5"
Updated: controls.S3.C58.description
From: "Track all buckets you control, define their authorized data classification, identify whether the hosted data is primary (i.e. source of truth, for example logs, backups, forensic data, raw data, etc.) or an input/output of a process (e.g. file-processing, software package, etc.), their WORM requirements (e.g. SEC 17a-4, CTCC, etc.), if they are production/non-production (preferably done at account-level), their storage class. You may use tags, Infra-as-code, AWS Glue Data Catalog, or external management tools like <a href="https://finraos.github.io/herd/">FINRA herd</a>)."
To:   "Track all buckets you control, define their authorized data classification, identify whether the hosted data is primary (i.e. source of truth, for example logs, backups, forensic data, raw data, etc.) or an input/output of a process (e.g. file-processing, software package, etc.), their WORM requirements (e.g. SEC 17a-4, CTCC, etc.), if they are production/non-production (preferably done at account-level), their storage class, and their dual-layer server-side encryption requirement (e.g. for NSA CNSSP 15, or DAR CP). You may use tags, Infra-as-code, AWS Glue Data Catalog, or external management tools like <a href="https://finraos.github.io/herd/">FINRA herd</a>)."
Updated: controls.S3.C61.depends_on
From: ""
To:   "S3.C58"
Updated: controls.S3.C62.description
From: "Verify all objects on S3 buckets are encrypted with an authorized KMS key (e.g. using S3 inventory, see <a href="https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/">blog</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_types">S3 Storage Lens</a> UnencryptedObjectCount and SSEKMSEnabledBucketCount)."
To:   "Verify all objects on S3 buckets are encrypted with an authorized KMS key (e.g. using S3 Inventory, see <a href="https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/">blog</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_types">S3 Storage Lens</a> UnencryptedObjectCount and SSEKMSEnabledBucketCount)."
Updated: controls.S3.C64.description
From: "Implement an authorized default encryption key on each bucket; and enable S3 Bucket Key, if CloudTrail events are not required for KMS encrypt/decrypt (note: Amazon S3 evaluates and applies bucket policies before applying bucket default encryption settings)."
To:   "Implement an authorized default encryption key on each bucket; and enable S3 Bucket Key if not DSSE-KMS, if CloudTrail events are not required for KMS encrypt/decrypt (note: Amazon S3 evaluates and applies bucket policies before applying bucket default encryption settings)."
Updated: controls.S3.C68.description
From: "Monitor that only authorized KMS key(s) are used on each bucket (using CloudTrail S3 data events in <i>requestParameter.bucketName</i> and <i>response.x-amz-server-sIDe-encryption-AWS-kms-key-ID</i>)."
To:   "Monitor that only authorized KMS key(s) are used on each bucket (using CloudTrail S3 data events in "requestParameter.bucketName" and "response.x-amz-server-side-encryption-aws-kms-key-id")."
Updated: controls.S3.C96.description
From: "Maintain a list of authorized S3 buckets to receive S3 inventory of each bucket."
To:   "Maintain a list of authorized S3 buckets to receive S3 Inventory of each bucket."
Updated: controls.S3.C96.testing
From: "Request the list of authorized bucket(s) to receive S3 inventory of each bucket, its review process, and its review records."
To:   "Request the list of authorized bucket(s) to receive S3 Inventory of each bucket, its review process, and its review records."
Updated: controls.S3.C136.description
From: "Ensure only authorized S3 buckets are configured to receive S3 inventory for each bucket."
To:   "Ensure only authorized S3 buckets are configured to receive S3 Inventory for each bucket."
Updated: controls.S3.C136.testing
From: "Request 1) the mechanism ensuring only authorized S3 buckets are configured to receive S3 inventory for each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets."
To:   "Request 1) the mechanism ensuring only authorized S3 buckets are configured to receive S3 Inventory for each bucket, 2) its records of execution for all new buckets, and 3) the plan to move any older buckets."
Updated: controls.S3.C146.description
From: "For buckets (or paths) requiring SSE-C, block PutObject requests with unauthorized encryption (e.g. using an S3 bucket policy deny statement on PutObject if the condition "s3:x-amz-server-side-encryption-customer-algorithm"="AES265" is not present)."
To:   "For buckets (or paths) requiring SSE-C, block PutObject requests with unauthorized encryption (e.g. using an S3 bucket policy deny statement on PutObject if the condition "s3:x-amz-server-side-encryption-customer-algorithm"="AES256" is not present)."
Updated: controls.S3.C154.description
From: "Verify bucket ACL and object ACL are disabled on each bucket (e.g. using the AWS Config rule <a href="https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html">S3_BUCKET_ACL_PROHIBITED</a> for bucket ACL, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html">S3 Storage Lens</a> ObjectOwnershipBucketOwnerEnforcedBucketCount)."
To:   "Verify bucket ACL and object ACL are disabled on each bucket (e.g. using the AWS Config rule <a href="https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html">S3_BUCKET_ACL_PROHIBITED</a> for bucket ACL, <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_metrics_glossary.html">S3 Storage Lens</a> ObjectOwnershipBucketOwnerEnforcedBucketCount, or S3 Inventory which include object ACL metadata)."
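The two new preventive controls above (controls.S3.C162 for DSSE-KMS and controls.S3.C146 for SSE-C) are both "explicit Deny on PutObject unless the right encryption header is present". The following is an added example, not part of the threat model or of the project's own material: it writes the two bucket-policy statements as Python dicts and adds a small evaluator that reproduces the IAM condition semantics they rely on (negated string operators such as StringNotEquals match when the key is absent; Null with "true" matches when the key is absent). Bucket names are placeholders, and only explicit-deny evaluation is modelled.

```python
"""Explicit-deny bucket policy statements for controls.S3.C162 (require
DSSE-KMS) and controls.S3.C146 (require SSE-C), with a small evaluator that
reproduces the IAM condition semantics the statements depend on.
Added example; bucket names are placeholders."""
from fnmatch import fnmatchcase

DSSE_BUCKET = "example-dsse-bucket"   # placeholder
SSE_C_BUCKET = "example-ssec-bucket"  # placeholder

# C162: deny PutObject unless the request asks for DSSE-KMS.  StringNotEquals
# also matches when the header is absent, so uploads that rely on the bucket's
# default encryption are denied too (bucket policies are evaluated before
# default encryption is applied, see controls.S3.C64).
DSSE_KMS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutObjectUnlessDsseKms",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{DSSE_BUCKET}/*",
        "Condition": {
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms:dsse"}
        },
    }],
}

# C146: deny PutObject when no SSE-C algorithm header is present.  AES256 is
# the only value S3 accepts, so presence of the header is the whole check.
SSE_C_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutObjectUnlessSseC",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{SSE_C_BUCKET}/*",
        "Condition": {
            "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "true"}
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """IAM semantics for the operators used above."""
    values = _as_list(expected)
    present = key in context
    if operator == "StringEquals":
        return present and context[key] in values
    if operator == "StringNotEquals":      # negated operator: true when key absent
        return (not present) or context[key] not in values
    if operator == "Null":                 # "true" matches absent, "false" matches present
        return present != (str(values[0]).lower() == "true")
    raise ValueError(f"operator {operator} not modelled")


def _statement_applies(stmt, action, resource, context):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Operators and keys within a Condition are ANDed; one key's values are ORed.
    return all(
        _condition_matches(op, key, expected, context)
        for op, keys in stmt.get("Condition", {}).items()
        for key, expected in keys.items()
    )


def explicit_deny(policy, action, resource, context):
    """Sid of the first matching Deny statement, or None.  Only explicit denies
    are modelled; Allow evaluation and principal matching are out of scope."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, context):
            return stmt["Sid"]
    return None


def put_object_denied(policy, bucket, key, headers):
    """Simulate PutObject on bucket/key with the given x-amz-* request headers;
    each header becomes the matching s3:* condition key in the request context."""
    context = {f"s3:{name}": value for name, value in headers.items()}
    return explicit_deny(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", context)


if __name__ == "__main__":
    for hdrs in ({"x-amz-server-side-encryption": "aws:kms:dsse"},
                 {"x-amz-server-side-encryption": "aws:kms"},
                 {}):
        print(hdrs, "->", put_object_denied(DSSE_KMS_BUCKET_POLICY, DSSE_BUCKET, "a.txt", hdrs))
```

The same Deny statements can be carried in an SCP or an identity policy, as C162 suggests, with Resource widened to the buckets in scope. Two caveats worth keeping in mind: the header-less request is denied by the DSSE-KMS statement, so clients cannot fall back on bucket default encryption; and S3 rejects requests that carry both SSE-C and SSE-KMS headers, so the two requirements have to be applied to disjoint buckets or prefixes rather than stacked on one path.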
============================

2023-06-11

11 Jun 12:33

Update of the ThreatModel for Amazon S3

Summary change log

  • 1 new threat: S3.T60 "Create an exfiltration vector via cross-account access point"
  • 4 new controls: S3.C158 to S3.C161
  • Added MITRE ATT&CK techniques, in addition to tactics
  • Various improvements to prioritization and to the wording of existing controls and threats.

Full change log

New threat: threats.S3.T60 "Create an exfiltration vector via cross-account access point"

New control objective: control_objectives.S3.CO40 "Restrict access points to authorized AWS accounts"

New control: controls.S3.C158 "Maintain a list of authorized S3 buckets and their AWS account for cross-account access points."

New control: controls.S3.C159 "Ensure only authorized S3 buckets and their AWS account for cross-account access points are configured."

New control: controls.S3.C160 "Monitor CreateAccessPoint to detect unauthorized buckets or AWS accounts (i.e. using CloudTrail event CreateAccessPoint and its fields "requestParameters.CreateAccessPointRequest.Bucket" and "requestParameters.CreateAccessPointRequest.BucketAccountId")."

New control: controls.S3.C161 "Verify only authorized S3 buckets and their AWS account for cross-account access points are used."
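Three of the detective controls on this page reduce to rules over CloudTrail records: controls.S3.C163 and controls.S3.C68 in the 2023-10-02 release (S3 data events whose response shows an encryption type other than DSSE-KMS, or a KMS key outside the authorized set) and controls.S3.C160 here (CreateAccessPoint management events naming an unauthorized bucket or bucket account). The following is an added example, not code from the threat model or the project: it runs those three rules over constructed CloudTrail records trimmed to the fields the rules read. The bucket names, account IDs and key ARNs are made up; the field names are the ones CloudTrail actually emits (the page's "requestParameter.bucketName" is CloudTrail's requestParameters.bucketName). It goes slightly beyond the page in two places, both marked in the code: CopyObject and CreateMultipartUpload are inspected alongside PutObject, and a CreateAccessPoint without BucketAccountId is attributed to the calling account, which is what the API does by default. S3 data events must be enabled on the trail for the first two rules to see anything.

```python
"""Detection rules over CloudTrail records for controls.S3.C163 and C68
(objects written without DSSE-KMS, or with an unauthorized KMS key) and
controls.S3.C160 (access points created on unauthorized buckets or accounts).
Added example; the records, account IDs and key ARNs below are constructed."""

# Operations whose response reports the encryption applied to the written
# object.  Assumption: CopyObject and CreateMultipartUpload are covered as
# well as PutObject, since they also decide the object's encryption.
ENCRYPTING_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}

OWN_ACCOUNT = "111111111111"   # constructed
DSSE_REQUIRED_BUCKETS = {"secret-bucket"}
AUTHORIZED_KMS_KEYS = {f"arn:aws:kms:us-east-1:{OWN_ACCOUNT}:key/aaaa-1111"}
AUTHORIZED_ACCESS_POINT_TARGETS = {("secret-bucket", OWN_ACCOUNT)}


def _data_event(bucket, sse, key_id=None, name="PutObject"):
    """Build a trimmed S3 data event record (constructed sample)."""
    resp = {"x-amz-server-side-encryption": sse}
    if key_id:
        resp["x-amz-server-side-encryption-aws-kms-key-id"] = key_id
    return {
        "eventSource": "s3.amazonaws.com", "eventName": name,
        "recipientAccountId": OWN_ACCOUNT,
        "requestParameters": {"bucketName": bucket, "key": "file.bin"},
        "responseElements": resp,
    }


def _access_point_event(name, bucket, bucket_account=None):
    """Build a trimmed CreateAccessPoint management event (constructed sample)."""
    req = {"Bucket": bucket}
    if bucket_account:
        req["BucketAccountId"] = bucket_account
    return {
        "eventSource": "s3.amazonaws.com", "eventName": "CreateAccessPoint",
        "recipientAccountId": OWN_ACCOUNT,
        "requestParameters": {"name": name, "CreateAccessPointRequest": req},
        "responseElements": None,
    }


RECORDS = [
    _data_event("secret-bucket", "aws:kms:dsse", f"arn:aws:kms:us-east-1:{OWN_ACCOUNT}:key/aaaa-1111"),
    _data_event("secret-bucket", "aws:kms", f"arn:aws:kms:us-east-1:{OWN_ACCOUNT}:key/aaaa-1111"),
    _data_event("secret-bucket", "aws:kms:dsse", "arn:aws:kms:us-east-1:999999999999:key/bbbb-2222", "CopyObject"),
    _data_event("public-assets", "AES256"),
    _access_point_event("ap-ok", "secret-bucket"),
    _access_point_event("ap-exfil", "attacker-bucket", "999999999999"),
]


def encryption_findings(records, dsse_required, authorized_keys):
    """C163: DSSE-KMS missing on a bucket that requires it.
    C68: a KMS key outside the authorized set was used on any bucket."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in ENCRYPTING_EVENTS:
            continue
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        resp = r.get("responseElements") or {}   # null on failed requests
        sse = resp.get("x-amz-server-side-encryption")
        key_id = resp.get("x-amz-server-side-encryption-aws-kms-key-id")
        if bucket in dsse_required and sse != "aws:kms:dsse":
            findings.append(("C163", bucket, sse))
        if key_id and key_id not in authorized_keys:
            findings.append(("C68", bucket, key_id))
    return findings


def access_point_findings(records, authorized_targets):
    """C160: CreateAccessPoint whose (bucket, bucket account) pair is not
    authorized.  BucketAccountId is optional in the API; when absent the bucket
    is in the calling account, so the record's recipientAccountId is used."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "CreateAccessPoint":
            continue
        params = r.get("requestParameters") or {}
        req = params.get("CreateAccessPointRequest") or {}
        target = (req.get("Bucket"), req.get("BucketAccountId") or r.get("recipientAccountId"))
        if target not in authorized_targets:
            findings.append(("C160", params.get("name"), target))
    return findings


if __name__ == "__main__":
    for f in encryption_findings(RECORDS, DSSE_REQUIRED_BUCKETS, AUTHORIZED_KMS_KEYS):
        print(*f)
    for f in access_point_findings(RECORDS, AUTHORIZED_ACCESS_POINT_TARGETS):
        print(*f)
```

Against the constructed records this yields one C163 finding (the single-layer aws:kms write), one C68 finding (the foreign-account key on the CopyObject) and one C160 finding (the access point on attacker-bucket in another account, the exfiltration vector of threats.S3.T60); the SSE-S3 write to public-assets and the access point on the authorized bucket produce nothing.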

New action: actions.S3.A187 "Return the route configuration for a Multi-Region Access Point."

New action: actions.S3.A188 "Submit a route configuration update for a Multi-Region Access Point."

Updated: threats.S3.T1.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1586"

Updated: threats.S3.T2.name

  • From: "Unauthorized access to data via bucket replication"
  • To: "Unauthorized access to data or loss of control of SSE-C encrypted data via bucket replication"

Updated: threats.S3.T2.description

  • From: "Replication allows you to replicate objects, their metadata and change ownership. The configuration focuses on new objects only (old objects replication requires using S3 Batch Replication). An attacker can configure replication on a bucket to replicate objects (or its metadata or tagging) in a bucket they control to exfiltrate data."
  • To: "Replication allows you to replicate objects and their metadata and change ownership. The configuration only focuses on new objects (old objects replication requires S3 Batch Replication). An attacker can configure replication on a bucket to replicate objects (or its metadata or tagging) in a bucket they control to exfiltrate data. As objects encrypted via SSE-C are also replicated without additional configuration or access requirements, an attacker can then decrypt it in their own bucket if they have the SSE-C key."

Updated: threats.S3.T2.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1048"

Updated: threats.S3.T3.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1567"

Updated: threats.S3.T4.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1486"

Updated: threats.S3.T5.description

  • From: "S3 buckets can be public for a legitimate reason. An attacker (or someone by negligence) can upload sensitive data in an accessible bucket (e.g. public) you do not own to make it accessible to exfiltrate it."
  • To: "S3 buckets can be public for a legitimate reason. An attacker (or someone by negligence) can upload sensitive data in an accessible bucket (e.g. public) you do not own to make it accessible to exfiltrate data."

Updated: threats.S3.T5.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1074"

Updated: threats.S3.T6.mitre_attack

  • From: "TA0010"
  • To: "TA0005,T1562"

Updated: threats.S3.T7.description

  • From: "S3 allows IAM entities to upload data in a bucket in other AWS accounts, if they have the IAM permissions. An attacker can use one of your IAM entities to upload data to one of their buckets. If the attacker does not control object ACL, it can use the name of objects (1KB)."
  • To: "S3 allows IAM entities to upload data in a bucket in other AWS accounts, if they have the IAM permissions. An attacker can use one of your IAM entities to upload data to one of their buckets. If the attacker does not control object ACL, they can use the name of objects (1KB)."

Updated: threats.S3.T7.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1537"

Updated: threats.S3.T8.description

  • From: "VPC endpoints for S3 allow IAM entities to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate pre-collected data to an external S3 bucket via a VPC endpoint, using an internal IAM entity they control. If the attacker does not control object ACL, it can use the name of objects (1KB)."
  • To: "VPC endpoints for S3 allow IAM entities to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate pre-collected data to an external S3 bucket via a VPC endpoint, using an internal IAM entity they control. If the attacker does not control object ACL, they can use the name of objects (1KB)."

Updated: threats.S3.T8.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1537"

Updated: threats.S3.T9.description

  • From: "VPC endpoints for S3 allow any entity to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate data to an external S3 bucket via one of your VPC endpoints, using a non-authenticated user or its own external IAM entity. Note that some external IAM entities might be authorized if provided by one of your business partners."
  • To: "VPC endpoints for S3 allow any entity to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate data to an external S3 bucket via one of your VPC endpoints, using a non-authenticated user or their own external IAM entity. Note that some external IAM entities might be authorized if provided by one of your business partners."

Updated: threats.S3.T9.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1537"

Updated: threats.S3.T10.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1537"

Updated: threats.S3.T11.mitre_attack

  • From: "TA0009"
  • To: "TA0009,T1074"

Updated: threats.S3.T12.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1557"

Updated: threats.S3.T13.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1557"

Updated: threats.S3.T14.mitre_attack

  • From: "TA0001"
  • To: "TA0001,T1195"

Updated: threats.S3.T15.mitre_attack

  • From: "TA0040"
  • To: "TA0002,T1203"

Updated: threats.S3.T16.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1486"

Updated: threats.S3.T17.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1485"

Updated: threats.S3.T18.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1020"

Updated: threats.S3.T19.mitre_attack

  • From: "TA0043"
  • To: "TA0043,T1589"

Updated: threats.S3.T20.description

  • From: "CloudFront distributions can use S3 as their origin. An attacker can connect a CloudFront distribution to a private S3 bucket to get access to it."
  • To: "CloudFront distributions can use S3 buckets or access points as their origin. An attacker can connect a CloudFront distribution to a private S3 bucket to get access to it. Note: S3 resource policies can allow a cloudfront.amazonaws.com principal which could allow any distributions if not restricted."

Updated: threats.S3.T20.mitre_attack

  • From: "TA0010"
  • To: "TA0005,T1562"

Updated: threats.S3.T21.mitre_attack

  • From: "TA0010"
  • To: "TA0005,T1562"

Updated: threats.S3.T22.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1496"

Updated: threats.S3.T23.description

  • From: "S3 provides URLs to buckets using the bucket name (i.e. "mybucket.s3.amazonaws.com"). An attacker can create a bucket with the name of your trademark to phish users."
  • To: "S3 provides URLs to buckets using the bucket name (i.e. "mybucket.s3.amazonaws.com"). An attacker can create a bucket with the name of your trademark to phish users."

Updated: threats.S3.T23.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1056"

Updated: threats.S3.T24.mitre_attack

  • From: "TA0043"
  • To: "TA0043,T1589"

Updated: threats.S3.T25.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1485"

Updated: threats.S3.T26.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1020"

Updated: threats.S3.T27.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1565"

Updated: threats.S3.T28.description

  • From: "Access points can be deleted and recreated with the same name, and therefore the same ARN. An attacker can delete an access point and recreate the same, on a bucket (in the same account) it controls to collect/modify data; or making it accessible over the Internet."
  • To: "Access points can be deleted and recreated with the same name, and therefore the same ARN. An attacker can delete an access point and recreate the same, on a bucket they control to collect/modify data; or make it accessible over the Internet."

Updated: threats.S3.T28.mitre_attack

  • From: "TA0009"
  • To: "TA0009,T1056"

Updated: threats.S3.T29.mitre_attack

  • From: "TA0040"
  • To: "TA0040,T1496"

Updated: threats.S3.T30.mitre_attack

  • From: "TA0009"
  • To: "TA0009,T1530,T1119"

Updated: threats.S3.T31.description

  • From: "Bucket names are globally unique. An attacker can take over a legitimate external bucket and deceive you into sending it to their bucket."
  • To: "Bucket names are globally unique. An attacker can take over a legitimate external bucket and deceive you into sending data to their bucket."

Updated: threats.S3.T31.mitre_attack

  • From: "TA0010"
  • To: "TA0010,T1537,T1567"

Updated: threats.S3.T32.mitre_attack

  • From: "TA0043"
  • To: "TA0043,T1590"

Updated: threats.S3.T33.mitre_attack

  • From: "TA0004"
  • To: "TA0004,T1548"

Updated: threats.S3.T34.mitre_attack

  • From: "TA0010"
  • To: "TA0009,T1557"

Updated: threats.S3.T35.mitre_attack

  • From: "TA0040"
  • To: "TA0011,T1102"

Updated: threats.S3.T36.description

  • From: "Bucket authority only...

2022-09-20

20 Sep 09:36

Update of the ThreatModel for Amazon S3

Get it as PDF, DOCX, or JSON

Change log

  • 3 new threats: S3.T57 to S3.T59
  • 3 new controls: S3.C155 to S3.C157
  • 2 new control objectives: S3.CO38 and S3.CO39
  • Various improvements to prioritization and to the wording of existing controls and threats.

Full change log

Updated: threats.S3.T1.description

  • From: "Bucket names are globally unique. An attacker can recreate the same bucket name of a deleted bucket you used to own to collect any new data being uploaded by a non-updated party, do a DNS takeover (using a non-deleted CNAME / CloudFront origin to the bucket) or to use remaining permissions to exfiltrate data."
  • To: "Bucket names are globally unique and can be recreated after 1 hour from deletion in another AWS account. An attacker can recreate the same bucket name of a deleted bucket you used to own to collect any new data uploaded by a non-updated party, do a DNS takeover (using a non-deleted CNAME / CloudFront origin to the bucket), or use remaining permissions to exfiltrate data."

Updated: threats.S3.T2.description

  • From: "Replication allows you to replicate objects, their metadata and change ownership. The configuration focuses on new objects only (old objects replication requires a ticket to AWS Support). An attacker can configure replication on a bucket to replicate objects (or its metadata or tagging) in a bucket they control to exfiltrate data."
  • To: "Replication allows you to replicate objects, their metadata and change ownership. The configuration focuses on new objects only (old objects replication requires using S3 Batch Replication). An attacker can configure replication on a bucket to replicate objects (or its metadata or tagging) in a bucket they control to exfiltrate data."

Updated: threats.S3.T3.cvss

  • From: "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
  • To: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"

Updated: threats.S3.T3.cvss_score

  • From: "6.7"
  • To: "5.7"

Updated: threats.S3.T3.name

  • From: "Exfiltrate your data hosted on an external bucket, by using of a compromised IAM access from Internet"
  • To: "Exfiltrate your data hosted on an external bucket by using compromised IAM credentials accessed over the Internet"

Updated: threats.S3.T3.description

  • From: "IAM credentials can be compromised. An attacker can use a compromised but authorized credential to download your object from an external bucket via the public endpoint (using or not their own VPC endpoint)."
  • To: "IAM credentials can be compromised. An attacker can use a compromised but authorized credential to download your object from an external bucket via the public endpoint or their VPC endpoint."

Updated: threats.S3.T7.name

  • From: "Exfiltrate data to an attacker bucket via public endpoint"
  • To: "Exfiltrate data to an attacker bucket via a public endpoint"

Updated: threats.S3.T8.name

  • From: "Exfiltrate data by using a S3 VPC endpoint to upload data to an attacker bucket using an internal IAM entity"
  • To: "Exfiltrate data by using an S3 VPC endpoint to upload data to an attacker bucket using an internal IAM entity"

Updated: threats.S3.T8.description

  • From: "VPC endpoints for S3 allow IAM entities to connect from a VPC to any S3 bucket without Internet Gateway. An attacker can exfiltrate pre-collected data to an external S3 bucket via a VPC endpoint, using an internal IAM entity they control. If the attacker does not control object ACL, it can use the name of objects (1KB)."
  • To: "VPC endpoints for S3 allow IAM entities to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate pre-collected data to an external S3 bucket via a VPC endpoint, using an internal IAM entity they control. If the attacker does not control object ACL, it can use the name of objects (1KB)."

Updated: threats.S3.T9.description

  • From: "VPC endpoints for S3 allow any entity to connect from a VPC to any S3 bucket without Internet Gateway. An attacker can exfiltrate data to an external S3 bucket via one of your VPC endpoints, using a non-authenticated user or its own external IAM entity. Note that some external IAM entities might be authorized, if provided by one of your business partners."
  • To: "VPC endpoints for S3 allow any entity to connect from a VPC to any S3 bucket without an Internet Gateway. An attacker can exfiltrate data to an external S3 bucket via one of your VPC endpoints, using a non-authenticated user or its own external IAM entity. Note that some external IAM entities might be authorized if provided by one of your business partners."

Updated: threats.S3.T10.description

  • From: "AWS authenticates per AWS account. An attacker can bring its own credentials to exfiltrate data to external S3 buckets through the S3 public endpoint. It can be a non-authenticated user as well."
  • To: "AWS authenticates per AWS account. An attacker can use their own credentials to exfiltrate data to external S3 buckets through the S3 public endpoint. It can be a non-authenticated user as well."

Updated: threats.S3.T12.description

  • From: "S3 allows communication over HTTP. An attacker can intercept the traffic you send on an external bucket, in order to read or modify the data."
  • To: "S3 allows communication over HTTP. An attacker can intercept the traffic you send to an external bucket, in order to read or modify the data."

Updated: threats.S3.T13.name

  • From: "Intercept data in transit on the website endpoint"
  • To: "Read data in transit on the website endpoint"

Updated: threats.S3.T13.description

  • From: "S3 website endpoint is serving HTTP only. An attacker can intercept HTTP traffic to steal data."
  • To: "S3 website endpoint is serving HTTP only. An attacker can intercept the traffic you send to an external bucket to read the data."

Updated: threats.S3.T14.name

  • From: "Use bucket to upload a malware or modify an object to include a malware"
  • To: "Use a bucket to upload malware or modify an object to include malware"

Updated: threats.S3.T14.description

  • From: "S3 buckets are commonly used to distribute software. An attacker can upload malware in a bucket to better position it for later use, or directly change an object to include a malware (example)."
  • To: "S3 buckets are commonly used to distribute software. An attacker can upload malware in a bucket to better position it for later use or directly change an object to include malware (example)."

Updated: threats.S3.T14.mitre_attack

  • From: "TA0040"
  • To: "TA0001"

Updated: threats.S3.T15.description

  • From: "S3 website enables users to be served client-side scripts (e.g. JavaScript). An attacker can upload a client-side script with a malware (e.g. cryptomining) on the visitor."
  • To: "S3 website enables users to be served client-side scripts (e.g. JavaScript). An attacker can upload a client-side script with malware (e.g. cryptomining) to the visitor."

Updated: threats.S3.T17.description

  • From: "S3 provides high durability by design (11 9s), however data can still be deleted by the customer. An attacker (or someone by negligence) can use its access to destroy (or modify) primary data located on S3, affecting the ability for the business to operate (for example, Code Spaces)."
  • To: "S3 provides high durability by design (11 9s). However, data can still be deleted by the customer. An attacker (or someone by negligence) can use its access to destroy (or modify) primary data located on S3, affecting the ability of the business to operate (for example, Code Spaces)."

Updated: threats.S3.T17.feature_class

  • From: "S3.FC5"
  • To: "S3.FC1"

Updated: threats.S3.T19.name

  • From: "Recon of AWS root account emails using email ACL grantee feature"
  • To: "Recon of AWS root account emails using the email ACL grantee feature"

Updated: threats.S3.T19.mitre_attack

  • From: "TA0007"
  • To: "TA0043"

Updated: threats.S3.T21.description

  • From: "Number of AWS services are using S3 for storage, including storing in cross-account S3 buckets. Services with IAM roles (e.g. SageMaker) will give ownership to the target AWS account, hence removing the ownership protection. An attacker can use those services to exfiltrate data."
  • To: "Number of AWS services are using S3 for storage, including storing in cross-account S3 buckets. Services with IAM roles (e.g. SageMaker) will give ownership to the target AWS account, removing ownership protection. An attacker can use those services to exfiltrate data."

Updated: threats.S3.T22.description

  • From: "S3 charges for hosting and data transfer out. An attacker can hotlink your content hosted on S3 on another page to avoid paying the S3 charges (ref)."
  • To: "S3 charges for hosting and data transfer out. An attacker can hotlink your content hosted on S3 on another page to avoid paying the S3 bills (<a href="ht...

2021-12-09

09 Dec 05:38

Update of the ThreatModel for Amazon S3, including the last few months of updates:

  • new APIs accessible via S3 Object Lambda,
  • Multi-Region Access Points,
  • and the brand-new S3 Object Ownership setting to disable ACLs.

Get it as PDF, DOCX, or JSON

Change log

  • 3 new threats: S3.T54 to S3.T56
  • 10 new controls: S3.C145 to S3.C154
  • 1 new control objective: S3.CO37
  • Various improvements to prioritization and to the wording of existing controls and threats.

Full change log

Updated scorecard.number_of_iam_permissions.score

  • From: "141"
  • To: "153"

Updated scorecard.number_of_actions.score

  • From: "170"
  • To: "182"

Updated scorecard.number_of_events.score

  • From: "138"
  • To: "150"

Updated scorecard.aws_cloudformation.score

  • From: "4"
  • To: "6"

Updated control_objectives.S3.CO9.description

  • From: "Block requests with CMKs from unauthorized AWS account(s)"
  • To: "Block requests with KMS keys from unauthorized AWS account(s)"

Updated actions.S3.A34.long_description

  • From: "Server access logging provides detailed records for the requests that are made to a bucket. CloudTrail S3 data events are preferred, due to the more reliable delivery timing, consistency, supporting KMS encryption and S3 Object Lock (full comparison), however website endpoint is not recorded on S3 data events, some SIEM modules might be more featured with S3 Access Logs, and access logging is free beside storage."
  • To: "Server access logging provides detailed records for the requests that are made to a bucket. CloudTrail S3 data events are preferred, due to the more reliable delivery timing, consistency, supporting KMS encryption and S3 Object Lock (full comparison), however website endpoint is not recorded on S3 data events, some SIEM modules might be more featured with S3 access logs, and access logging is free beside storage."

Updated actions.S3.A118.order

  • From: "31"
  • To: "32"

Updated actions.S3.A164.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A104.long_description

  • From: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions (ref)."
  • To: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to control that the requester has the necessary access permissions (ref)."

Updated actions.S3.A74.order

  • From: "27"
  • To: "28"

Updated actions.S3.A29.order

  • From: "28"
  • To: "29"

Updated actions.S3.A144.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A138.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A141.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A158.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A69.long_description

  • From: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions (ref)."
  • To: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to control that the requester has the necessary access permissions (ref)."

Updated actions.S3.A130.description

  • From: "S3 Storage Lens provides a single view of object storage usage and activity across your entire S3 storage"
  • To: "S3 Storage Lens provides a single view of object storage usage and activity across your entire S3 storage."

Updated actions.S3.A165.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A133.description

  • From: "S3 Storage Lens provides a single view of object storage usage and activity across your entire S3 storage"
  • To: "S3 Storage Lens provides a single view of object storage usage and activity across your entire S3 storage."

Updated actions.S3.A113.action_description

  • From: "Retrieves the policy status for an specific access point's policy"
  • To: "Retrieves the policy status for a specific access point's policy"

Updated actions.S3.A124.iam_permission

  • From: "s3:DeleteBucketIntelligentTieringConfiguration"
  • To: "s3:DeleteIntelligentTieringConfiguration"

Updated actions.S3.A151.description

  • From: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function"
  • To: "S3 Object Lambda enables users to apply their own custom code to process the output of a standard S3 request by automatically invoking a Lambda function."

Updated actions.S3.A67.long_description

  • From: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions (ref)."
  • To: "You can upload and download virtually any number of objects to an external S3 bucket you authorized to. Amazon S3 access control lists (ACLs) enable you to manage access to objects. Each object has an ACL attached to it as a sub-resource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to control that the requester has the necessary access permissions (ref)."

...
