Unauthorized access to files - Cloud Storage Services - Cloudformation
Need
Prevent unauthorized access to cloud storage services configured with CloudFormation
Context
- Risk of publicly exposed cloud storage resources
- Potential unauthorized access to files stored in cloud storage services
Description
Insecure Code Example
Resources:
  InsecureStorage:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-insecure-storage
      AccessControl: PublicRead
      # No restrictions on public access
  InsecureFS:
    Type: AWS::EFS::FileSystem
    Properties:
      FileSystemPolicy:
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: "elasticfilesystem:*"
            Resource: "*"
The above CloudFormation template creates cloud storage resources (an Amazon S3 bucket and an Amazon EFS file system) without enforcing any access restrictions: the bucket uses the `PublicRead` canned ACL and has no public access block, and the file system policy allows every `elasticfilesystem` action to any principal (`Principal: "*"`). Without explicit security configurations, the storage may allow public or unauthenticated access. This can lead to unauthorized users being able to list, read, modify, or delete files, potentially exposing sensitive data or enabling data tampering.
Steps
- Identify cloud storage resources managed by CloudFormation templates.
- Ensure public access is explicitly blocked (e.g., `PublicAccessBlockConfiguration` for S3).
- Use IAM policies instead of broad, open permissions in storage service configurations.
- Regularly review permissions to ensure that only authorized identities can access files.
Secure Code Example
Resources:
  SecureStorage:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-storage
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
  SecureFS:
    Type: AWS::EFS::FileSystem
    Properties:
      FileSystemPolicy:
        Statement:
          - Effect: Allow
            Principal:
              AWS: "arn:aws:iam::123456789012:role/SecureAccessRole"
            Action: "elasticfilesystem:*"
            Resource: "*"
The above CloudFormation template configures cloud storage services with strict access control to prevent unauthorized access.
- S3: Blocks public access entirely (all four `PublicAccessBlockConfiguration` flags set to `true`) and does not use permissive ACLs.
- EFS: Restricts access to a specific IAM role (`SecureAccessRole`) instead of granting it to any principal.
References
Last updated
2025/04/03