Abusing Predictable S3 Bucket Names

A common practice in AWS is to have a service read its files from an S3 bucket located in the same region as that service. Sometimes this is for latency reasons and sometimes you don't have a choice in the matter. The S3Bucket property of a Lambda function in a CloudFormation template, for example, requires that the bucket be in the same region as the function.

S3 also has a global namespace which means bucket names cannot be reused in other regions or by other accounts. This means that services which are deployed in many regions generally have a standard way of naming their buckets, usually by using the region name as a prefix or suffix to another string. When setting these up, a developer will generally register all buckets which match the pattern in their respective regions and make a note to additionally register new buckets as new regions are launched.

If someone has prior knowledge of both the pattern being used for the bucket registration and of an upcoming region name, they could claim that bucket as their own before the owner of the other buckets has a chance to.

AWS region names aren't generally publicized ahead of launch, but they show up in Certificate Transparency logs fairly early, or you could simply take an educated guess. For example, Cape Town, which is near the southern-most point of Africa, was announced last year and is the first region in that geographical area (hint hint).

Throughout the last year I registered many buckets that had this issue, both from AWS service teams and from external vendors, and subsequently worked with them on this issue, in particular when the new regions were released.
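A defender's check for the problem described above, as an added example that is not part of the original post: given the naming pattern your deployments use and the list of regions you expect to roll out to (including any newly announced one), it reports which bucket names you already own, which are still unclaimed and should be registered now, and which someone else has already taken. The pattern, region list and inventory of owned buckets are constructed for the example; in practice the inventory would come from listing your own account's buckets.

```python
"""Audit a region-templated S3 bucket naming pattern for unclaimed names."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Set

# Constructed for this example: a typical "<prefix>-<region>" pattern and a
# rollout list that includes the Cape Town region (af-south-1).
PATTERN = "example-corp-lambda-artifacts-{region}"
REGIONS = ["us-east-1", "eu-west-1", "af-south-1"]


def expand_bucket_names(pattern: str, regions: Iterable[str]) -> Dict[str, str]:
    """Return {region: bucket_name} for every region in the rollout list."""
    return {region: pattern.format(region=region) for region in regions}


def classify(status: int) -> str:
    """Map an unauthenticated HEAD status to a namespace state.

    S3 answers 404 when no bucket of that name exists anywhere in the global
    namespace; 200, 301, 307 or 403 all mean the name is already taken.
    """
    if status == 404:
        return "unclaimed"
    if status in (200, 301, 307, 403):
        return "claimed"
    return "unknown"


def head_bucket(name: str) -> int:
    """Unauthenticated HEAD against the virtual-hosted S3 endpoint (network)."""
    req = urllib.request.Request(f"https://{name}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(pattern: str, regions: Iterable[str], owned: Set[str],
          probe: Callable[[str], int] = head_bucket) -> Dict[str, str]:
    """Report each region's bucket as owned / unclaimed / claimed / unknown.

    'unclaimed' names should be registered before the region launches;
    'claimed' names that are not in our inventory need investigation.
    """
    report = {}
    for region, name in expand_bucket_names(pattern, regions).items():
        report[region] = "owned" if name in owned else classify(probe(name))
    return report
```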
