Video: Internal S3 Buckets Exposed via Public EC2 Instances

January 21, 2021 | IN AWS, Blog, Query, Video | BY Akash Ganapathi

This is one in a series of short, simple J1 queries that will help you interrogate your AWS environments. The JupiterOne platform used to run these queries is free.

This query surfaces internal (non-public) S3 buckets that are reachable through a public EC2 instance: an instance exposed to the internet through its security group, which uses an IAM role whose access policy grants access to the bucket. This access path was responsible for one of the major data breaches at an international financial organization, and it flew under the radar of most security organizations until that happened. Traversing the graph with the J1 Query Language lets security teams see how instances are connected to the internet and how those instances relate to the roles whose access policies grant access to S3 buckets.

Cut-and-Paste Query

Here is the query to cut and paste into your J1 instance. Watch JupiterOne technical expert Akash Ganapathi walk through the example query and then display the results in real time. If you find this useful, give us some contact info at the bottom of this page and we’ll send you twice-monthly updates as we continue to explore various environments with JupiterOne. You’ll also receive a personal invitation to a hands-on J1 Query Workshop in March.

FIND Internet
   THAT ALLOWS aws_security_group
   THAT PROTECTS aws_instance WITH active=true
   THAT USES aws_iam_role
   THAT ASSIGNED AccessPolicy
   THAT ALLOWS (aws_s3|aws_s3_bucket) WITH classification!='public'
RETURN TREE
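To make the traversal concrete, here is an added Python example (not from JupiterOne or this post) that walks the same Internet -> security group -> instance -> role -> policy -> bucket chain over a small constructed graph. The entity ids, property values and the per-clause filters are assumptions; the script emulates the query's path logic in plain Python, not J1QL itself.

```python
# Constructed sample graph (not real JupiterOne data) mirroring the query's types and verbs.
ENTITIES = {
    "internet": {"_class": "Internet"},
    "sg-web": {"_type": "aws_security_group"},
    "sg-private": {"_type": "aws_security_group"},
    "i-web": {"_type": "aws_instance", "active": True},
    "i-old": {"_type": "aws_instance", "active": False},
    "i-private": {"_type": "aws_instance", "active": True},
    "role-web": {"_type": "aws_iam_role"},
    "role-batch": {"_type": "aws_iam_role"},
    "policy-s3": {"_class": "AccessPolicy"},
    "bucket-customers": {"_type": "aws_s3_bucket", "classification": "internal"},
    "bucket-assets": {"_type": "aws_s3_bucket", "classification": "public"},
}
EDGES = [  # (from, VERB, to)
    ("internet", "ALLOWS", "sg-web"),
    ("sg-web", "PROTECTS", "i-web"),
    ("sg-web", "PROTECTS", "i-old"),          # stopped instance, filtered by active=true
    ("sg-private", "PROTECTS", "i-private"),  # no edge from the Internet to this group
    ("i-web", "USES", "role-web"),
    ("i-old", "USES", "role-web"),
    ("i-private", "USES", "role-batch"),
    ("role-web", "ASSIGNED", "policy-s3"),
    ("role-batch", "ASSIGNED", "policy-s3"),
    ("policy-s3", "ALLOWS", "bucket-customers"),
    ("policy-s3", "ALLOWS", "bucket-assets"),
]
# One (verb, target filter) pair per "THAT <VERB> <type> WITH <filter>" clause of the query.
QUERY_STEPS = [
    ("ALLOWS", lambda e: e.get("_type") == "aws_security_group"),
    ("PROTECTS", lambda e: e.get("_type") == "aws_instance" and e.get("active") is True),
    ("USES", lambda e: e.get("_type") == "aws_iam_role"),
    ("ASSIGNED", lambda e: e.get("_class") == "AccessPolicy"),
    ("ALLOWS", lambda e: e.get("_type") in ("aws_s3", "aws_s3_bucket")
     and e.get("classification") != "public"),
]

def traverse(start, steps):
    """Extend paths one clause at a time; a path dies when no edge satisfies a step."""
    paths = [[start]]
    for verb, keep in steps:
        paths = [p + [dst] for p in paths for src, v, dst in EDGES
                 if src == p[-1] and v == verb and keep(ENTITIES[dst])]
    return paths

def exposed_internal_buckets():
    """All Internet -> ... -> non-public bucket paths (the query's RETURN TREE as flat paths)."""
    return [p for node, e in ENTITIES.items() if e.get("_class") == "Internet"
            for p in traverse(node, QUERY_STEPS)]
```

Starting the same traversal from sg-private shows that role-batch can also reach the internal bucket, but it is not reported because nothing connects that path to the Internet, which is exactly the distinction the graph query makes.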

Contribute your J1 Query to the Community

We will frequently be adding cut-and-paste J1 queries to our gallery. Join the community and every two weeks we’ll send you a list of new queries. You can contribute your own queries for inclusion and examination in an upcoming article. Use the form below to join us.