Re: [MWUG] Digest for - 3 updates in 1 topic

Skip to first unread message

Michael Cropper

Jan 14, 2021, 3:29:58 PM1/14/21
As Mike says, triple check your settings. Unlike a lot of AWS services that are often protected in a VPC or similar, the way AWS S3 system as a whole works is that it is nothing more than a glorified key : value store. So if you don't configure your bucket policies correctly you could be exposing data you shouldn't be. 

Bearing in mind that the settings are often a mix between the GUI and the Yaml policies depending on your use case. 

Also keep in mind this may be a phishing email. 

On Thu, 14 Jan 2021, 20:20 , <> wrote:
Mike Witt <>: Jan 13 03:55PM -0800

Just a shot in the dark here, but anybody using AWS S3 and recently got an
email starting like this:
Subject: Notification of Amazon S3 buckets configured for public access
We are writing to notify you that you have configured your S3 bucket(s) to
be publicly accessible ...
And it then goes on to list several buckets which (AFAICT) are NOT public
(even though I have some other buckets which are.)
I have asked about it on the AWS forum, but no luck there so far. Just
thought I give it a try here.
Mike Little <>: Jan 14 12:24PM

I have had similar emails. But in my case the one bucket listed as public
is intentionally public.
However, a couple of years ago, when AWS realised that they had been
setting things to default to public (or all the examples they gave did so),
many of my buckets were listed as "potentially" public.
And I think that "potentially" is the problem. My interpretation of the
emails (and maybe the linked web page) is that it is possible to set up
buckets so that they require a logged in AWS user. But if you do it wrong
(and I think I did in the early days), ANY logged in AWS user can access
the bucket, which is practically the same as public to the bad folks.
So it is worth triple checking your settings.
I'm not an AWS expert, and definitely got it wrong when I first started
using S3.
I hope that helps.
> <>
> .
Stay safe and healthy, best regards,
*Mike Little*
*WordPress Specialist*
Twitter: @mikelittlezed1
Founder and Director
* Limited*
Registered in England & Wales, no. 6745562
Mike Witt <>: Jan 14 12:04PM -0700

OK, I think I see what you're saying. It sounds there are some things I
should check out. Thanks!
On 01/14/2021 05:24:22 AM, 'Mike Little' via Manchester WordPress User
Group wrote:
You have received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
To unsubscribe from this group and stop receiving emails from it send an email to
Reply all
Reply to author
0 new messages