Amazon s3 warning

Below is an email I received from Amazon. How come I set up the Zeroqode AWS plugin according to instructions and now AWS wants to write me warning letters? Is Zeroqode doing something wrong that AWS doesn’t like or what?

Lately there seems to be too much Amazon focus and attention on the Zeroqode plugin relating to SSL certificates, and now too much traffic by the public?

What's the story?

Hello,

We are writing to notify you that you have configured your S3 bucket(s) to be publicly accessible, and this may be a larger audience than you intended. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access. Public buckets are accessible by anyone on the Internet, and content in them may be indexed by search engines.

We recommend enabling the S3 Block Public Access feature on buckets if public access is not required. S3 bucket permissions should never allow “Principal”:"*" unless you intend to grant public access to your data. Additionally, S3 bucket ACLs should be appropriately scoped to prevent unintended access to “Authenticated Users” (anyone with an AWS account) or “Everyone” (anyone with Internet access) unless your use case requires it. For AWS’s definition of “Public Access,” please see The Meaning of "Public” [1].

The list of buckets which can be publicly accessed is below:
NAME WITHHELD* | us-east-2

You can ensure individual buckets, or all your buckets prevent public access by turning on the S3 Block Public Access feature [2]. This feature is free of charge and it only takes a minute to enable. For step by step instructions on setting up S3 Block Public Access via the S3 management console, see Jeff Barr’s blog [3], or check out the video tutorial on Block Public Access [4].

If you have a business need to maintain some level of public access, please see Overview of Managing Access [5] for more in-depth instructions on managing access to your bucket to make sure you’ve permitted the correct level of access to your objects. If you would like more information about policy configuration in S3, please refer to Managing Access in Amazon S3 [6], and S3 Security Best Practices [7].

We recommend that you make changes in accordance with your operational best practices.

If you believe you have received this message in error or if you require technical assistance, please open a support case [8].

[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status
[2] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
[3] https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
[4] https://aws.amazon.com/s3/features/block-public-access/
[5] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html#access-control-resources-manage-permissions-basics
[6] https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
[7] https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
[8] https://aws.amazon.com/support

Sincerely,
Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210


Reference: https://phd.aws.amazon.com/phd/home#/event-log?Event%20ARN=arn:aws:health:global::event/S3/AWS_S3_SECURITY_NOTIFICATION/AWS_S3_SECURITY_NOTIFICATION_44c593bb-e493-4e37-beb0-43b43fed6381&eventID=arn:aws:health:global::event/S3/AWS_S3_SECURITY_NOTIFICATION/AWS_S3_SECURITY_NOTIFICATION_44c593bb-e493-4e37-beb0-43b43fed6381&eventTab=details&layout=vertical

BUMP! VERY VERY CONCERNING! Comments?
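As an added example (not code from the thread, the plugin or AWS), here is a small Python audit of the two things the notice calls out: bucket policy statements that grant to a wildcard `Principal`, and the four Block Public Access flags. The sample policy, bucket name, account id and VPC id are constructed placeholders.

```python
import json

# Constructed sample policy of the kind the AWS notice warns about: the first
# statement's wildcard Principal makes every object world-readable.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
        {"Sid": "AppUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/bubble-app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def _is_wildcard(principal):
    """True when the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit_policy(policy_json):
    """Split Allow statements with a wildcard Principal into 'public' (no
    Condition) and 'review' (a Condition may narrow the grant, e.g. to one VPC;
    AWS's "Meaning of Public" rules decide, so those need a manual check)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be a bare object
        statements = [statements]
    public, review = [], []
    for s in statements:
        if s.get("Effect") != "Allow" or not _is_wildcard(s.get("Principal")):
            continue
        (review if s.get("Condition") else public).append(s.get("Sid", "<no Sid>"))
    return public, review

def block_public_access_gaps(config):
    """Return the PublicAccessBlockConfiguration flags that are not enabled;
    an empty list means Block Public Access is fully on for the bucket."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f for f in flags if not config.get(f, False)]

if __name__ == "__main__":
    print("public / review:", audit_policy(SAMPLE_POLICY))
    print("BPA gaps:", block_public_access_gaps({"BlockPublicAcls": True}))
```

The `config` dict has the same four keys the S3 console and API use for Block Public Access, so a real bucket's settings can be pasted in unchanged.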

Greetings, @socialmedia. Thanks for reaching out.

As far as we know, Amazon warning messages are not related to our plugin. Our AWS plugin does not change the user data or interfere with bucket/account settings or security parameters. Our plugin simply requests the data from the user's account and sends it to the Bubble app.

As my colleague has replied to you in this thread, the connection security (between AWS bucket and user’s Bubble app) depends on the security settings made on the AWS side by the user: AWS changing SSL certificate - Plugins - Zeroqode Forum

I hope you understand how our plugin works :pray:
Take care.

Hello!

You stated "As my colleague has replied to you in this thread" BUT you are the only one that has responded to this thread. I hope you understand? :pray:

The concern with Amazon's warning letter stems from their wording:

“We are writing to notify you that you have configured your S3 bucket(s) to be publicly accessible, and this may be a larger audience than you intended.”

As you can read, they have identified ME directly because of the settings I have in place, which are based upon the instructions Zeroqode requires. This in turn opens the door to think that something has been incorrectly done regarding the implementation of the plugin? Or worse, that there is something wrong with the plugin.

Are you able to understand this? :pray:

You must remember that this letter was written to me directly! It is not a general mass emailing! Therefore, I view such communication with great caution and would appreciate being put at ease, which has failed thus far.

I hope you understand? :pray:

John

@socialmedia,

I’m sorry if my reply formulation was offensive to you or did not help you to worry less.

I now have 2 suggestions:

  1. you can read the plugin documentation carefully and see that there are 2 policy setting types: one for making your bucket accessible to any user (public) and the other for setting additional privacy settings (please see the next link to the plugin documentation and screenshot):
    AWS File Uploader Plugin - Zeroqode Documentation

  2. check the resources provided by Amazon and contact their Support team

We have provided you with all the plugin-related information.
Take care.


You're not understanding me! This question isn't really concerned with your plugin documentation necessarily!

Amazon wrote me a warning notice? They wrote me personally! This was not a general email to everyone! Do you understand? :pray:

Why would Amazon take the time to address me personally if there were no problems with your plugin? Why does Amazon come across as if there is an underlying issue? Why does Amazon suggest that S3 may be being used in a manner not intended?

The way I read Amazon’s notice is that there are issues using your plugin.

@socialmedia,

Please contact the AWS Support team directly to clarify with them why they sent you a personal message.

On our plugin demo page, we have exactly the same security setup that we have in the plugin documentation, and there are no security issues or emails from the AWS support team.

If you have encountered any bugs with the plugin, please provide as many details as possible: plugin setup screenshots, error screenshots (debugger/console), steps to reproduce the issue.
If you have not faced any bugs with our plugin, please contact the AWS support team and clarify with them the reason for troubling you.

Regards,

Oh… if only the REAL WORLD were just that easy!

I did that already! Guess what? They told me to reach out to you guys. Now you want me to go back to them.

This is called going in circles. Or a dog chasing its tail :service_dog:

What next?

The email from Amazon was an automated email that is sent out when you leave your S3 bucket set to public access. It wasn't a specific warning for you. If you want tighter security on your bucket, read the AWS documentation or hire someone with the knowledge to modify your bucket permission policies. As stated in the Zeroqode documentation, they highlight the potential risk of leaving your policies too lenient and your bucket public, but they are not in the business of training us on how to use AWS. They are here to make it easier to implement a simple connection between Bubble and AWS.
