YES3 Scanner: Open-source S3 security scanner for public access, ransomware protection
YES3 Scanner is an open-source tool that scans and analyzes 10+ configuration items for your S3 buckets in AWS. This includes public access via ACLs and bucket policies, including the combinations of account-level and bucket-level settings that determine whether an S3 bucket is effectively public.
“We built this tool after realizing potential users needed a better way to scan their S3 resources for access and ransomware protection. We wanted to have a tool that not only scans for access issues with S3, but also checks for additional layers of security including helping to prevent against ransomware,” Jason Kao, Founder of Fog Security, told Help Net Security.
When evaluating the current landscape of both paid and free tools for assessing S3 security, Kao and his team found significant gaps. “We noticed issues with existing tools and even security and compliance frameworks, including false negatives, false positives, misleading and incomplete results,” he said.
Compounding the challenge, AWS has introduced features such as default encryption, Block Public Access, and the ability to disable ACLs (via Object Ownership) in recent years. While these enhancements offer additional layers of protection, Kao noted they can also complicate efforts to understand an organization's true data security posture in AWS. The controls interact: account-level Block Public Access settings, for example, apply to every bucket in the account, so a bucket's effective exposure cannot be read from its own policy and ACL alone.
That complexity is exactly what the YES3 Scanner aims to tackle. “The uniqueness of YES3 Scanner comes from our understanding of how the different S3 configuration items work with each other,” Kao explained. He added that many tools in the market fall short by offering only a partial picture. “Security requires a comprehensive and complete understanding of all relevant configuration items,” he said. “That’s why we developed YES3.”
YES3 Scanner checks for the following S3 configuration items:
- Bucket Access Control Lists (ACLs)
- Bucket Policy (Resource-Based Policy)
- Bucket Website Settings
- Account Public Access Block
- Bucket Public Access Block
- Disabled ACLs (via Ownership Controls)
- Bucket Encryption Settings
- Object Lock Configuration
- Bucket Versioning Settings
- Bucket Lifecycle Configuration
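The following is an added example of how those configuration items combine into an effective-exposure verdict. It is not YES3 Scanner's code and makes no claim about how YES3 evaluates buckets; it is an illustration written for this page. It takes, for one bucket, dictionaries shaped like the boto3 responses for `get_bucket_acl`, `get_bucket_policy`, `get_public_access_block` (bucket) and `s3control.get_public_access_block` (account), `get_bucket_ownership_controls`, `get_bucket_website`, `get_bucket_versioning`, `get_object_lock_configuration`, `get_bucket_encryption` and `get_bucket_lifecycle_configuration`, with `None` standing for "not configured". The fetching is left out so the example runs offline; the `SAMPLE` bucket is constructed, and the public-policy test is a deliberate simplification (an Allow statement with a wildcard principal and no `Condition`) of AWS's fuller definition of "public".

```python
"""Effective S3 exposure from the configuration items listed above (added example)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_grants_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
        for g in acl.get("Grants", [])
    )


def policy_grants_public(policy_json):
    """Simplified check: an Allow statement with a wildcard principal and no Condition."""
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a policy may carry a single statement object
        stmts = [stmts]
    for st in stmts:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"])):
            return True
    return False


def effective_bpa(account_bpa, bucket_bpa):
    """Each Block Public Access flag is in force if set at either the account or bucket level."""
    return {k: bool(account_bpa.get(k)) or bool(bucket_bpa.get(k)) for k in BPA_KEYS}


def assess(cfg):
    """cfg maps item name -> raw response dict (or None when the API said 'not configured')."""
    findings = []
    bpa = effective_bpa(cfg.get("account_public_access_block") or {},
                        cfg.get("bucket_public_access_block") or {})
    rules = (cfg.get("ownership_controls") or {}).get("Rules", [])
    acls_disabled = any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)

    # ACL path: a public grant is only effective if ACLs are still honoured and not ignored by BPA.
    acl_public = acl_grants_public(cfg.get("acl") or {})
    if acl_public and not acls_disabled and not bpa["IgnorePublicAcls"]:
        findings.append("PUBLIC via ACL (AllUsers/AuthenticatedUsers grant is effective)")
    elif acl_public:
        findings.append("public ACL grant present but neutralised (ACLs disabled or IgnorePublicAcls)")

    # Policy path: RestrictPublicBuckets neutralises an existing public policy;
    # BlockPublicPolicy only prevents a new public policy from being written.
    pol_public = policy_grants_public(cfg.get("policy"))
    if pol_public and not bpa["RestrictPublicBuckets"]:
        findings.append("PUBLIC via bucket policy (wildcard principal, no RestrictPublicBuckets)")
    elif pol_public:
        findings.append("public bucket policy present but neutralised by RestrictPublicBuckets")

    if cfg.get("website") is not None:
        findings.append("static website hosting enabled (bucket is intended to serve content)")

    # Ransomware resilience: can an attacker with write/delete destroy the only copy?
    if (cfg.get("versioning") or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten/deleted objects are unrecoverable")
    if (cfg.get("object_lock") or {}).get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: a privileged attacker can still purge versions")
    if not (cfg.get("encryption") or {}).get("Rules"):
        findings.append("no default encryption configured")
    for r in (cfg.get("lifecycle") or {}).get("Rules", []):
        days = r.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if r.get("Status") == "Enabled" and days is not None and days < 30:
            findings.append(f"lifecycle rule {r.get('ID', '?')} expires noncurrent versions after {days} day(s)")

    return {"effectively_public": any(f.startswith("PUBLIC") for f in findings), "findings": findings}


# Constructed sample (not a real bucket): the account blocks and ignores public ACLs but leaves
# policy-related BPA off; the bucket has no BPA of its own, a public ACL and a public policy.
# The ACL path is neutralised by account-level IgnorePublicAcls; the policy path is effective.
SAMPLE = {
    "account_public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "bucket_public_access_block": None,
    "ownership_controls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]},
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "website": {"IndexDocument": {"Suffix": "index.html"}},
    "versioning": {"Status": "Enabled"},
    "object_lock": None,
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "lifecycle": {"Rules": [{"ID": "purge-old-versions", "Status": "Enabled",
                             "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]},
}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE), indent=2))
```

The point the sample makes is the one the article raises: neither the account settings nor the bucket's own policy and ACL tell the story alone. Turning on all four Block Public Access flags at the bucket level (or `RestrictPublicBuckets` at the account level) flips the same bucket to not effectively public without touching the policy, while the lifecycle rule that expires noncurrent versions after one day quietly undoes most of what versioning buys against ransomware.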
Future plans and download
“Our future plans are to include more analysis on S3 and cloud configuration such as logging to help provide holistic security against access and ransomware in the cloud. We also plan to listen to what users request to see how we can enhance the tool for their use cases. Additionally, we plan on building more detailed layers of protection – including both at the multi-account (organizational) level and at the object/data level in S3,” Kao explained.
YES3 Scanner is available for free on GitHub. Fog Security's blog post has more information.