We gave Amazon’s S3 storage buckets an honorable mention on our biggest data breaches of 2017 list, and in this post, we’ll explain why we did that. What makes these types of breaches so important to point out?
For those who missed it, here’s what happened: AWS users can store their files (known as objects) in what are known as S3 storage buckets. Amazon defaults these S3 buckets to be closed instead of open, but over the course of several months, reports came out of misconfigurations by third parties, government contractors and private businesses that have left a trove of sensitive information, including classified government projects, exposed for anyone with an AWS account to see. No bueno.
Other examples of sensitive data published include job resumes, scraped social media posts, and private consumer information. Security researchers have notified the Pentagon, media giant Viacom, and security firm TigerSwan of data misconfigured on S3 buckets.
Discovering these public S3 buckets used to be best left to the pros (both black and white hat alike), but it’s unfortunately become easier to look up these unsecured files. According to tech publication The Register, code to automate the discovery process has been posted to GitHub, using certificate transparency logs that make the process faster. These particular tools seem to have been posted in an effort to help companies secure their buckets, but they of course can also be used by bad actors to infiltrate a company’s secrets.
Why does this matter?
Aside from the usual implications of data theft (identity theft, fraud, loss of consumer trust, etc.), these leaks raise privacy and civil liberties issues, as well as the concern of how competent our governments and their third-party contractors are when it comes to tracking and securing data of the highest sensitivity. How can we fix this? One answer is that perhaps it shouldn’t be put in the public cloud at all.
Thankfully, Amazon has taken some steps to warn users of public-facing buckets while they are being configured. Security additions, including encryption configuration and extending permissions settings across multiple regions, also will help private data stay private. However, security researcher Chris Vickery, of Upguard, says that people are still the key flaw that can be exploited.
“If you give people the option to create an insecure storage site, then there’s always going to be someone who does it–no matter how secure they can make it if they chose,” he told The Register.
In conclusion, if you use AWS, make sure the buckets that you want kept private really are private. Despite extra security precautions on the configuration panel to confirm public buckets, it’s easy to go into auto pilot and mislabel information. If you’re nervous about potential data exposure, perhaps consider an alternative solution, such as local servers or a dedicated private cloud.