AWS Warns Users To Secure Storage Buckets
In the wake of several high-profile data leaks, Amazon Web Services warned customers Wednesday to re-examine S3 storage drives with policies allowing their contents to be shared with the world.
AWS sent emails to an undisclosed number of customers, pointing out the S3 buckets in their accounts that have no controls barring public access, and advising them to confirm that those object storage drives really should not be secured. The warnings were first reported by TechTarget.
While certain data needs to be publicly accessible, recently discovered exposures that put in jeopardy the privacy of customers of Verizon, Dow Jones and WWE, as well as voters, have shone a massive spotlight on a growing problem.
An AWS spokesperson told CRN: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don’t have bucket access they didn’t intend."
David Klee, founder and chief architect at Heraflux Technologies, an AWS partner based in Scarborough, Maine, told CRN, "We cannot stress enough to our clients that open buckets are the worst possible security mechanism they can possibly leave exposed."
Klee said he hasn't heard from any Heraflux customers that have received email warnings.
Tolga Tarhan, founder and CTO of Sturdy Networks, an AWS partner based in Irvine, Calif., has seen the warning Amazon issued to some customers about accidentally exposing data through misconfigured S3 buckets.
"Customers should work with experienced AWS partners to audit their S3 usage and ensure all best practices," Tarhan said. That includes more than just the access policies referenced in the AWS emails.
An S3 bucket is a container for object storage created in an AWS region, the cloud equivalent of a storage drive. Each bucket has its own Access Control List (ACL), through which its owner grants or restricts access.
One email from AWS posted on Twitter by Uranium238, a security penetration tester, listed for the customer the buckets with public access (the screen shot didn't reveal those URLs), and offered a reminder that by default those ACLs are not configured for "world access"—meaning open to all over the internet.
The AWS email noted that for some use cases it's necessary and perfectly acceptable to not impose any controls, such as public websites or content intended to be downloadable by all who want it.
But, the email continued, recently "there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available."
Dave Thompson, CTO of RightBrain Networks, an AWS-aligned cloud consultancy based in Ann Arbor, Mich., said the warnings come on the heels of a "recent spate of large, high-profile organizations experiencing some embarrassment due to improperly shared data in S3."
Last week, the public learned that Nice Systems, a customer engagement software vendor with a large security practice, exposed personal information from 14 million Verizon customers on an unsecured S3 drive.
Just days ago, it was revealed Dow Jones & Company, parent of The Wall Street Journal, allowed semi-public access to personal and financial data of 2.2 million customers.
It also became known to the public earlier this month that a misconfigured database stored on a publicly accessible cloud server exposed 200 million voter records culled by the Republican National Committee. Another recent incident with a WWE account threatened the confidentiality of 3 million wrestling fans, including their addresses and ethnicities.
All those potential data breaches happened on AWS S3 storage accounts and were discovered by private security researchers. In light of them, "it's natural AWS would put out a public service bulletin on the subject," Thompson told CRN.
There are two ways such data leaks happen, Thompson explained.
Either the ACL is configured improperly for the bucket, allowing more access than the administrator intended; or files with the wrong security scope are accidentally uploaded to a bucket.
Setting up a bucket with the wrong ACL, he said, is "easy to do and easy to miss in a review if you're not careful."
"I suspect we'll continue to see these incidents occur from time to time. I think this is just the new normal. These incidents are largely preventable, but that requires a level of operations controls that many companies haven't yet achieved," RightBrain Networks' Thompson said.
The situation is exacerbated, he said, by the increasing prevalence in the enterprise of Shadow IT—unsanctioned cloud software, like storage drives, that's out of the control of the IT department.
Heraflux's Klee said S3 buckets containing files and folders typically have easy-to-guess domain names. And there's plenty of brute-force scanning software available online to scour the internet for them, he added.
"As soon as these things find an open bucket, your data is now wide open," Klee told CRN.
And once a bucket is exposed and analyzed, related domains can be discovered to find new vulnerabilities through which intruders penetrate even deeper, he said.
Those threats to privacy and security are not the fault of Amazon, Klee said, but of "sloppy" IT administrators. It's not that difficult to avoid such dangerous situations.
Klee said it took him about five seconds to find a script that will search for files in exposed buckets and warn IT administrators.