Security news that informs and inspires

Exposed AWS Resources Leaked Sensitive Data

By

Amazon Web Services (AWS) is a widely-used cloud computing provider for organizations of all sizes, offering convenient, scalable hosting for development, databases and more. Amazon S3 buckets aren't the only data repositories that can leak data because of the organization's configuration errors. Other cloud services on the AWS platform are often found accessible by anyone on the Internet.

S3 Bucket Exposure

Security researchers have discovered that many Amazon S3 buckets (object storage for large amounts of data for websites, apps, data, etc.) are also left open to the internet, sometimes intentionally for ease of access to share information between businesses and contractors, or because the data is intended to be public-facing, like content on a website. And sometimes this exposure is unintentional - AWS users might think that no one will find the data made public.

However, there is sensitive data that has been found. A few examples of this type of data that have been found public include classified drone and battlefield satellite intelligence and administrator credentials to sensitive systems; sensitive personal data of nearly 200 million American voters; a major telecom company’s proprietary technical information - including middleware, production logs, server architecture details, login credentials and more; and terabytes of classified data from the Pentagon that included a contractor's private encryption keys for hashed passwords and software for an intelligence platform.

Data Backup Leakage

Elastic Block Store (EBS) provides highly-available block-level storage volumes that are used with EC2 instances. EBS snapshots are point-in-time backups of EC2s, used for disaster recovery solutions. For example, in the event of a ransomware attack, you might need to quickly access a backup of your organization's data for business continuity purposes.

These snapshots are typically moved or need to be accessed elsewhere, which is where the problem lies, as AWS Security Consultant Scott Piper, working on behalf of Duo, explained.

Some AWS users make these snapshots public so they can easily access them. As a result, Piper found 116,386 publicly available EBS snapshots exposed to the internet, from 3,213 different accounts.

While sometimes there are reasons to make snapshots public, there are many types of sensitive data that can be searched and found in them. According to research from cloud solutions provider NTEH, they were able to find a lot of different types of publicly available data in EBS snapshots using automated searches.

They found a variety of different types of sensitive data, including genome sequences in snapshots owned by top-ranking U.S. universities; TLS/SSL certificates and web server configurations that could allow for potential man-in-the-middle (MiTM) attacks; SSH keys, AWS security credentials and API access keys from a Fortune 100 company and source code of proprietary applications.

NTEH recommends never sharing unencrypted EBS snapshots publicly, even for a short period of time, and limiting the amount of users with shared access.

Additional AWS Resources Exposed

In addition to S3 bucket data and EBS snapshots, there are many other AWS resources that were found publicly available as a result of Piper’s research:

Relational Database Service (RDS) Snapshots

Finding: 373 public Relational Database Service (RDS) snapshots from 227 accounts

Amazon Relational Database Service (RDS) allows you to set up, scale and manage relational databases in the cloud. Examples of Amazon RDS uses include managing automated backups, software patching, automatic failure detection and recovery. RDS creates and saves a storage volume snapshot of your entire database (DB) instance (not just individual databases).

Amazon warns against including private information in any publicly-shared unencrypted RDS (also referred to as database or DB) snapshots. In April 2017, the RedLock security research team found several thousand databases containing sensitive data, including healthcare and personally identifiable information, such as email messages, encrypted passwords, customer and employee records and more.

This data was found publicly available due to a common misconfiguration in RDS and EBS snapshots. RDS snapshots may be shared publicly on accident due to a misconception that sharing unencrypted RDS snapshots only extends to internal users within their organization, when, in fact, the permission allows anyone with AWS credentials to access the RDS snapshot. Another reason is some developers may not take the time to create granular access policies, choosing instead to opt for the ease of making an RDS snapshot public.

Amazon Machine Images (AMIs)

Finding: 711,598 public Amazon Machine Images (AMIs) from 20,952 accounts

An Amazon Machine Image (AMI) is a type of virtual appliance used for deploying services that use EC2. AMIs include configurations for EC2 instances, including a template for the root volume for the instance (like an operating system, application server and applications), permissions that control which AWS accounts are allowed to launch instances, and a block device that maps specific volumes to attach to the instance once launched.

Multiple users may be able to launch instances using the AMI, and users can make their own custom AMI public to allow the wider developer community to use it, known as shared AMIs. This makes AMIs the more commonly, intentionally shared AWS resource.

However, Amazon warns that they can't vouch for the integrity or security of shared AMIs - use at your own risk. It’s also possible to share an AMI with only specific AWS accounts using explicit launch permissions via the AWS console, without making it public.

ElasticSearch Clusters

Finding: 16,000 public IPs of exposed AWS-managed ElasticSearch clusters that could have their contents stolen or data possibly deleted.

“We discovered 95K public IPs associated with AWS-managed ElasticSearch clusters,” wrote Piper. “Many of these are locked down in some way and will return an HTTP code of 403, meaning Forbidden, but by filtering on HTTP 200 codes, we found 16K public IPs of exposed AWS-managed ElasticSearch clusters that could have their contents stolen or possibly data deleted. This means 17% of AWS-managed ElasticSearch servers with public IPs were misconfigured.

ElasticSearch is used to store logs and text documents. Researchers have found tens of thousands of instances publicly exposed, and recently, attackers have taken to encrypting public databases, leaving a ransom note for the owners.

Using identity-based policies instead of IP-based policies can help you avoid the risk of an adversary getting access to systems within your IP range, as recommended by Piper. ElasticSearch partner Itamar Syn-Hershko of code972 also stated, "There is no reason in the world to set ElasticSearch to listen to a public IP or a publicly-accessible DNS name."

Other tips to keep ElasticSearch clusters secured include disable features you don't need, disable dynamic scripting to avoid malicious scripts, don't use default ports and more from code792.