Security news that informs and inspires

Securing Access to Data Stored in Amazon S3 Buckets


While ransomware appears to remain the topic du jour in the media, there’s another problem that isn’t quite as flashy but still irrevocably damaging - misconfigured access to Amazon S3 buckets.

Basically, that refers to massive amounts of customer/and or personal data, often sensitive, left unprotected in virtual cloud storage.

What is Amazon S3?

Amazon Simple Storage Service (S3) is a virtual web storage service offered through Amazon Web Services (AWS) that allows for storing and retrieving of data from any source, including websites, mobile apps, data from interconnected devices and sensors, etc.

It can be used to collect, analyze, visualize and otherwise process very large amounts of data (i.e., exabytes - one quintillion bytes). It can be used for backup and recovery, data archiving, big data analytics, cloud storage, disaster recovery and many other use cases.

More specifically, S3 buckets refer to the logical unit of storage used in AWS - buckets are used to store objects, consisting of data.

Exposing Cloud Data to the Internet

There have been countless examples of misconfigured access to these buckets containing massive amounts of sensitive data, which is significant since S3 buckets are, by default, configured for private access.

Just in the past few months alone, there have been at least half a dozen significant incidents involving the exposure of millions of personal records:

  • Twenty-five terabytes of data stored in a data analytic provider’s AWS cloud account were found unprotected, exposing information on nearly 200 million potential voters
  • A private military contractor and third-party recruiting vendor leaked job applicant information of thousands of U.S. military veterans, as well as Iraquis and Afghanis working alongside the military
  • A major mobile carrier exposed 6 million customer service call records found on a publicly accessible S3 repository, administered by a third-party vendor
  • An entertainment company left three million users’ personal information on an unsecured server, in plain text
  • A worldwide publishing and financial firm exposed 2-4 million customer records on some semi-public S3 buckets
  • A large cable television provider left an unsecured AWS server containing millions of app users’ data exposed without a password

This pattern may indicate a few distinct issues in the network security of companies across all sizes and industries - either the lack of awareness of the real dangers of misconfigured access to data stored in the cloud, or potentially the lack of insight into third-party vendors’ security practices.

Misconfigured Access to Amazon S3 Buckets

In July, a blog post by Detectify identified a few different ways they could break into websites and data due to weak configurations of S3 buckets.

Due to a common misconfiguration of S3’s Access Control Lists (ACLs), attackers can gain access to S3’s list and read files by using the S3 bucket name information and an AWS Command Line tool to talk to Amazon’s API.

Network administrators often grant too much user permission to S3 buckets, allowing anyone with AWS credentials to access sensitive data, according to Threatpost.

How to Properly Secure Access to Data Stored in the Cloud

For Amazon S3 buckets, all resources are private by default. Only the resource owner (the AWS account that creates the resource) can access it.

By setting bucket and object access permissions, a resource owner can specify which users can access buckets and objects, as well as the type of access they can have (i.e., read-only or read and write).

AWS’s documentation provides more information on managing access and setting access permissions to secure Amazon S3:

As noted in a Medium article, How to Secure An Amazon S3 Bucket by Mark Nunnikhoven, VP of Cloud Research at Trend Micro, “there are multiple avenues to grant permissions” and thus “multiple areas to make simple mistakes that might cause a leak…” He recommends never allowing public access to an S3 bucket, and instead providing granular access through IAM roles.

MFA & Policies for Stronger AWS Access Security

To add an extra layer of security to your AWS accounts and protect access to your AWS resources, Amazon recommends using multi-factor authentication (MFA). Learn more about Using Multi-Factor Authentication (MFA) in AWS.

They caution that enabling MFA for root users only affects the root user credentials - other IAM (Identity and Access Management) users are distinct users with their own credentials and therefore their own MFA configurations.

In addition to adding multi-factor authentication, checking the security health of the device accessing your environment is also important. Many known vulnerabilities leverage weaknesses found in older versions of operating systems, browsers, plugins, and other software to compromise the device and gain access to your applications and data. Ensuring both the trust of the user and device is part of a new approach to enterprise architecture to help address risks beyond the traditional network perimeter.