AWS to Users: Secure Your S3 Buckets -- AWSInsider

AWS to Users: Secure Your S3 Buckets

By David Ramel
07/24/2017

Amazon Web Services Inc. (AWS) has taken to warning customers to secure their S3 storage buckets in the wake of several reports of confidential information being exposed on wide-open data stores.

Security firms have repeatedly warned of the dangers of S3 buckets with loose access controls, with at least one -- UpGuard Inc. -- dedicating a team to search out such exposed troves and publicize each finding, explaining what data was accessibile and what attackers could do with it.

Despite having published much security best practices guidance on its site to explain proper configuration, the problem is being publicized so often that AWS is providing more such guidance via e-mail, according to several recent reports.

A Reddit user posted the purported contents of one such e-mail, which reads:

Hello,

We're writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow read access from any user on the Internet. The list of buckets with this configuration is below.

By default, S3 bucket ACLs allow only the account owner to list the bucket or write/delete objects; however, these ACLs can be configured to permit public read access. While there are reasons to configure buckets with public read access, including public websites or publicly downloadable content, recently there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow public read access but were not intended to be publicly available.

We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects visible to users that you don't intend. Bucket ACLs can be reviewed in the AWS Management Console (http://console.aws.amazon.com ), or using the AWS CLI tools. ACLs permitting "All Users" grant public read access to the related content.

For more information on configuring your bucket ACLs, please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

For additional assistance reviewing your bucket ACLs, please visit http://aws.amazon.com/support to create a case with AWS Developer Support.

Your list of buckets configured to allow read access from anyone on the Internet are: [redacted]

Several readers confirmed the content of the AWS e-mails (as did at least one user on Twitter), and one responded with: "They've been presumably sending these out because S3 has been in the news basically every week at the moment regarding people storing databases or database backups containing sensitive data in public buckets with little/no security attached. I think it's a good reminder as this is happening all the time right now but I'm not sure how effective it will be since a lot of smaller orgs I know using AWS still don't have a good grasp of ACLs and bucket policies."

When contacted about the e-mails by CRN, a spokesperson replied: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don't have bucket access they didn't intend."

Here are some recent examples of exposed S3 buckets:

UpGuard last week publicized the finding of a misconfigured S3 bucket that exposed data concerning millions of Dow Jones & Company customers (see "Yet Another Misconfigured Amazon S3 Bucket Exposes Dow Jones Customer Data").
UpGuard earlier this month reported finding exposed account data -- including account PINs -- concerning Verizon customers (see "Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data").
UpGuard in June reported another S3 misconfiguration exposing the data of nearly 200 million voters, left open by a company working for the Republican National Committee (RNC) (see "AWS S3 Misconfiguration Leaks Personal Info of Nearly 200 Million Voters.")
Appthority recently found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (see "Firm Finds Terabytes of Unsecured Data, Personal Info on Cloud Back-Ends").
In May, RedLock Inc. published a research report finding many security issues primarily caused by user misconfigurations on public cloud platforms, with AWS figuring prominently (see "Security Firm: No Encryption on 82 Percent of Public Cloud Databases").
In April, an analysis of AWS cloud usage by Threat Stack Inc. revealed widespread critical AWS security misconfigurations affecting nearly three-quarters of more than 200 surveyed organizations (see "Security Analysis Shows Widespread Critical AWS Misconfigurations").