Are Your S3 Buckets Leaking?
Amazon arguably democratized internet storage with Simple Storage Service (S3). As its name suggests, S3 is simple to use. Amazon even named the storage objects attached to accounts "buckets" — lending to user-friendly imagery.
In making their storage platform easy enough to allow anyone to store their data in the cloud, Amazon made it supremely easy to leave those data open to the public.
Through a few common mistakes, your S3 buckets could be left open to the public, creating a free-for-all for anyone who wants to poke around. This kind of exposure is bad. Very bad. Imagine removing the front door from your house, only to discover later that your silverware is missing and you have strangers living in your basement.
Yeah, the business equivalent could happen to you and your data stored in AWS's cloud.
Luckily, there are a couple of easy fixes you can use to make sure you don't have the next bucket blooper on your hands. There are also default fixes and enhancements that AWS has implemented themselves. With these solutions in your back pocket, your buckets won't be left open — and your cloud services will grow stronger and, importantly, more secure.
Why are all these S3 buckets open?
Unintentional misconfigurations are the main culprit. It's as simple as that. Someone accidentally opened a bucket and no one noticed. (Well, maybe not no one. No one internally, at least.) Amazon has a visual alert that tells an AWS S3 bucket owner that a bucket is open and accessible to the internet. And it sits right next to each of your buckets, clearly displaying whether it's accessible. These are called "Permission Checks."
You might open a bucket to collaborate and someone else noticed. There are legitimate cases where a company might want to leave a bucket open for another team. Less-than-vigilant admins might not bother with user group permissions and open up the entire thing. But now, anyone can access that bucket's data.
You didn't encrypt your data. Luckily, Amazon recently started encrypting bucket contents as a default. Encrypting goes a long way toward creating buckets that come out of the gate with a lower chance of detection. Unauthorized internet trawlers looking to cause mischief with open S3 buckets are left twiddling their thumbs. Amazon wrote a full blog post on all of their security updates detailing the changes.
Consider Robocent, the political automated telephone service, which recently left the door open on an S3 bucket that included the names, date of birth, and telephone numbers of thousands of voters. Even more alarming is that all of this information was indexed into grayhatwarfare soon afterward.
The idea behind this site, and others like it, is to raise awareness about the S3 open bucket issue that plagues some AWS customers. Unfortunately, for those affected companies, increased awareness comes at the cost of exposing their S3 bucket status to the rest of the world.
What can happen to an open S3 bucket?
The first and most obvious problem that an open S3 bucket presents is data leakage. Unscrupulous individuals plunder the files that are accessible, which they can use to mine data with, start phishing scams, and engage in cybercrime. If there is enough information housed in the exposed files, someone can access sensitive financial records and systems.
The level of disaster that your company could endure is on par with the level of targeted confidential information: The sky is the limit.
The Dow Jones breach from last year and the more recent Fedex incident highlighted the fact that even giants in the business world can get S3 implementation wrong. You could easily do the same without realizing it.
Tesla also had an AWS service blunder of their own earlier this year when sneaky crypto miners managed to sneak into their Kubernetes instances. The cunning cybercriminals were able to mask this activity by executing their scripts from behind CloudFlare services, giving them anonymity and ill-gotten cryptocurrency. There are financial implications for using cloud resources, which means Tesla ended up with quite a bill for that lapse in security.
Anyone can slip up and leave a bucket open for viewing, even these big-name organizations. Luckily, there are ways for anyone using AWS S3 to keep an eye on their buckets, open or otherwise.
Wait… Did someone copy my S3 bucket?
AWS has a whole host of tools that help you keep tabs on your buckets — through the logging and monitoring systems that they have in place.
For starters, S3 buckets need to have Server Access Logging features enabled, which gives you a clear picture of all the requests that come through to that resource. CloudTrail is another potential solution. It logs all changes to policies in the S3 instance. If you set up your buckets and somebody makes a change, then you should know all about it.
You can also track and trace all activity from applications that are accessing your S3 resources. Through the implementation of IDS, you can start tracking down application usage requests as well. This process should alert you to any suspicious access and behavior as it occurs.
What more can I do?
There are plenty of things that you can do right away to prevent this kind of exposure from affecting your AWS services.
Remember the phrase "too many cooks spoil the broth?" Well, when S3 was first implemented, it was done before EC2 and IAM existed. As AWS grew in size and sophistication, so did the way you can figure S3 buckets, and some policies override others. This can create confusion for inexperienced AWS users that might not know what they are doing yet.
To tackle the new and improved S3 bucket configuration process, you need what we're going to call a "bucket list." Below you'll find the first steps to take to lock and load your buckets:
- Enable auditing for open buckets
- Ensure that encryption is enabled
- Use SSL and Enable Secure Transport in AWS
- Enable logging
- Track all S3 changes
- Be ready to close buckets
These are all sensible approaches to preserving your S3 bucket security and should be at least considered, if not implemented, to keep your files safe and secure.
The critical take away from all this is that you and your team need to familiarize yourselves with the potential ramifications that can result from using an unsecured S3 bucket.
It's been proven by countless big-name organizations that there's a potential for irreparable damage of both individual and company images — in the blink of an eye.
Remember when it comes to S3 buckets that there is plenty of support and information online. If you aren't sure about your current S3 bucket status, then you need to find out — before it's too late.