Security Experts: Poor Configuration Puts Sensitive Data Stored in Amazon S3 Buckets at Risk

Cloud hosting and storage is increasingly popular, but many organizations are inadvertently exposing sensitive data because of a simple configuration misstep.

Businesses use Amazon Simple Storage Service (S3) to store server backups, documents, and logs, and to serve Web content such as images and PDF documents. Files within S3 are organized into "buckets," and businesses can restrict who has access to the bucket itself or to the individual objects inside. Rapid7 identified 1,951 publicly accessible buckets on Amazon S3, many of which contained data that should not have been public, Will Vandevanter, a researcher at Rapid7, wrote in a blog post.

There were over 126 billion files in the nearly 2,000 public buckets on Amazon S3, Vandevanter said. Researchers reviewed a random sampling of over 40,000 publicly visible files and found many with sensitive data, Vandevanter said.

"Approximately 1 in 6 buckets are left open for the perusal of anyone that's interested," Vandevanter said. If any user can list the contents of the bucket, it is public.

If only certain S3 users can list the bucket's contents, the bucket is private. Attempts to access a private bucket will return an "Access Denied" message. A public bucket will list the first 1,000 objects to any user that asks, Vandevanter said.

In Rapid7's analysis, researchers identified, among other things, personal photos from a medium-sized social media service; sales records and account information for a large car dealership; employee personal information and member lists across various spreadsheets; unprotected database backups containing site data and encrypted passwords; and PHP source code, including configuration files that contain usernames and passwords.

There were a lot of publicly available log files, image files, and over 5 million text documents. A "surprising amount" contained login credentials or was marked as "Confidential" or "Private," Vandevanter said.

Even if the individual files are locked down, a list of files can reveal sensitive information, such as names of customers and how frequently servers are being backed up.
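The public/private distinction described above (a listable bucket returns up to 1,000 object keys to anyone; a private one returns Access Denied) can be checked on a bucket you own by parsing S3's unauthenticated response. This is an added example, not code from the article or from Rapid7; the bucket name, object keys and both XML responses are constructed samples, and the parse also surfaces what a bare listing leaks (file names and backup timestamps) even when every object is locked down.

```python
"""Classify an anonymous S3 bucket-listing response as public or private.
Added example: the XML below is constructed, not captured from a real bucket.
A listable bucket answers GET https://<bucket>.s3.amazonaws.com/ with a
<ListBucketResult> (max 1,000 keys per page); a private one answers with
<Error><Code>AccessDenied</Code>."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace S3 uses for listings

PUBLIC_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-backups</Name><MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <Contents><Key>db/site-2013-03-25.sql.gz</Key><LastModified>2013-03-25T02:00:11.000Z</LastModified><Size>5242880</Size></Contents>
  <Contents><Key>db/site-2013-03-26.sql.gz</Key><LastModified>2013-03-26T02:00:09.000Z</LastModified><Size>5251072</Size></Contents>
</ListBucketResult>"""

PRIVATE_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>EXAMPLE</RequestId><HostId>EXAMPLE</HostId></Error>"""


def _strip_ns(tag):
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def classify_listing(xml_text):
    """Return what an anonymous caller learns from the bucket-root response."""
    root = ET.fromstring(xml_text)
    tag = _strip_ns(root.tag)
    if tag == "Error":
        # AccessDenied: anonymous ListBucket is refused, so the bucket is private.
        return {"public": False, "error": root.findtext("Code"), "keys": []}
    if tag != "ListBucketResult":
        raise ValueError("unexpected S3 response: <%s>" % tag)
    contents = root.findall(S3_NS + "Contents")
    # The listing alone exposes names and timestamps (e.g. nightly backups),
    # even if each object's own ACL denies anonymous reads.
    return {
        "public": True,
        "keys": [c.findtext(S3_NS + "Key") for c in contents],
        "last_modified": [c.findtext(S3_NS + "LastModified") for c in contents],
        "truncated": root.findtext(S3_NS + "IsTruncated") == "true",
        "max_keys": int(root.findtext(S3_NS + "MaxKeys")),
    }


def fetch_listing(bucket):
    """Anonymous GET of the bucket root for a bucket you own (network call)."""
    try:
        with urllib.request.urlopen("https://%s.s3.amazonaws.com/" % bucket, timeout=10) as r:
            return r.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # a 403 carries the <Error> document in its body
```

Run `classify_listing(fetch_listing("your-bucket-name"))` against your own buckets; a result with `"public": True` is the misconfiguration the article describes and should be corrected in the bucket's access controls.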

"The worst case scenario is that a bucket has been marked as 'public,' exposes a list of sensitive files, and no access controls have been placed on those files," Vandevanter said.

The data could be used to stage a network attack, compromise user accounts, or sell on the black market, Vandevanter said.

"A public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket," Vandevanter said.

Amazon S3 customers should check if they own one of the open buckets and consider whether any of the data stored inside can pose a risk to the business. Amazon also has information available to help secure the buckets.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.