Connect with us

Hi, what are you looking for?


Cloud Security

Poor Configuration Puts Sensitive Data Stored in Amazon S3 Buckets at Risk

Cloud hosting and storage is increasingly popular, but many organizations are inadvertently exposing sensitive data because of a simple configuration misstep.

Cloud hosting and storage is increasingly popular, but many organizations are inadvertently exposing sensitive data because of a simple configuration misstep.

Businesses use Amazon Simple Storage Service (S3) to store server backups, documents, and logs, and serve Web content such as images and PDF documents. Files within S3 are organized into “buckets,” and businesses can restrict who has access to the bucket itself, or the individual objects inside. Rapid7 identified 1,1951 such buckets on Amazon S3, many of which contained data which should not have been public, Will Vandevanter, a researcher at Rapid7, wrote in a blog post.

There were over 126 billion files in the nearly 2,000 public buckets on Amazon S3, Vandevanter said. Researchers reviewed a random sampling of over 40,000 publicly visible files and found many with sensitive data, Vandevanter said.

“Approximately 1 in 6 buckets are left open for the perusal of anyone that’s interested,” Vandevanter said. If any user can list the contents of the bucket, it is public.

If only certain S3 users can list the bucket’s contents, the bucket is private. Attempts to access a private bucket will return an “Access Denied” message. A public bucket will list the first 1,000 objects to any user that asks, Vandevanter said.

In Rapid7’s analysis, researchers identified personal photos from a medium-sized social media service; sales records and account information for a large car dealership; employee personal information and member lists across various spreadsheets; unprotected database backups containing site data and encrypted passwords; and PHP source code including configuration files, which contain usernames and passwords, among others.

There were a lot of publicly available log files, image files, and over 5 million text documents. A “surprising amount” contained login credentials or was marked as “Confidential” or “Private,” Vandevanter said.

Advertisement. Scroll to continue reading.

Even if the individual files are locked down, a list of files can reveal sensitive information, such as names of customers and how frequently servers are being backed up.

“The worst case scenario is that a bucket has been marked as ‘public,’ exposes a list of sensitive files, and no access controls have been placed on those files,” Vandevanter said.

The data could be used to stage a network attack, compromise user accounts, or sell on the black market, Vandevanter said.

“A public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket,” Vandevanter said.

Amazon S3 customers should check if they own one of the open buckets and consider whether any of the data stored inside can pose a risk to the business. Amazon also has information available to help secure the buckets.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...