SecurityWeek

Cloud Security

Poor Configuration Puts Sensitive Data Stored in Amazon S3 Buckets at Risk

Cloud hosting and storage are increasingly popular, but many organizations are inadvertently exposing sensitive data because of a simple configuration misstep.

Businesses use Amazon Simple Storage Service (S3) to store server backups, documents, and logs, and to serve Web content such as images and PDF documents. Files within S3 are organized into “buckets,” and businesses can restrict who has access to the bucket itself, or to the individual objects inside. Rapid7 identified 1,951 publicly accessible buckets on Amazon S3, many of which contained data that should not have been public, Will Vandevanter, a researcher at Rapid7, wrote in a blog post.

There were over 126 billion files in the nearly 2,000 public buckets, Vandevanter said. Researchers reviewed a random sample of over 40,000 publicly visible files and found many that contained sensitive data.

“Approximately 1 in 6 buckets are left open for the perusal of anyone that’s interested,” Vandevanter said. If any user can list the contents of the bucket, it is public.

If only certain S3 users can list the bucket’s contents, the bucket is private. Attempts to access a private bucket will return an “Access Denied” message. A public bucket will list the first 1,000 objects to any user that asks, Vandevanter said.
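The public/private test described above is simple to automate: an unauthenticated GET on the bucket root either returns a ListBucketResult (public) or an AccessDenied error (private). The following checker is an added example for this article, not Rapid7's tooling. The sample responses are constructed to mirror S3's XML shapes, the bucket names and key names are placeholders, and the `probe()` function assumes the bucket name is DNS-compatible so that the virtual-hosted `https://<bucket>.s3.amazonaws.com/` form resolves.

```python
"""Classify an S3 bucket as public or private from an unauthenticated
listing request, and flag suspicious key names in a public listing.

Added example, not part of the original article or Rapid7's research.
Sample XML bodies below are constructed; real S3 responses have the same shape.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample: a public bucket answers HTTP 200 with a ListBucketResult.
# MaxKeys is 1000, so a single response shows at most the first 1,000 objects.
PUBLIC_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-public-bucket</Name>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>backups/db-2013-03-20.sql.gz</Key><Size>48120398</Size></Contents>
  <Contents><Key>backups/db-2013-03-27.sql.gz</Key><Size>48233011</Size></Contents>
  <Contents><Key>config/settings.php</Key><Size>2211</Size></Contents>
</ListBucketResult>"""

# Constructed sample: a private bucket answers HTTP 403 AccessDenied.
PRIVATE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

# Constructed sample: an unused bucket name answers HTTP 404 NoSuchBucket.
MISSING_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""


def classify(status, body):
    """Map (HTTP status, response body) to 'public', 'private', 'missing' or 'unknown'.

    Only a 200 carrying a ListBucketResult counts as public: anyone can enumerate
    keys. 403 AccessDenied means listing is restricted, i.e. private.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    tag = root.tag.replace(S3_NS, "")
    if status == 200 and tag == "ListBucketResult":
        return "public"
    if tag == "Error":  # S3 error documents carry no namespace
        code = root.findtext("Code")
        if status == 403 and code == "AccessDenied":
            return "private"
        if status == 404 and code == "NoSuchBucket":
            return "missing"
    return "unknown"


def parse_listing(body):
    """Return (keys, truncated) from a ListBucketResult body.

    IsTruncated=true means more than 1,000 objects exist; a follow-up request
    with a marker would page through the rest.
    """
    root = ET.fromstring(body)
    keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated


def suspicious_keys(keys, markers=("backup", "config", ".sql", ".env", "password", "confidential")):
    """Flag key names hinting at the kinds of files the article found exposed.

    Even with the objects themselves locked down, these names leak information.
    """
    return [k for k in keys if any(m in k.lower() for m in markers)]


def probe(bucket, timeout=10):
    """Live check over the network: unauthenticated GET of the bucket root."""
    url = "https://%s.s3.amazonaws.com/" % bucket  # assumes a DNS-compatible name
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, probe(name))
```

Run it as `python check_bucket.py my-bucket other-bucket` to probe live names you own; `classify()` and `parse_listing()` work on captured responses without any network access. A bucket that classifies as public should be treated as exposed even if every object inside returns Access Denied, because the key list alone is already a disclosure.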

In Rapid7’s analysis, researchers identified personal photos from a medium-sized social media service; sales records and account information for a large car dealership; employee personal information and member lists across various spreadsheets; unprotected database backups containing site data and encrypted passwords; and PHP source code including configuration files, which contain usernames and passwords, among others.

There were a lot of publicly available log files, image files, and over 5 million text documents. A “surprising amount” contained login credentials or was marked as “Confidential” or “Private,” Vandevanter said.

Even if the individual files are locked down, a list of files can reveal sensitive information, such as names of customers and how frequently servers are being backed up.


“The worst case scenario is that a bucket has been marked as ‘public,’ exposes a list of sensitive files, and no access controls have been placed on those files,” Vandevanter said.

The data could be used to stage a network attack, compromise user accounts, or sell on the black market, Vandevanter said.

“A public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket,” Vandevanter said.

Amazon S3 customers should check whether they own any of the open buckets and consider whether the data stored inside could pose a risk to the business. Amazon also publishes guidance on securing buckets.
