In the wake of several high-profile data leaks, Amazon Web Services warned customers to re-examine S3 storage drives with policies allowing their contents to be shared with the world.
AWS sent emails to an undisclosed number of customers, pointing out S3 buckets in their accounts that have no controls barring public access, and advising them to confirm that those object storage drives do not in fact need to be secured. The warnings were first reported by TechTarget.
While certain data needs to be publicly accessible, recently discovered exposures that put in jeopardy the privacy of customers of Verizon, Dow Jones and WWE, as well as voters, have shone a massive spotlight on a growing problem.
An AWS spokesperson told CRN USA: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don’t have bucket access they didn’t intend."
An S3 bucket is just a cloud drive set up in an AWS region for object storage. Each bucket has its own Access Control List (ACL) through which administrators manage who may access it.
One email from AWS posted on Twitter by Uranium238, a security penetration tester, listed for the customer the buckets with public access (the screenshot didn't reveal those URLs), and offered a reminder that by default those ACLs are not configured for "world access"—meaning open to the internet.
The AWS email noted that for some use cases it's necessary and perfectly acceptable to not impose any controls, such as public websites or content intended to be downloadable by all who want it.
But, the email continued, recently "there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available."
Last week, the public learned that Nice Systems, a customer engagement software vendor with a large security practice, exposed personal information from 14 million Verizon customers on an unsecured S3 drive.
Just days ago, it was revealed Dow Jones & Company, parent of The Wall Street Journal, allowed semi-public access to personal and financial data of 2.2 million customers.
It also became known to the public earlier this month that a misconfigured database stored on a publicly accessible cloud server exposed 200 million voter records culled by the Republican National Committee. Another recent incident with a WWE account threatened the confidentiality of 3 million wrestling fans, including their addresses and ethnicities.
All those potential data breaches happened on AWS S3 storage accounts and were discovered by private security researchers. In light of them, "it's natural AWS would put out a public service bulletin on the subject", Dave Thompson, chief technology officer of US-based RightBrain Networks, told CRN USA.
There are two ways such data leaks happen, Thompson explained.
Either the ACL is configured improperly for the bucket, allowing more access than the administrator intended; or files with the wrong security scope are accidentally uploaded to a bucket.
Setting up a bucket with the wrong ACL, he said, is "easy to do and easy to miss in a review if you're not careful".
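The first failure mode Thompson describes, an ACL or bucket policy that grants more access than intended, is exactly what a review should catch. The following is an added example, not code from the article, AWS or RightBrain Networks, of an offline audit that inspects an S3 ACL (in the shape boto3's `get_bucket_acl` returns) and a bucket policy document, and flags grants to the AWS "AllUsers" and "AuthenticatedUsers" groups or policy statements with a wildcard principal. The bucket names and ACL/policy documents are constructed samples; the audit deliberately treats statements carrying a `Condition` as needing human review rather than as public, since such grants are often intentionally scoped.

```python
import json

# Canonical group URIs AWS uses in S3 ACL grants for "everyone on the internet"
# and "any AWS account holder". A READ grant to either makes a bucket world-readable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed samples (not real buckets). Shape mirrors boto3's get_bucket_acl output.
OWNER_ID = "owner-canonical-id-placeholder"
ACL_PRIVATE = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
                "Permission": "FULL_CONTROL"}],
}
ACL_LEAKY = {
    "Owner": {"ID": OWNER_ID},
    "Grants": ACL_PRIVATE["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed bucket policies: one for an intentionally public website, one scoped by a Condition.
POLICY_WEBSITE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-website/*"}]})
POLICY_CONDITIONAL = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::constructed-private/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})


def acl_public_grants(acl):
    """Return (group_uri, permission) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    # Both the bare "*" form and {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return (Sid, [actions]) for unconditional Allow statements open to anyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-wrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped grant (e.g. by source IP): leave for manual review
        actions = stmt.get("Action", [])
        findings.append((stmt.get("Sid", "<no Sid>"), [actions] if isinstance(actions, str) else actions))
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine ACL and policy findings into one report with a world-readable verdict."""
    acl_public = acl_public_grants(acl)
    policy_public = policy_public_statements(policy_json) if policy_json else []
    readable_via_acl = any(perm in ("READ", "FULL_CONTROL") for _, perm in acl_public)
    readable_via_policy = any(a in ("s3:GetObject", "s3:*", "*") for _, acts in policy_public for a in acts)
    return {"bucket": name, "acl_public": acl_public, "policy_public": policy_public,
            "world_readable": readable_via_acl or readable_via_policy}


if __name__ == "__main__":
    for name, acl, policy in [("constructed-leaky", ACL_LEAKY, None),
                              ("constructed-website", ACL_PRIVATE, POLICY_WEBSITE),
                              ("constructed-private", ACL_PRIVATE, POLICY_CONDITIONAL)]:
        print(json.dumps(assess_bucket(name, acl, policy), indent=2))
```

In a real review the ACL and policy would come from the account rather than from constants, and a bucket reported as world-readable is then matched against the list of buckets meant to be public (websites, downloads); anything not on that list is the kind of "easy to miss" misconfiguration Thompson refers to.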
"I suspect we'll continue to see these incidents occur from time to time. I think this is just the new normal. These incidents are largely preventable, but that requires a level of operations controls that many companies haven't yet achieved," RightBrain Networks' Thompson said.
The situation is exacerbated, he said, by the increasing prevalence in the enterprise of shadow IT—unsanctioned cloud software, like storage drives, that's out of the control of the IT department.