
Amazon Battles Leaky S3 Buckets with a New Security Tool

Graham Cluley

December 07, 2019

Anyone who has been following security trends in recent years cannot fail to have noticed the preponderance of data breaches which have stemmed from unsecured Amazon S3 buckets.

Many well-known organisations, including FedEx, Capital One bank, Verizon, and even US defense contractors, have left confidential and sensitive data publicly exposed by not having properly configured the security of their cloud-based storage servers.

In fact, the problem became so bad that some security researchers have even been known to leave "friendly warnings" on exposed servers when they came across them, advising their owners to review their settings.

In late 2017, Amazon Web Services (AWS) announced that it was introducing "bright orange pill" warnings onto server administrators' dashboards warning them if buckets had been configured to be publicly accessible.

That was a positive step, but the continuing revelations of privacy-busting data breaches from unsecured storage servers meant that more still needed to be done.

This week Amazon announced its newest feature - the AWS Identity & Access Management Access Analyzer - that, amongst other things, monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts.

In short, the new feature is supposed to help avoid accidental misconfigurations that could result in sensitive data being exposed, and subsequently damaging a company's brand and even - potentially - putting its customers at risk.

If the Access Analyzer tool discovers that a bucket is misconfigured you can respond to the alert by making a single click to "Block All Public Access," and then use the tool's report to understand the nature of the problem so you can fully address it.

Of course, it's perfectly possible that there is data on your AWS cloud servers which is supposed to be shared on the general internet (webpages, for instance), and these can be marked as intentionally public to avoid repeat warnings.

Aside from Amazon S3 buckets, IAM Access Analyzer can also analyse the permissions granted using policies for your AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.

As ever with security, you would be wise to follow the principle of least privilege, granting only the permissions required to perform a particular task and no more.
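As an added illustration (not AWS's code, and not how Access Analyzer itself is implemented), the following simplified Python check walks a constructed S3 bucket policy and separates statements open to anyone on the internet from statements shared with another AWS account, the two situations the article says the tool alerts on. The bucket name, the owning account id and the partner account id are made up.

```python
import json

# Constructed sample bucket policy (not a real customer's). The first statement
# is the classic leak: anyone on the internet may read every object. The second
# shares one prefix with a single other AWS account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/shared/*"},
]})
OWN_ACCOUNT = "123456789012"  # constructed id of the bucket-owning account

def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": ...} or lists) to strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def classify_statement(stmt, own_account):
    """Return 'public', 'conditional', 'cross-account' or 'internal'."""
    if stmt.get("Effect") != "Allow":
        return "internal"  # Deny statements never widen access
    for p in _principals(stmt.get("Principal", {})):
        if p == "*":
            # A Condition (e.g. aws:SourceVpc) may narrow "*"; this simplified
            # check flags it for review instead of evaluating the condition.
            return "conditional" if "Condition" in stmt else "public"
        # Either a bare account id or the account field (index 4) of an ARN.
        account = p if p.isdigit() else (p.split(":") + [""] * 5)[4]
        if account and account != own_account:
            return "cross-account"
    return "internal"

def find_external_access(policy_json, own_account):
    """List (Sid, kind) for statements that grant access outside the account."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        kind = classify_statement(stmt, own_account)
        if kind != "internal":
            findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings
```

Running `find_external_access(SAMPLE_POLICY, OWN_ACCOUNT)` reports the first statement as public and the second as cross-account; in practice the second kind is where the "mark as intentional" step from the article applies, while the first is what the one-click "Block All Public Access" is meant to stop.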

To enable the feature, administrators should visit their IAM console and enable the AWS Identity and Access Management (IAM) Access Analyzer. It will then appear in the S3 Management Console.

It's clearly a good thing that Amazon has developed an additional tool to help protect companies from leaking data through servers they have configured poorly. But an alert is only half the battle - we still need companies to understand the severity of the issue and tackle it promptly when it is brought to their attention.

Author


Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
