For businesses with data to store, Amazon Web Services can be great. The cloud provider’s S3 storage buckets are relatively inexpensive, can spin up and down quickly, scale easily, and are backed up and secured by Amazon itself, making them easy to manage.
But the ease of management and deployment is a double-edged sword. If the access credentials leak, or the buckets are set to public access, the data becomes accessible to anyone in the world.
This isn't just a theoretical threat. Last year, Accenture accidentally allowed public access to a database containing 40,000 passwords and other client credentials stored in S3 buckets. Other companies that left their buckets open to the public included Dow Jones, Verizon, and military intelligence agency INSCOM. Uber stored personal information on 57 million users on Amazon, hackers got in, and the ride-hailing company ended up paying off the hackers to hide news of the leak.
Cloud security company RedLock recently found 250 organizations leaking credentials to their cloud AWS environments.
In fact, according to a report by RedLock, 53 percent of organizations that use cloud storage services like Amazon S3 have accidentally exposed at least one such service to the public.
Ubiquitous, Easy, Secure
AWS Simple Storage Service, or S3, is viewed as the gold standard for inexpensive, reliable cloud storage, said Greg Arnette, director of data protection platform strategy at Barracuda Networks.
"After over a decade of use there are no known examples of data loss or corruption," he said. "Some half-jokingly refer to S3 as the ninth wonder of the world, since the service has become a ubiquitous storage medium for organizations around the globe."
Companies have the option of setting these buckets for private use only, so that only they themselves or other approved users can see the data. They can also set them to public use, so that anyone can access them. For example, a company can store its product photographs in an AWS bucket, so that they can be easily embedded in any website.
Sometimes, users set buckets to public access, even though they contain private data, thinking that just because nobody knows the exact address of the bucket, they won't access it.
That's a mistake.
"Hackers routinely scan for open AWS S3 buckets looking for data treasure troves to exploit," Arnette said.
Customers often don't realize that just because Amazon takes care of security for its cloud platform, it doesn't mean that all the security problems are solved.
All the security in the world won't stop someone with legitimate credentials from accessing the data. And if the data is set to allow public access, they don't even need credentials.
"Amazon says it is responsible for security of the cloud, and that their customers are responsible for security in the cloud," Ben Johnson, CTO at Obsidian Security, said. "A lot of their customers don’t understand this. Enterprises need to make sure they are maintaining access control lists properly, performing quality assurance on configurations and policies, and auditing who has access to what."
To address this problem, companies can set an AWS Identity Access Manager top-down policy to lock down all buckets by default and make exceptions only when buckets need to be accessible to the public.
If a company has multiple AWS accounts, they should also be using Amazon's AWS Organizations feature to bring them all into one central management console.
Companies should also use AWS Guard Duty to analyze S3 bucket permissions and get alerts whenever a bucket is set to public access.
Finally, there's AWS CloudTrail, an Amazon service for governance, compliance, operational auditing, and risk auditing.
There are also third-party products and services available to help with security reports and alerts, said Barracuda Networks' Arnette.
Fortunately, Amazon has been paying attention to the news reports, and has taken steps to make security easier. Buckets are set to private by default, with bright orange icons that say "Public" for the buckets that are open to all. Plus, if a user decides to change a bucket from private to public, a warning message comes up, saying, "We highly recommend that you never grant any kind of public access to your S3 bucket."
Last fall, Amazon also began letting organizations specify that all their buckets are encrypted by default.
Judging by the latest news reports, companies are still not configuring their buckets correctly. So far this year, FexEx exposed personal information of tends of thousands of users in unsecured buckets, thousands of insurance customers had their data exposed, Honda exposed 50,000 personal data records, and Los Angeles County exposed 3.2 million files containing information from calls from abuse and crisis victims.