
During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers.
In almost all cases, the reason was that companies, through their staff, left Amazon S3 "buckets" configured to allow "public" access. This means that anyone with a link to the S3 server could access, view, or download its content.
The problem is that most companies believe that if they're the only ones knowing the database's URL, they are safe. This is not true. Attackers can obtain these URLs using MitM attacks on corporate networks, accidental employee leaks, or by brute-forcing domains for hidden URLs.
While this sounds complicated, there are open-source tools available on GitHub that simplify the discovery of public S3 buckets, putting a large number of companies at risk.
7% of all S3 buckets have unrestricted public access
According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.
These lapses in security best practices have resulted in some serious breaches, from army contractors to big-time US ISPs.
Below is a (most likely incomplete) list of all the major data leaks caused by companies leaving Amazon S3 buckets configured with public access during the past few months.
⬨ Verizon partner leaks personal records of over 14 million Verizon customers, including names, addresses, account details, and for some victims — account PINs.
⬨ An AWS S3 server leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
⬨ Another AWS S3 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
⬨ Another S3 database left exposed online leaked the personal details of job applicants who held Top Secret government clearance.
⬨ Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
⬨ An auto-tracking company leaked over half a million records containing logins/passwords, emails, VINs (vehicle identification numbers), IMEI numbers of GPS devices, and other data collected about their devices, customers, and auto dealerships.
Companies that want to avoid situations like the above should review the following Amazon documentation pages and make sure they fully understand their server's permissions level:
- Overview of Managing Access
- Introduction to Managing Access Permissions to Your Amazon S3 Resources
- Managing Access Permissions to Your Amazon S3 Resources
In addition, Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, also has a simple guide on how to secure an Amazon S3 bucket.
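As an added example (not code from the article, Amazon, or any of the guides linked above), the script below shows what "reviewing your bucket's permissions level" looks like in practice: it inspects a bucket's ACL for grants to the AllUsers and AuthenticatedUsers groups, which are the "public" grants behind the leaks listed above, and checks the four S3 Block Public Access settings (an account/bucket-level safeguard AWS added after this article was written). The audit functions work on the plain dicts that boto3's get_bucket_acl and get_public_access_block return, so they run offline against the constructed sample data embedded here; audit_live_bucket() wires them to boto3 if it is installed and credentials are configured. The owner ID and bucket contents in the samples are constructed placeholders.

```python
"""Added example: audit an S3 bucket's ACL and Block Public Access settings
for the "public" grants that expose bucket contents to anyone with the URL."""

# Well-known grantee URIs that make an ACL grant public. AllUsers means anyone
# on the Internet; AuthenticatedUsers means anyone with any AWS account, which
# in practice is also everyone.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# The four S3 Block Public Access settings; all should be True.
BLOCK_PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def public_grants(acl):
    """Return (group_name, permission) pairs for every ACL grant that goes to a
    public group. `acl` has the shape of a boto3 get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return findings


def block_public_access_gaps(config):
    """Return the names of Block Public Access settings that are not enabled.
    `config` is the PublicAccessBlockConfiguration dict; None means the bucket
    has no configuration at all, so nothing is blocked."""
    config = config or {}
    return [name for name in BLOCK_PUBLIC_ACCESS_SETTINGS if not config.get(name, False)]


def audit(acl, public_access_block):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_grants(acl)]
    findings += [f"Block Public Access setting {name} is disabled"
                 for name in block_public_access_gaps(public_access_block)]
    return findings


def audit_live_bucket(bucket_name):
    """Run the audit against a real bucket (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline functions need no dependency
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    try:
        pab = s3.get_public_access_block(Bucket=bucket_name)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        # A bucket with no configuration raises NoSuchPublicAccessBlockConfiguration
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return audit(acl, pab)


# Constructed sample: a bucket whose ACL gives everyone READ (list objects) and
# that has no Block Public Access configuration, the misconfiguration behind
# the leaks in the article.
SAMPLE_PUBLIC_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample: the same bucket after the fix. Only the owner is in the
# ACL and all four Block Public Access settings are on.
SAMPLE_PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_LOCKED_DOWN_PAB = {name: True for name in BLOCK_PUBLIC_ACCESS_SETTINGS}

if __name__ == "__main__":
    for label, acl, pab in (("before", SAMPLE_PUBLIC_ACL, None),
                            ("after", SAMPLE_PRIVATE_ACL, SAMPLE_LOCKED_DOWN_PAB)):
        print(f"{label}: {audit(acl, pab) or ['no public access findings']}")
```

Run the script as-is to see the "before" and "after" findings on the constructed samples; call `audit_live_bucket("your-bucket-name")` from an authenticated session to check a real bucket. Note that an ACL is only one of the ways a bucket becomes public: a bucket policy with a wildcard principal has the same effect, which is why the Block Public Access check (BlockPublicPolicy and RestrictPublicBuckets) matters alongside the ACL scan.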

Comments
Occasional - 7 years ago
Thanks CC, especially for the bullet-list.
Focus on AWS or S3 Buckets, and miss the big picture.
The root causes are (fittingly), systemic: A casual attitude toward the responsibilities of data stewardship.
GT500 - 7 years ago
Did anyone else read the title, and say "Only 7%?"
I think the big issue here is that most people assume that if there's no public link to it, that no one will find it. They don't understand that someone can sit there with a port scanner and scan entire IP ranges until they find something.
Amazon's IP's aren't exactly unknown. There are databases that list exactly who owns each IP range, and all you have to do is look it up and start port scanning Amazon's IP ranges to see what's there. The entire process is scriptable as well, so you can just fire up a script and let it run, and if the script manages to get into anything that's not secured then it can be logged for later exploitation.
petermbenjamin - 7 years ago
One major correction:
Public S3 buckets are simply discoverable if you hit a valid URL (e.g. https://my-bucket.s3.amazonaws.com or https://s3.amazonaws.com/my-bucket/)
No need to look up Amazon's IPs or port scan Amazon's servers.
Shashankz - 7 years ago
The headline of this article is incorrect. It should've been '7% of S3 buckets', and not '7% of S3 servers'.
I am sure that you know there is a big difference between the two - configuring and safeguarding buckets is the responsibility of the bucket owner, but securing the servers behind S3 is Amazon's responsibility.
While 7% of buckets being misconfigured is a stupid thing, 7% of servers being vulnerable is a scary one.
Occasional - 7 years ago
Search on "S3 servers" is bringing up a number of other reports on the 7% story - so, few are making the distinction.
Not an AWS user, I could be making false assumptions. I thought S3 servers (in the article) referred to provisioned and owner-configured virtual (data file) servers, hosted on either dedicated or shared physical servers.
Amazon makes sure there are no leaks from physical server to physical server, or between virtual servers in a shared configuration. If that's true, S3 bucket owner negligence can only compromise their own virtual server data - but that's still scary; as "their data" isn't just their concern.
petermbenjamin - 7 years ago
Interestingly, I have also demonstrated how easy it is to find publicly accessible S3 buckets with a small utility I wrote: https://github.com/petermbenjamin/s3-fuzzer
And, I have been tracking public s3 bucket exposures: https://github.com/petermbenjamin/YAS3BL.
So, I'm glad that folks like you are trying to push the narrative that companies/organizations/contractors need to get better at basic security in this public cloud era.
I'd like to also note that there are knowledge-bases, like Cloud Conformity, that detail the steps to check if you have publicly accessible S3 buckets: https://www.cloudconformity.com/conformity-rules/S3/s3-bucket-public-full-control-access.html
maethlin - 7 years ago
I'm not sure the 7% figure is meaningful in any way.
What if those 7% want their buckets to be world-readable? Of course, I really doubt that is the case, but it's hard to determine how big a problem 7% is.
Obviously with all these high profile breaches, the problem is widespread enough to be noteworthy and every company should be aware of the perils of unintended access, but the 7% figure itself isn't terribly meaningful to me.
(Also yes, calling them s3 servers drives me bonkers too lol)