During the past year, there has been a surge in data breach reports involving Amazon S3 servers left accessible online that were exposing private information from all sorts of companies and their customers.
In almost all cases, the reason was that companies, through their staff, left Amazon S3 "buckets" configured to allow "public" access. This means that anyone with a link to the S3 server could access, view, or download its content.
The problem is that most companies believe that if they're the only ones who know the bucket's URL, they are safe. This is not true. Attackers can obtain these URLs through MitM attacks on corporate networks, accidental employee leaks, or by brute-forcing domains for hidden URLs.
While this sounds complicated, there are open-source tools available on GitHub that simplify the discovery of public S3 buckets, putting a large number of companies at risk.
According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.
These lapses in security best practices have resulted in some serious breaches, from army contractors to big-time US ISPs.
Below is a (most likely incomplete) list of all the major data leaks caused by companies leaving Amazon S3 buckets configured with public access during the past few months.
Companies that want to avoid situations like the above should review the following Amazon documentation pages and make sure they fully understand their server's permissions level:
In addition, Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, has a simple guide on how to secure Amazon S3 buckets.
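The "public" access the article describes comes from one of two places: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy that allows actions to a wildcard principal. The following audit helper is an added example, not code from the article or from any of the guides it references; it checks ACL and policy documents shaped like the responses boto3 returns from `get_bucket_acl` and `get_bucket_policy`, using constructed sample documents for three hypothetical buckets so it runs offline with no AWS credentials. The group URIs are the real ones AWS uses in ACL grants; the bucket names and policies are made up.

```python
import json

# Group URIs AWS uses in S3 ACL grants for "Everyone" and "Any authenticated AWS user".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL grants to the public groups.

    `acl` has the shape of a boto3 get_bucket_acl response: {"Owner": ..., "Grants": [...]}.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_wildcard(principal):
    # A policy principal is "*" or {"AWS": "*"} (or a list containing "*") for "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, [actions]) for unconditional Allow statements with a wildcard principal.

    `policy` is the parsed bucket policy document. Statements that carry a Condition
    (e.g. restricted to a VPC endpoint or source IP) are skipped: they are not open to
    the whole internet and need a manual look rather than an automatic finding.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        hits.append((stmt.get("Sid"), actions if isinstance(actions, list) else [actions]))
    return hits


def audit_bucket(name, acl, policy_json):
    """Combine both checks into a list of human-readable findings for one bucket."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    if policy_json:
        for sid, actions in public_policy_statements(json.loads(policy_json)):
            findings.append(f"{name}: policy statement {sid!r} allows {', '.join(actions)} to any principal")
    return findings


# --- constructed sample documents (hypothetical buckets, not real AWS resources) ---
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
CLEAN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER_GRANT]}
LEAKY_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky/*"},
]})
# Wildcard principal but limited to one VPC endpoint: not internet-public, so not flagged.
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vpc/*",
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-placeholder"}}},
]})

SAMPLE_BUCKETS = [
    ("example-clean", CLEAN_ACL, None),
    ("example-leaky", LEAKY_ACL, LEAKY_POLICY),
    ("example-vpc", CLEAN_ACL, VPC_ONLY_POLICY),
]


def audit_all(buckets=SAMPLE_BUCKETS):
    """Run the audit over every (name, acl, policy_json) triple and return all findings."""
    return [f for name, acl, policy in buckets for f in audit_bucket(name, acl, policy)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Against a real account the same two functions would be fed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket from `list_buckets`; the checks themselves do not change. Note that a bucket's account-level or bucket-level Public Access Block settings, when enabled, override both mechanisms, so a "public" ACL on a bucket with Public Access Block on is a configuration smell rather than a live exposure.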