Following a long string of data leaks caused by misconfigured S3 buckets, Amazon has added a visible warning to the AWS Management Console that lets account administrators know when one of their buckets (S3 storage containers) is publicly accessible and may be exposing sensitive data on the Internet.
The warning takes the form of a bright yellow-orange "pill" button that appears in various places across the AWS (Amazon Web Services) console.
Amazon hopes that administrators will notice the warnings and review the access rights of the affected S3 buckets before sensitive data is exposed online.
Previous research carried out by experts from Skyhigh Networks found that 7% of all Amazon S3 buckets are publicly accessible.
Over the past few months, security researchers have found a large number of companies that leaked sensitive data this way, via S3 buckets left exposed online. A (most likely incomplete) list of the most notable incidents is included below.
⬨ Top defense contractor Booz Allen Hamilton leaked 60,000 files, including employee security credentials and passwords to a US government system.
⬨ A Verizon partner leaked personal records of over 14 million Verizon customers, including names, addresses, account details and, for some victims, account PINs.
⬨ An AWS S3 bucket leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
⬨ Another AWS S3 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
⬨ Another S3 bucket left exposed online leaked the personal details of job applicants who held Top Secret government clearance.
⬨ Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
⬨ An auto-tracking company leaked over half a million records with logins/passwords, emails, VINs (vehicle identification numbers), IMEI numbers of GPS devices and other data collected about their devices, customers and auto dealerships.
⬨ An S3 bucket leaked data of thousands of Australian government and bank employees.
Besides S3 buckets left exposed online that allow anyone to view and download their content, there is also the issue of S3 buckets that allow anyone to write new content and replace existing files. Buckets misconfigured this way expose users to so-called GhostWriter attacks, in which an attacker overwrites the files a site serves from the bucket and can thereby intercept traffic, replace ads, serve malware and more.
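The two misconfigurations described above (world-readable and world-writable buckets) are visible in a bucket's ACL grants and in its bucket policy. The following is an added example, not code from the original article or from Amazon: it classifies a bucket as public-read and/or public-write from the ACL and policy documents. The input dictionaries mirror the shape returned by boto3's `get_bucket_acl()` and `get_bucket_policy()` (an assumption about the caller; the samples below are constructed by hand so the check runs offline). The `AllUsers` and `AuthenticatedUsers` group URIs are the real predefined S3 groups; the bucket names and IDs in the samples are fictional.

```python
"""Flag S3 buckets whose ACL or bucket policy grants public read or write.

Added example, not from the original article. Input dicts follow the shapes
boto3 returns from get_bucket_acl() / get_bucket_policy(); the sample ACLs and
policies below are constructed, not captured from real buckets.
"""
import json

# Predefined S3 groups whose grants make an ACL "public". AuthenticatedUsers
# means any AWS account in the world, which AWS itself treats as public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMS = {"READ", "FULL_CONTROL"}           # list/download objects
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # create/overwrite/delete objects or change ACL
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Policy Principal "*" or {"AWS": "*"} means everyone, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def classify_acl(acl):
    """Return (public_read, public_write) for a get_bucket_acl()-style dict."""
    read = write = False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        read = read or perm in READ_PERMS
        write = write or perm in WRITE_PERMS
    return read, write


def classify_policy(policy_json):
    """Return (public_read, public_write) for a bucket policy JSON string."""
    read = write = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned Allow (e.g. aws:SourceIp) is not unconditionally public;
            # leave it for manual review rather than reporting exposure.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        read = read or bool(actions & READ_ACTIONS)
        write = write or bool(actions & WRITE_ACTIONS)
    return read, write


def classify_bucket(acl, policy_json=None):
    """Combine ACL and policy: either mechanism alone is enough to expose the bucket."""
    acl_read, acl_write = classify_acl(acl)
    pol_read, pol_write = classify_policy(policy_json) if policy_json else (False, False)
    return {"public_read": acl_read or pol_read, "public_write": acl_write or pol_write}


# Constructed samples (fictional owner IDs and bucket names).
_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "0123owner"}, "Permission": "FULL_CONTROL"}
_ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PRIVATE_ACL = {"Owner": {"ID": "0123owner"}, "Grants": [_OWNER]}
LEAKY_ACL = {"Owner": {"ID": "0123owner"}, "Grants": [
    _OWNER, {"Grantee": {"Type": "Group", "URI": _ALL_USERS}, "Permission": "READ"}]}
# World-writable bucket: the GhostWriter case, where anyone can replace files.
GHOSTWRITER_ACL = {"Owner": {"ID": "0123owner"}, "Grants": [
    _OWNER, {"Grantee": {"Type": "Group", "URI": _ALL_USERS}, "Permission": "WRITE"}]}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
IP_RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None), ("leaky", LEAKY_ACL, None),
                           ("ghostwriter", GHOSTWRITER_ACL, None),
                           ("policy-read", PRIVATE_ACL, PUBLIC_READ_POLICY)]:
        print(name, classify_bucket(acl, pol))
```

The check deliberately reports a conditioned public statement as not public rather than guessing; in practice such statements still deserve a manual look, since a condition like `aws:SourceIp` may be broader than intended.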
Besides the new warnings for publicly accessible buckets, Amazon also added four other new features, including support for encrypting all S3 data by default.