September 27, 2016

Misconfigured Amazon S3 storage buckets exposing private data

(LiveHacking.Com) – Recent research has shown that thousands of Amazon customers are configuring their storage services incorrectly, leaving potentially sensitive data exposed on the Internet. Amazon offers a cloud storage service called Amazon Simple Storage Service, or S3 for short. It can be used to store almost anything and is often used by businesses both for private data, such as backups, company documents and log files, and for public content, such as web page graphics and PDF files.

Amazon organizes S3 storage in containers called “buckets”, each of which has a predictable URL (http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/) and is marked as either private or public. A public bucket is one where any user can obtain a list of all the files in it. Trying to access a private bucket results in an access denied error, whereas accessing a public bucket lists the files in the container.

A tester at Rapid7 has performed research to ascertain how many S3 buckets are misconfigured. The initial search revealed 12,328 buckets in total, of which 1,951 were publicly accessible; that means roughly 1 in 6 S3 buckets is open. According to the research these buckets contained some 126 billion files! It is unrealistic to test the access rights of so many files, but by testing a sample of 40,000 files Rapid7 gained access to sales records and account information; affiliate tracking data; employee personal information and member lists across various spreadsheets; and video game source code and development tools for a mobile gaming firm!

The findings underline one of the core principles of computer security: a security protection that isn’t configured correctly is the same as no security protection. For those using S3 the message is clear: check the permissions. Amazon have some useful information on protecting data stored in Amazon S3.
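The two points above, the predictable bucket URL forms and the advice to check permissions, can be turned into a concrete audit. The following is an added example, not code from the article or from Rapid7. It takes the JSON documents that the AWS CLI commands `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return for a bucket you own and reports whether an anonymous user could list its contents, which is the "public" condition the article describes. The bucket name, owner ID and the ACL/policy documents below are constructed samples, not real buckets; the grantee group URIs and permission names are the ones S3 actually uses.

```python
"""Offline audit: would anonymous users be able to list this S3 bucket?"""
import json

# Predefined S3 grantee groups that stand for "everyone" in a bucket ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# Bucket ACL permissions that allow listing objects (FULL_CONTROL implies READ).
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}


def bucket_urls(bucket_name):
    """The two predictable URL forms of a bucket, as described in the article."""
    return (f"http://s3.amazonaws.com/{bucket_name}/",
            f"http://{bucket_name}.s3.amazonaws.com/")


def public_acl_grants(acl):
    """Grants in a get-bucket-acl document that let an anonymous group list the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in LISTING_PERMISSIONS:
                group = grantee["URI"].rsplit("/", 1)[-1]  # e.g. "AllUsers"
                findings.append((group, grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Both "*" and {"AWS": "*"} mean any principal, including anonymous ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_allows_listing(action):
    return any(a.lower() in ("*", "s3:*", "s3:listbucket") for a in _as_list(action))


def public_policy_statements(policy):
    """Sids (or positional names) of Allow statements granting s3:ListBucket to everyone.
    Conditions are deliberately not evaluated: a conditional public grant is still
    reported so that a human reviews it (an assumption of this example)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_everyone(stmt.get("Principal")) and \
                _action_allows_listing(stmt.get("Action", [])):
            findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings


def is_publicly_listable(acl, policy=None):
    """True if either the ACL or the bucket policy opens listing to everyone."""
    return bool(public_acl_grants(acl)) or bool(policy and public_policy_statements(policy))


# Constructed sample ACL showing the misconfiguration: READ granted to AllUsers.
OPEN_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

# Constructed sample ACL of a correctly private bucket: only the owner has access.
PRIVATE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}
  ]
}""")

# Constructed sample bucket policy that opens listing via a policy rather than the ACL.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")


if __name__ == "__main__":
    for name, acl, policy in (("example-bucket", OPEN_ACL, None),
                              ("example-bucket-locked", PRIVATE_ACL, None),
                              ("example-bucket-policy", PRIVATE_ACL, OPEN_POLICY)):
        print(name, bucket_urls(name)[1],
              "PUBLIC LISTING" if is_publicly_listable(acl, policy) else "private",
              public_acl_grants(acl), public_policy_statements(policy or {}))
```

To run it against a real bucket you own, save the output of `aws s3api get-bucket-acl --bucket <name>` and `aws s3api get-bucket-policy --bucket <name>` (the latter returns the policy as a JSON string inside a `Policy` field, so parse that string a second time) and pass the resulting dicts to `is_publicly_listable`. A bucket flagged by the ACL check can be reset with `aws s3api put-bucket-acl --bucket <name> --acl private`; a bucket flagged by the policy check needs the offending statement removed or its principal narrowed.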