Here’s One of Amazon’s Biggest Weak Spots

According to Paolo Passeri, Cyber Intelligence Principa at Netskope, Amazon Web Services’ (AWS) S3 ‘buckets’ are one of the most common crime scenes for unsecured data in the cloud. Below Paolo explains for CEO Today why this could be one of the firm’s biggest weaknesses.

A bucket is a storage resource in AWS’s S3 storage service, storing both data files and their respective descriptive metadata. The problem is that too often they are left with misconfigured access permissions, exposing the data to public access.

The data concerned is, as you can imagine, wide ranging. One recent incident made headlines because the software company concerned had exposed sensitive data from multiple marijuana dispensaries around the US, as well as information on customers of the drug.  The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals. The unsecured Amazon S3 bucket was first discovered on Christmas Eve and wasn’t closed until 14th January.

The same researchers that discovered the marijuana leak also unearthed an unsecured AWS bucket owned by an unknown UK company. The data involved included highly sensitive files from several British consulting firms, with detailed information on 1,000s of British professionals. Data included passport scans, tax documentation, job applications with background checks and criminal records, and proofs of address. In this instance, the hackers struggled to identify and contact the owner of the AWS bucket and ended up having to report the leak to AWS directly, as well as to the UK’s Computer Emergency Response Team (CERT-UK), the organisation responsible for monitoring and handling data security in the UK.

A bucket is a storage resource in AWS’s S3 storage service, storing both data files and their respective descriptive metadata. The problem is that too often they are left with misconfigured access permissions, exposing the data to public access.

A much faster response came from a UK advertising production company, which acted very quickly to secure an AWS S3 bucket containing a vast array of production files from its work with high profile customers including Unilever’s Dove brand. Upon being alerted to the issue, the company closed public access to the bucket, however it is thought that the data had been open access since 2018.  This leak included over 1,500 files containing sensitive data including bank details and passport scans of (among others) participants in Dove’s ‘Real Strength’ mens campaign – more exposure than they expected when they signed up to show their armpits to the world.

It is yet to be seen whether any of these discoveries will result in GDPR fines, but from the frequency of these issues you can start to feel sympathy for the information commissioners responsible for adjudicating on each breach.

Unsecured buckets are catching out organisations that really ought to know better. Adult sites and contractors to the justice system are not immune to the error of leaving AWS buckets unsecured, exposing adult imagery, ID, witness and victim statements.

The examples are endless, so what is it that causes this apparently simple issue of organisations leaving files open to the public?

The fourth Cloud Security Alliance Top Threats report (2019) shows that cybersecurity professionals are not blind to the problem. 241 industry experts place data breaches, misconfiguration of cloud infrastructure and a lack of cloud security architecture and strategy as the top three risks in cloud usage. However too many organisations still do not fully understand the “shared responsibility” model and its implications. Shared responsibility establishes where the responsibility of the cloud service provider ends (security “of” the cloud), and where the responsibility of the customer begins (security “in” the cloud). A tiny preposition makes a huge difference!

New research from the Ponemon Institute has revealed that only 32% of organisations believe that protecting data in the cloud is their own responsibility. In many instances, this shared responsibility is further ‘clouded’ by the complexity of the supply chain, as we saw in the examples above. It is often the third party – rather than the data owners – that should have been enforcing all the necessary measures to secure the data “in” the cloud. Too often, there is a chain of implicit trust, misplaced with devastating consequences. These breaches become additional confirmation that the security of the supply chain should be a core element of a security strategy, and the cloud security strategy is no exception here.

Open, publicly viewable S3 buckets are not a flaw of AWS, they are the result of an error by the owner of the bucket.  Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private so user education plays an important role in surmounting cloud security issues. But there are also multiple tools that can automate the policing of cloud use, and help educate users as they go. These tools are generally pretty straightforward and make use of predefined rules to lock down data in the cloud.  The solution on unsecured AWS buckets really is more straightforward than the initial problem appears.

Despite the speed at which organisations are now moving to the cloud, security mindsets and strategies (in a nutshell, the concept of perimeter) are still on-premise. In the past we used to implore people not to leave post-it notes on their monitors that would make a password visible to all their office colleagues. My sixth sense tells me that issue hasn’t gone away, but it now pales in comparison to the exposure of whole data sets left in publicly accessible cloud buckets, unprotected from any passer-by on the internet.