tadamichi - Fotolia
AWS moves to curb S3 data leaks, but Chris Vickery is doubtful
Amazon unveils new settings to help users avoid S3 data leaks, but UpGuard's Chris Vickery, who uncovered most AWS exposures, is doubtful the changes will end the problem.
Amazon is trying once again to offer users new settings in an effort to limit the misconfigurations that led to a spate of AWS S3 data leaks, but the security analyst who discovered many of the leaks is doubtful of the impact the settings will have.
The new AWS settings break down into two options for two different scenarios -- disallowing public S3 bucket access and blocking the creation of public S3 buckets via either access control lists (ACLs) or public policies -- with the ability to batch change settings and secure buckets against accidental S3 data leaks.
Jeff Barr, chief evangelist for AWS, said the new settings, called Amazon S3 Block Public Access, should make "it easier for you to protect your buckets and objects."
"This is a new level of protection that works at the account level and also on individual buckets, including those that you create in the future. You have the ability to block existing public access (whether it was specified by an ACL or a policy) and to ensure that public access is not granted to newly created items," Barr wrote in a blog post. "If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. Our goal is to make clear that public access is to be used for web hosting!"
The problem of AWS exposures came to the forefront in 2017 after Chris Vickery, director of cyber risk research at UpGuard, based in Mountain View, Calif., found publicly accessible S3 buckets from the Department of Defense, Republican National Committee, Verizon, Dow Jones and more.
These changes are the latest effort by Amazon to limit misconfigurations that could lead to S3 data leaks. In November 2017, Amazon made it more obvious which buckets were set to public versus private, made it free to check if any S3 buckets were set to public, and sent emails to owners of public buckets to bring attention to the issue.
Chris Vickerydirector of cyber risk research, UpGuard
But, Vickery said even though these actions led to many public buckets disappearing, "we also saw many more buckets with sensitive information persist, and new ones created since then with sensitive, publicly accessible data."
"Amazon's new security features will likely have the same effect as their previous efforts: They will secure some buckets, but the overall problem will persist at a massive scale. Because as long as it is possible to misconfigure a system, people will do so," Vickery said. "Adding new capabilities that make it easy to configure S3 storage to be private is not the same as removing the possibility of configuring it to be public. As long as S3 buckets can be configured for public access, there will be data exposures through S3 buckets. Addressing this would require fundamental changes to the platform that we have yet to see."