
Misconfigured Amazon S3 buckets expose sensitive data

Amazon has built more security functions for S3 buckets after cybersecurity firms uncovered a worrisome trend of IT administrators failing to properly secure them.

The cloud has simplified accessing compute and storage resources, making life a lot easier for application developers, IT administrators and company employees. However, when end users fail to properly secure the cloud, it can put data at greater risk.

In the past year, cybersecurity firms have reported on a rash of misconfigured Amazon S3 buckets that have left terabytes of corporate and top-secret military data exposed on the internet. The misconfiguration gives anyone with an Amazon account access to the data simply by guessing the name of the Simple Storage Service (S3) bucket.

Storage and cybersecurity experts point to IT administrators and end users as the culprits. Users have the option of protecting each bucket with an access control list (ACL) to keep data private, share it for reading, or share it for reading and writing. Experts claim data was left exposed because the ACLs were configured to allow any user with an Amazon Web Services (AWS) account to access the data, and the Amazon S3 buckets were never reconfigured to restrict access.
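The grant described above has a precise shape in the S3 API: an ACL entry for the predefined group "AuthenticatedUsers", which means every AWS account in the world, not accounts in your own organization. The following added example (written for this article, not UpGuard's or Amazon's code) audits ACLs in the dictionary shape that boto3's `get_bucket_acl` returns and flags grants to that group and to "AllUsers"; the bucket names and ACL responses are constructed samples, and in practice you would feed it real responses from `list_buckets` and `get_bucket_acl`.

```python
# Grantee group URIs that S3 uses for "everyone" and "any AWS account" (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Grants that let the grantee modify data or the ACL itself are worse than READ.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def audit_acl(bucket, acl):
    """Return one finding per grant to a global group; [] means no such grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user or e-mail address are scoped
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri == ALL_USERS:
            who = "anyone on the internet (AllUsers)"
        elif uri == AUTHENTICATED_USERS:
            # The misconfiguration in the article: "authenticated" means any AWS
            # account in the world, not just accounts in your own organization.
            who = "any AWS account holder (AuthenticatedUsers)"
        else:
            continue  # e.g. the LogDelivery group, which is not a public grant
        severity = "CRITICAL" if perm in WRITE_PERMISSIONS else "HIGH"
        findings.append(f"{severity}: bucket {bucket} grants {perm} to {who}")
    return findings

def audit_all(acls):
    """Audit a {bucket_name: acl_response} mapping and return all findings."""
    return [f for name, acl in acls.items() for f in audit_acl(name, acl)]

# Constructed sample responses in the get_bucket_acl shape (not real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_ACLS = {
    "contractor-backups": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]},
    "marketing-site": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]},
    "hr-records": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_ACLS):
        print(line)
```

Note that an ACL with no group grant at all (the `hr-records` case, where only the owner and the S3 log-delivery group appear) produces no finding, which is the state a freshly created bucket is in.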

"Maybe that is too much power for the end users," said Chris Vickery, director of cyber-risk research at cybersecurity firm UpGuard, based in Mountain View, Calif. "You really can't put the blame on Amazon. The buckets are secured by default. It's madness by the end user."

In November, UpGuard reported two incidents of sensitive data left exposed in Amazon S3 buckets belonging to the United States Army Intelligence and Security Command (INSCOM), as well as the U.S. Central Command (CENTCOM) and Pacific Command.

Nearly 100 GB of critical data belonging to INSCOM was found in unsecured cloud storage repositories, including information labeled "top secret" and "NOFORN," which means no foreign nationals should be able to view the data. The largest unsecured file found was an Oracle Virtual Appliance that contained a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. UpGuard found top-secret data was tied to the defunct defense contractor Invertix.

"Also exposed within [the S3 storage] are private keys used for accessing distributed intelligence systems belonging to Invertix," according to an UpGuard report. "Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser.

"Although the UpGuard cyber-risk team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time classified information has been among the exposed data," the report stated.

The CENTCOM data exposure involved a Pentagon contractor who did intelligence work and left an archive of 1.8 million publicly accessible social media posts exposed in Amazon S3 buckets. The military characterized that data breach as "benign," because the data had been scraped from public sources around the world to identify persons of interest.

These incidents are part of a series in which high-profile companies left data in Amazon S3 buckets exposed because the ACLs were configured to allow any user with an Amazon account to gain access to the data. The companies caught up in the problem include telco giant Verizon, U.S. government contractor Booz Allen Hamilton, consulting firm Accenture, World Wrestling Entertainment and Dow Jones.

Storage and cybersecurity experts agree this is not Amazon's fault. AWS S3 buckets are private by default when the storage instances are created, and the user controls what level of access to assign each bucket.

"Have we given too much power to the end user? Yeah, but we also gave them keyboards," said George Crump, founder of Storage Switzerland. "People have to learn. I guess it's like the seat belt law. Enough people have to go through a windshield before they do something about it. Organizations have to monitor cloud assets the same way they monitor their data center assets."


"There are more than a few tools out there that monitor open buckets," Crump added. "I hate to have Amazon blameless in this, but they are. It would be like blaming the car manufacturer because people are not using their seat belts."

Earlier this month, Amazon added new S3 encryption and security features to help address the data breaches. These include default encryption, which requires that every object in a bucket be stored in encrypted form.

Amazon also added permission checks that display a prominent indicator next to each Amazon S3 bucket that is publicly accessible. Cross-region replication now supports objects encrypted with Key Management Service keys, and a detailed inventory report includes the encryption status of each object.

David Monahan, managing director for security and risk management at Enterprise Management Associates in Boulder, Colo., said consumers who are using cloud services need to ask more questions about where their data is being stored and get more details on how it is being protected.

"This is a data-owner issue," he said. "Some owners are relying on the names of the bucket being private. That is insufficient. Others are creating permissions and then not following the rule of least privilege and making the data too open. To them, I say, 'Stop being lazy.' Others may not understand how the system access controls work. They have to learn before putting real data out there."
