Insecure AWS S3 buckets - an ongoing target 23 Jul 2018

Recently, AusCERT has seen an increase in the number of attacks on unsecured cloud infrastructure. One of the most frequently targeted cloud hosting methods is Amazon's Scalable Storage Solution, commonly referred to as AWS S3.
S3 is used to store static assets for public websites, such as images and javascript, and is also used as a destination for backup solutions, due to its low storage costs. S3 buckets can be accessed via HTTP/HTTPS, as well as an API that is available to other AWS infrastructure. 
However, critically, many buckets have been configured to expose all of their files, as well as a listing of the files in the bucket - a modern equivalent to the open directory listing issue that many misconfigured webservers have suffered from in the past.
Perhaps due to an overload of new practices required when switching to AWS infrastructure, or due to unfamiliarity with the platform, many S3 buckets have been left exposed when they contain sensitive or secret data, such as backups, copies of databases, or private documents. Many of these S3 buckets have been discovered by third parties, which has resulted in some high-profile data breaches. This website maintains a listing of data breaches that were caused by insecure S3 buckets.
Although this issue has been known for a long time, in the last 12 months more tools to enumerate, discover, and even provide public search listings of S3 buckets have become available. This recent trend has prompted AusCERT to begin scanning AWS for S3 buckets that have easily guessable names relating to our members' organisations.
Amazon themselves have noted this issue and have taken measures to assist users and prevent further compromises on their platform. Last year, after a large breach that affected millions of Dow Jones customers, Amazon sent an email to the account administrator of every AWS account that had publicly accessible S3 buckets.
In Amazon's own words, "While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available. We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend."
The official AWS blog contains useful information about securing S3 buckets while still allowing access in a controlled manner. See this article, published in March 2018, for more details.
AusCERT recommends reviewing all of your AWS infrastructure to ensure access controls are appropriate for your uses.
Anthony Vaccaro, Senior Information Security Analyst at AusCERT

« Back to all blog entries