Users on Twitter claim to have received emails from Amazon with warnings for those with AWS S3 bucket policies set to be accessible publicly.
Recent research from cybersecurity firm UpGuard has uncovered misconfigured AWS S3 bucket policies for organizations including Dow Jones, the Republican National Committee, the WWE, and contractors for the Department of Defense and Verizon. The user errors left cloud data exposed to potential leakage, and now it appears as though Amazon has begun warning users whose S3 buckets are set to public.
Amazon warned users with publicly accessible S3 buckets and suggested a review of the AWS S3 bucket policies, as well as the contents of the bucket, in order to avoid the exposure of sensitive data, according to a copy of the email shared with SearchSecurity by Uranium328, a penetration tester and freelance security researcher for HackerOne.
"By default, S3 bucket ACLs [access control lists] allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available," Amazon wrote in the email. "We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend."
The email also pointed users to AWS support documents and noted that users should be careful with ACL grants to either the All Users or the Any Authenticated AWS User group (the latter covers every AWS account holder, not just the bucket owner's own users), as these "are effectively granting world access to the related content," according to Amazon.
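The review Amazon's email asks for can be scripted. The following is an added example (not code from the article or from Amazon): it flags any ACL grant to the predefined AllUsers or AuthenticatedUsers groups, and any bucket policy statement that allows access to Principal "*". The sample buckets, owner ID and policy are constructed for illustration; only the `audit_account` helper at the end touches a real account, and it assumes boto3 and valid credentials.

```python
"""Audit S3 bucket ACLs and bucket policies for world access.

Added example, not from the article or Amazon's email. The sample data
below is constructed; audit_account() is the only part that needs AWS.
"""
import json

# Predefined S3 ACL grantee groups. Both are "world": AuthenticatedUsers
# means any AWS account, not only users in the bucket owner's account.
WORLD_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def world_acl_grants(acl):
    """Return [(group, permission), ...] for each ACL grant to a world group.

    `acl` has the shape boto3 returns from get_bucket_acl / get_object_acl.
    """
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GRANTEES:
            hits.append((WORLD_GRANTEES[grantee["URI"]], grant.get("Permission")))
    return hits


def _is_wildcard_principal(principal):
    # Principal may be the string "*" or a dict like {"AWS": "*"} / {"AWS": ["*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, kind) for each Allow statement open to any principal.

    `policy` is the parsed policy document. Statements with a Condition block
    are still reported but marked "conditional": a condition such as
    aws:SourceVpce can narrow "*" and needs a human look.
    """
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        findings.append((sid, "conditional" if stmt.get("Condition") else "unconditional"))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{name}: ACL grants {perm} to {grp}" for grp, perm in world_acl_grants(acl)]
    if policy_json:
        for sid, kind in public_policy_statements(json.loads(policy_json)):
            findings.append(f"{name}: policy {sid} allows Principal * ({kind})")
    return findings


# Constructed samples (hypothetical owner and bucket names).
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef"}
OWNER_ONLY = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}
AUTH_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "READ"}
SAMPLES = {
    # Default ACL: only the owner, exactly what Amazon's email describes as the default.
    "private-logs": {"acl": {"Owner": OWNER, "Grants": [OWNER_ONLY]}, "policy": None},
    # Inadvertent world read through the "Any Authenticated AWS User" group.
    "contractor-share": {"acl": {"Owner": OWNER, "Grants": [OWNER_ONLY, AUTH_READ]}, "policy": None},
    # Intentional public website: private ACL, but a policy opening s3:GetObject to everyone.
    "www-assets": {"acl": {"Owner": OWNER, "Grants": [OWNER_ONLY]},
                   "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                       {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-assets/*"}]})},
}


def audit_samples():
    return {name: audit_bucket(name, b["acl"], b["policy"]) for name, b in SAMPLES.items()}


def audit_account():
    """Run the same checks on every bucket of the calling account (needs boto3 + credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    results = {}
    for b in s3.list_buckets()["Buckets"]:
        acl = s3.get_bucket_acl(Bucket=b["Name"])
        try:
            policy = s3.get_bucket_policy(Bucket=b["Name"])["Policy"]
        except ClientError as e:  # most buckets have no policy at all
            if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        results[b["Name"]] = audit_bucket(b["Name"], acl, policy)
    return results


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["no world access found"])
```

The ACL and the bucket policy are evaluated independently, so a bucket with a private ACL can still be public through its policy (the `www-assets` sample), which is why both are checked. Object ACLs can differ from the bucket ACL, so a thorough review also runs `world_acl_grants` over `get_object_acl` results for the objects that matter; the later account-level S3 Block Public Access setting overrides both kinds of grant and is the simplest fix for buckets that never need to be public.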
Scott Petry, CEO and co-founder of secure web browsing vendor Authentic8, said it is a great sign that Amazon sent messages.
"Amazon can't prevent customers from hurting themselves, but they certainly can make customers more aware," Petry said. "These recent leaks were eminently preventable, and it's good to see Amazon notifying customers. I imagine we will see [user interface] refinements over time, as well."
Brian Vecci, technical evangelist at threat protection vendor Varonis, said Amazon faced a "tremendous challenge" in determining why public AWS S3 bucket policies might be set.
"Amazon is right to do a PSA of sorts, but the onus remains on users of their system to routinely evaluate their access control choices," Vecci said. "A best practice is to implement scheduled entitlement reviews whereby a data owner -- with the aid of software -- reviews and recertifies access. There are also tools that can use machine learning to bubble up folders or buckets that seem misconfigured."
John Bambenek, threat research manager at Fidelis Cybersecurity, said these emails should mean that "no one really has any excuse to not fix" risky AWS S3 bucket policies.
"I think it's an excellent move by Amazon to get ahead of the problem of insecure S3 buckets," Bambenek said. "The interface, until recently, hasn't been great to figure out what permissions are, and most people operate with a set-and-forget mindset on permissions."
Amazon did not respond to a request for comment at the time of this post.