
Users with public AWS S3 bucket policies receive warning

Following a number of data leaks related to improper AWS S3 bucket policies, Amazon has begun sending warning emails to users with public permissions.

Users on Twitter report receiving emails from Amazon warning them that their AWS S3 bucket policies are set to allow public access.

Recent research from cybersecurity firm UpGuard has uncovered misconfigured AWS S3 bucket policies at organizations including Dow Jones, the Republican National Committee, the WWE, and contractors for the Department of Defense and Verizon. These configuration errors left cloud data exposed, and Amazon now appears to have begun warning users whose buckets are set to public access.

Amazon warned users with publicly accessible S3 buckets and suggested a review of the AWS S3 bucket policies, as well as the contents of the bucket, in order to avoid the exposure of sensitive data, according to a copy of the email shared with SearchSecurity by Uranium328, a penetration tester and freelance security researcher for HackerOne.

"By default, S3 bucket ACLs [access control lists] allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available," Amazon wrote in the email. "We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend."

The email also pointed users to AWS support documents and noted that users should be careful when using AWS S3 bucket policies set to either All Users or Any Authenticated AWS User, as these "are effectively granting world access to the related content," according to Amazon.
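The review Amazon recommends can be automated. The following is an added example, not code from the article or from AWS: it flags ACL grants to the two world groups the email names (All Users and Any Authenticated AWS User) and bucket-policy statements that allow access to the wildcard principal. The input dictionaries are constructed here in the shape boto3's `get_bucket_acl` and `get_bucket_policy` return, so the check runs offline.

```python
import json

# Group URIs S3 uses for the "All Users" and "Any Authenticated AWS User" grantees.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "All Users", AUTH_USERS: "Any Authenticated AWS User"}


def public_acl_grants(acl):
    """Return (group label, permission) for each ACL grant to a world group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each Allow statement whose Principal is "*".
    A Condition block may narrow such a statement; it is still reported for review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard:
            findings.append(st.get("Sid", str(i)))
    return findings


# Constructed sample data (not real buckets) in boto3 response shape.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})

if __name__ == "__main__":
    print("ACL:", public_acl_grants(SAMPLE_ACL), "Policy:", public_policy_statements(SAMPLE_POLICY))
```

Against a live account, feed each bucket's `get_bucket_acl` response and the `Policy` string from `get_bucket_policy` to these two functions.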

Scott Petry, CEO and co-founder of secure web browsing vendor Authentic8, said it is a great sign that Amazon sent the messages.

"Amazon can't prevent customers from hurting themselves, but they certainly can make customers more aware," Petry said. "These recent leaks were eminently preventable, and it's good to see Amazon notifying customers. I imagine we will see [user interface] refinements over time, as well."

Brian Vecci, technical evangelist at threat protection vendor Varonis, said Amazon faced a "tremendous challenge" in determining why public AWS S3 bucket policies might be set.

"Amazon is right to do a PSA of sorts, but the onus remains on users of their system to routinely evaluate their access control choices," Vecci said. "A best practice is to implement scheduled entitlement reviews whereby a data owner -- with the aid of software -- reviews and recertifies access. There are also tools that can use machine learning to bubble up folders or buckets that seem misconfigured."

John Bambenek, threat research manager at Fidelis Cybersecurity, said these emails should mean that "no one really has any excuse to not fix" risky AWS S3 bucket policies.

"I think it's an excellent move by Amazon to get ahead of the problem of insecure S3 buckets," Bambenek said. "The interface, until recently, hasn't been great to figure out what permissions are, and most people operate with a set-and-forget mindset on permissions." 

Amazon did not respond to a request for comment at the time of this post.


How often do you review your S3 bucket policies?
Amazon should take ownership of the security for the data stored in its datacenter. Why? The success of Amazon Cloud depends upon customer success. Even though Amazon transfers the security policies and ownership to the client, that is not the right thing to do. Customers trust Amazon when it says that customer data in Amazon is secure. Then it becomes Amazon's responsibility to provide data protection for customers. Without that, not many customers will be willing to experiment with Amazon Cloud.
The company behind the platform can't be expected to police clients of the platform to protect them from sloppy architecture/design. Permission configuration is described well enough in the documentation. A cloud engineer, or a team of cloud engineers, with poor understanding and bad review policies have little recourse to complain about issues resulting from their designs. 

Here we find the difference between a secure platform/infrastructure and an insecure design implemented on the S3 service.