
Users with public AWS S3 bucket policies receive warning

Following a number of data leaks related to improper AWS S3 bucket policies, Amazon has begun sending warning emails to users with public permissions.

Users on Twitter report receiving emails from Amazon warning those whose AWS S3 bucket policies leave buckets publicly accessible.

Recent research from cybersecurity firm UpGuard has uncovered misconfigured AWS S3 bucket policies at organizations including Dow Jones, the Republican National Committee, the WWE, and contractors for the Department of Defense and Verizon. These user errors left cloud data exposed to potential leakage, and Amazon now appears to have begun warning users whose S3 access settings are public.

Amazon warned users with publicly accessible S3 buckets and suggested a review of the AWS S3 bucket policies, as well as the contents of the bucket, in order to avoid the exposure of sensitive data, according to a copy of the email shared with SearchSecurity by Uranium328, a penetration tester and freelance security researcher for HackerOne.

"By default, S3 bucket ACLs [access control lists] allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available," Amazon wrote in the email. "We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend."

The email also pointed users to AWS support documents and noted that users should be careful when using AWS S3 bucket policies set to either All Users or Any Authenticated AWS User, as these "are effectively granting world access to the related content," according to Amazon.
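The two grantee groups the email singles out, All Users and Any Authenticated AWS User, appear in S3 ACLs as fixed group URIs, and a bucket policy can grant the same world access with a wildcard principal. The audit below is an added example, not code from the article or from AWS: it walks an ACL and a bucket policy in the dictionary shape that the AWS SDK returns (assumed here, with the sample ACLs and policies constructed inline so it runs offline) and flags grants to either global group or to any principal, which is the check Amazon asked bucket owners to perform.

```python
"""Flag S3 buckets whose ACL or bucket policy grants world access.

Added example. Inputs mirror the dict shape of the AWS SDK's
get_bucket_acl / get_bucket_policy results (an assumption); all
sample data below is constructed, not taken from a real account.
"""
import json

# Predefined AWS group URIs used in ACL grants. These are the ACL form of the
# "All Users" and "Any Authenticated AWS User" grantees named in Amazon's email.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {ALL_USERS: "All Users", AUTHENTICATED_USERS: "Any Authenticated AWS User"}


def acl_world_grants(acl):
    """Return (group label, permission) for every ACL grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in WORLD_GROUPS:
            findings.append((WORLD_GROUPS[uri], grant.get("Permission")))
    return findings


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_world_statements(policy):
    """Return Allow statements whose principal is anyone; note if a Condition limits them."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,  # a Condition still deserves review
        })
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Combine ACL and policy findings into one report for a bucket."""
    acl_hits = acl_world_grants(acl)
    policy_hits = policy_world_statements(json.loads(policy_json)) if policy_json else []
    # An unconditioned wildcard statement or any global-group ACL grant is world access.
    world_open = bool(acl_hits) or any(not h["conditioned"] for h in policy_hits)
    return {"bucket": name, "acl": acl_hits, "policy": policy_hits, "world_open": world_open}


# Constructed sample inputs (placeholder IDs, not real buckets or accounts).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
CLEAN_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky/*"}]})
CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vpc/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})

if __name__ == "__main__":
    for report in (audit_bucket("example-leaky", LEAKY_ACL, LEAKY_POLICY),
                   audit_bucket("example-vpc", CLEAN_ACL, CONDITIONED_POLICY),
                   audit_bucket("example-clean", CLEAN_ACL)):
        print(json.dumps(report, indent=2))
```

Running the audit on a real account means feeding each bucket's ACL and policy into `audit_bucket`; a bucket reported as `world_open` needs the same review of contents the email asks for, and a conditioned wildcard statement is listed separately so the reviewer can decide whether the condition really limits it as intended.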

Scott Petry, CEO and co-founder of secure web browsing vendor Authentic8, said it is a great sign that Amazon sent messages.

"Amazon can't prevent customers from hurting themselves, but they certainly can make customers more aware," Petry said. "These recent leaks were eminently preventable, and it's good to see Amazon notifying customers. I imagine we will see [user interface] refinements over time, as well."

Brian Vecci, technical evangelist at threat protection vendor Varonis, said Amazon faced a "tremendous challenge" in determining why public AWS S3 bucket policies might be set.

"Amazon is right to do a PSA of sorts, but the onus remains on users of their system to routinely evaluate their access control choices," Vecci said. "A best practice is to implement scheduled entitlement reviews whereby a data owner -- with the aid of software -- reviews and recertifies access. There are also tools that can use machine learning to bubble up folders or buckets that seem misconfigured."

John Bambenek, threat research manager at Fidelis Cybersecurity, said these emails should mean that "no one really has any excuse to not fix" risky AWS S3 bucket policies.

"I think it's an excellent move by Amazon to get ahead of the problem of insecure S3 buckets," Bambenek said. "The interface, until recently, hasn't been great to figure out what permissions are, and most people operate with a set-and-forget mindset on permissions."

Amazon did not respond to a request for comment at the time of this post.
