
Amazon S3 security: Exploiting misconfigurations

A tool uses standard wordlists to expose vulnerabilities in Amazon S3 implementations.

Cloud services are starting to attract more attention from both security professionals and criminal organizations as more proprietary data moves in this direction. The configuration of these cloud-based services can be just as complex as internal systems and could inadvertently expose private information to everyone on the Internet. Tools are being developed to exploit misconfigured cloud services, just as they were developed to exploit Windows XP and Oracle systems in the past. Companies moving resources to a cloud-based infrastructure should become familiar with these tools and use them to verify their configurations are sound.

In this tip, we’ll examine how one tool can be used to exploit Amazon S3 misconfigurations and what companies should do to ensure Amazon S3 security and avoid inadvertent data exposure.

Amazon Simple Storage Service (S3) is probably one of the most popular cloud services in use today; it’s used by major websites, corporations, governments and even private individuals. Amazon S3 is popular because it’s easy to link into existing applications, as all storage is presented through standard Web (HTTP) calls. A website could easily reference the Amazon S3 storage to pull over images or code to save on bandwidth and storage costs, for example. Each Amazon S3 instance is referred to as a bucket. There is a configuration option of marking each bucket as either public or private depending on usage. Each Amazon S3 customer is also required to have an account name that is unique across all of the S3 buckets around the world. This allows customers to easily access their specific bucket with a custom URL, such as

A security researcher, DijiNinja, had an epiphany when considering how Amazon S3 storage functioned: If each URL was customized with a unique account name, it would be possible to use existing brute force techniques to enumerate the Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this theory using standard wordlists and running them against the Amazon S3 API. The tool can also test whether the Amazon S3 storage bucket has been properly configured for public or private access.

Running this tool with a simple wordlist produces enlightening results that demonstrate both an Amazon S3 oversight and the importance of proper customer configuration. The tool runs through the wordlist by testing access to bucket URLs in succession in this format: Using a wordlist of only 2,700 words, a scan revealed the existence of roughly 15,000 files contained in Amazon buckets, both public and private.

Most surprising, even files that exist in buckets marked as private are still listed by name, even though they cannot be accessed. Customers may not realize that the names of the files contained in these private buckets are available to anyone with a Web browser and the proper URL to their bucket. Anyone using this service should, at a minimum, consider a generic naming convention to obfuscate the contents of the bucket from public access.

Our test produced another surprising result: a large number of publicly accessible buckets. Customers may not have configured the storage properly for public/private access and inadvertently exposed private data to the Internet. There were a large number of pictures stored in the Amazon S3 storage buckets, and many are personal in nature, i.e., pictures of children, vacations and special events. However, there were also customer invoices and sensitive documents containing Social Security numbers and other private data that probably was not meant to be shared. Amazon S3 customers should create controls to maintain and monitor the permissions set on storage buckets to avoid the risk of an inadvertent breach of confidential data.
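The two findings above, names of private files being listable and whole buckets being readable, come from two different settings on a bucket: its access control list (ACL) and its bucket policy. As an added example that is not part of this article and not the researcher's tool, the following Python auditor reads those two settings and reports whether the bucket lets everyone list object names, download objects, or both. The ACL grantee URIs and the bucket-policy JSON shape are the real AWS formats; the sample ACL grants and policies are constructed for illustration, and in a real audit they would be fetched per bucket with the GetBucketAcl and GetBucketPolicy API calls.

```python
import json

# AWS-defined grantee URIs for the two anonymous/"everyone" groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Policy actions that expose object names (listing) or object contents (download).
LIST_ACTIONS = {"s3:ListBucket", "s3:*"}
READ_ACTIONS = {"s3:GetObject", "s3:*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True if a statement's Principal matches every caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_acl(grants):
    """Exposures implied by a bucket ACL's Grants list (the GetBucketAcl shape).

    A bucket-level READ grant to AllUsers lets anyone list object names but does
    not by itself make the objects downloadable (each object carries its own
    ACL), which is exactly the 'private bucket, visible file names' situation.
    """
    findings = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") not in (ALL_USERS, AUTHENTICATED_USERS):
            continue
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            findings.add("listing-public")
        if perm in ("WRITE", "FULL_CONTROL"):
            findings.add("write-public")
        if perm in ("READ_ACP", "WRITE_ACP", "FULL_CONTROL"):
            findings.add("acl-public")
    return findings


def audit_policy(policy_json):
    """Exposures implied by a bucket policy document given as a JSON string."""
    findings = set()
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (source IP, VPC, etc.) narrows the grant; report it
            # separately so a reviewer checks the condition rather than the action.
            findings.add("conditional-public")
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & LIST_ACTIONS:
            findings.add("listing-public")
        if actions & READ_ACTIONS:
            findings.add("objects-public")
    return findings


def audit_bucket(acl_grants, policy_json=None):
    """Combine ACL and policy findings into one sorted list for reporting."""
    findings = set(audit_acl(acl_grants))
    if policy_json:
        findings |= audit_policy(policy_json)
    return sorted(findings)


# Constructed sample inputs (no real bucket): an owner grant plus a public READ
# grant on the bucket, a policy that opens every object to the world, and a
# policy restricted to one AWS account (account id is a placeholder).
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SAMPLE_PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL_GRANTS, SAMPLE_PUBLIC_POLICY):
        print(finding)
```

Run against the constructed samples, the ACL alone yields only `listing-public`, which is the file-names-visible case; adding the public policy yields `objects-public` as well, which is the fully exposed bucket. Feeding this check the ACL and policy of every bucket in an account on a schedule is one concrete form of the permissions monitoring control recommended above.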

This is just one example of an early generation of tools designed to enumerate the potential misconfigurations and security vulnerabilities of cloud services. It represents the first drops of rain in a coming storm of cloud services security exploitation attacks. Attackers will use these tools to identify targets of opportunity as more data is hosted on cloud platforms, such as the Amazon S3 storage service. Security professionals who institute policies and procedures for the proper configuration and monitoring of cloud services will be better able to protect against these opportunistic attacks and allow companies to fully realize the promise of cloud services.

About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services.  He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
