Leading U.S. defense contractor Booz Allen Hamilton Inc. was recently found to be storing files in a publicly accessible Amazon Simple Storage Service (S3) bucket. Although the data stored in the bucket was not classified, it did contain keys and passwords that may have granted access to other storage systems with more sensitive data.
This incident, as well as other recent exposures of Amazon S3 buckets, highlights the risk of using cloud-based storage and not applying the same controls as you would for your own on-premises storage.
An Amazon S3 bucket is designed to be a cloud storage system that enables organizations to store a large number of files. The bucket is assigned to a specific region; in the case of the Booz Allen Hamilton bucket, it was not hosted in the restricted GovCloud region, and was, instead, in a public region.
The security failing was not Amazon's; the bucket would have needed to be configured to make it publicly accessible using Amazon S3 bucket policies, as these instances default to private. This may have been done on purpose to enable collaborative work on the files contained in the bucket.
As more organizations choose to move their data into the cloud, there is more opportunity for mistakes in configuration that lead to accidental data breaches. If a bucket is accidentally or intentionally left accessible to anyone, all the data in that bucket can be compromised if the permissions on those files are also set to public. Even if the data is not classed as sensitive, it is likely that the information can be used to plan further attacks against the company, perhaps by analyzing metadata in the files.
How to mitigate the risks
Ideally, organizations should be using access control lists to restrict the IP address ranges that are able to access the Amazon S3 bucket, since there is usually no need to have the data accessible from anywhere on the internet.
It is possible to define which users or groups have access to the bucket by specifying the user's canonical user ID or by using a predefined group. This ensures that the data in the bucket is not publicly accessible. The granular level of permission for each user or group can also be defined.
A common mistake is to grant access to the Authenticated Users group, thinking that this means any organizational Amazon Web Services (AWS) user. In reality, it means any user in the world with an AWS account, which potentially exposes that data to anyone.
Organizations should check each of their S3 buckets to ensure the permissions are set securely, and should have a predefined policy for all future bucket deployments. As Amazon S3 buckets all have a unique URL to access them, a simple scan of the organization's bucket URLs can reveal if they are publicly accessible.
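One way to carry out the permission check described above, as an added example that is not part of the original article: it reviews ACL grants, in the shape returned by the S3 GetBucketAcl API, for the two predefined global groups. The bucket names, owner IDs and sample ACLs are constructed for illustration.

```python
# Added example: audit S3 ACL grants for the predefined global groups.
# Input is a dict shaped like the S3 GetBucketAcl response; sample data is constructed.

GROUP_BASE = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GROUP_BASE + "AllUsers": "anyone on the internet",
    GROUP_BASE + "AuthenticatedUsers": "any AWS account holder worldwide",
}
# Permissions that let the grantee change data or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return a list of findings (dicts) for grants to global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name a specific principal
        audience = RISKY_GROUPS.get(grantee.get("URI", ""))
        if audience is None:
            continue  # some other predefined group, not a global one
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "audience": audience,
            "permission": perm,
            "severity": "critical" if perm in WRITE_LIKE else "high",
        })
    return findings


# Constructed sample ACLs (hypothetical bucket names and owner IDs).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "example-private": {"Grants": [OWNER]},
    "example-shared": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AuthenticatedUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AllUsers"},
         "Permission": "WRITE_ACP"},
    ]},
}


def audit_all(acls):
    """Audit every bucket and return all findings in bucket-name order."""
    return [f for name in sorted(acls) for f in audit_acl(name, acls[name])]
```

An ACL review covers only one layer: a bucket policy can also make a bucket public, so it needs to be reviewed separately.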
AWS also gives the option to encrypt the data at rest using the server-side encryption option. This adds a secondary layer of defense that is useful should the data ever be compromised at an infrastructure level.
An Amazon S3 bucket is a safe cloud storage option as long as the permissions are set up correctly. As is the case in many aspects of the cloud, Amazon provides the tools to use the system securely, but it requires the organization to take the same responsibility with its cloud security policies as it does with data stored on premises.