How to keep an Amazon S3 bucket from becoming public

A public-facing Amazon S3 bucket caused problems for major organizations, including Booz Allen Hamilton. Expert Rob Shapland explains what happened and how to prevent it.

Leading U.S. defense contractor Booz Allen Hamilton Inc. was recently found to be storing files in a publicly accessible Amazon Simple Storage Service (S3) bucket. Although the data stored in the bucket was not classified, it did contain keys and passwords that may have granted access to other storage systems with more sensitive data.

This incident, as well as other recent exposures of Amazon S3 buckets, highlights the risk of using cloud-based storage and not applying the same controls as you would for your own on-premises storage.

An Amazon S3 bucket is designed to be a cloud storage system that enables organizations to store a large number of files. The bucket is assigned to a specific region; in the case of the Booz Allen Hamilton bucket, it was not hosted in the restricted GovCloud region, and was, instead, in a public region.

The security failing was not Amazon's; the bucket would have needed to be configured to make it publicly accessible using Amazon S3 bucket policies, as these instances default to private. This may have been done on purpose to enable collaborative work on the files contained in the bucket.

As more organizations choose to move their data into the cloud, there is more opportunity for mistakes in configuration that lead to accidental data breaches. If a bucket is accidentally or intentionally left accessible to anyone, all the data in that bucket can be compromised if the permissions on those files are also set to public. Even if the data is not classed as sensitive, it is likely that the information can be used to plan further attacks against the company, perhaps by analyzing metadata in the files.

How to mitigate the risks

Ideally, organizations should be using access control lists to restrict the IP address ranges that are able to access the Amazon S3 bucket, since there is usually no need to have the data accessible from anywhere on the internet.

It is possible to define which users or groups have access to the bucket by specifying the user's canonical user ID or by using a predefined group. This ensures that the data in the bucket is not publicly accessible. The granular level of permission for each user or group can also be defined.

A common mistake is to grant access to the Authenticated Users group, thinking that this means any organizational Amazon Web Services (AWS) user. In reality, it means any user in the world with an AWS account, which potentially exposes that data to anyone.

Organizations should check each of their S3 buckets to ensure the permissions are set securely, and should have a predefined policy for all future bucket deployments. As Amazon S3 buckets all have a unique URL to access them, a simple scan of the organization's bucket URLs can reveal if they are publicly accessible.

AWS also gives the option to encrypt the data at rest using the server-side encryption option. This adds a secondary layer of defense that is useful should the data ever be compromised at an infrastructure level.

An Amazon S3 bucket is a safe cloud storage option as long as the permissions are set up correctly. As is the case in many aspects of the cloud, Amazon provides the tools to use the system securely, but it requires the organization to take the same responsibility with its cloud security policies as it does with data stored on premises.

This was last published in August 2017