The RedLock security research team discovered a common misconfiguration in Amazon Relational Database Service (RDS) and Amazon Elastic Block Store (EBS) where snapshots have inadvertently been granted “public” access. This potentially exposes sensitive enterprise data to unauthorized users. To assess the impact of the misconfiguration, the team searched for publicly exposed Amazon RDS and EBS snapshots.
The search efforts resulted in the discovery of several thousand data volumes belonging to large financial, healthcare, telecommunication and technology companies. The databases contained sensitive information such as Protected Health Information (PHI) and Personally Identifiable Information (PII). Examples of our findings:
- Over 300,000 customer emails and encrypted passwords that belong to a Fortune 50 enterprise.
- 500,000 customer and employee records belonging to a healthcare supply chain management vendor whose clients include most major healthcare providers.
To be clear, this issue is not due to a vulnerability in the Amazon Web Services (AWS) platform, but rather with how the organizations have configured their environment.
Why should you care?
Any user with valid AWS credentials can easily find and access unencrypted data volumes that have been publicly shared and subsequently gain access to all the information stored within these backups. Customers are advised to immediately assess their infrastructure for this vulnerability and take appropriate actions to fix the configuration error.
Amazon RDS Background
AWS RDS makes it easy to set up, operate, and scale a relational database such as PostgreSQL, MySQL, Oracle, or Microsoft SQL Server in the cloud. Using the Amazon RDS console, a user can share a manual DB snapshot or DB cluster snapshot with up to 20 AWS accounts, or publicly with anyone (refer to Figure 1 below).
Figure 1: Share RDS snapshots publicly using the RDS console
There are a couple of reasons developers set up such broad sharing permissions:
- Developers believe that this access permission will only allow internal users within their organization to access these snapshots. This is a common misconception as this permission grants ANY user with valid AWS credentials access to the snapshot as illustrated in Figure 2 below.
- Rather than defining fine-grained permissions, it is easier and faster to share broadly.
Figure 2: Over 86 publicly shared RDS snapshots
An unauthorized AWS user can easily find these snapshots and restore them to their own RDS instance within their account. Next, they simply reset the password for the database to gain access to highly confidential enterprise data.
Amazon EBS Background
An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. A user can share unencrypted snapshots with co-workers or with any AWS user by modifying the permissions of the snapshot (refer to Figure 3 below).
Figure 3: Share EBS snapshots publicly using the EC2 console
Many developers believe that this access permission will only allow internal users within their organization to access these snapshots. This is a common misconception as this permission grants ANY user with valid AWS credentials access to the snapshot as illustrated in Figure 4 below.
Figure 4: 7,400 publicly shared EBS snapshots can be found in the AWS Oregon region alone
- Ensure your developers understand the implications of publicly sharing RDS snapshots or EBS volumes.
- Due to the volume of cloud workloads and their ephemeral nature, it is often impossible to manually audit your entire public cloud infrastructure footprint for continuous compliance with security best practices. Make sure you have a security solution in place that continuously monitors cloud workloads such as RDS snapshots and EBS volumes, triggers contextual alerts upon detecting policy violations, and instantly auto-remediates when incidents occur.
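An added example (not RedLock's tooling) of the kind of audit described above: it checks one region for both misconfigurations by looking for the "all" value that the console's Public option writes to an RDS snapshot's restore attribute and to an EBS snapshot's createVolumePermission. The boto3 client, the region and the IAM permissions named in the comments are assumptions; the sample responses are constructed.

```python
# Audit one AWS region for RDS and EBS snapshots shared with the 'all' group.
# Added example, not RedLock's tooling: the two check functions take raw API
# response dicts; audit_region() wires them to boto3 and assumes credentials
# with rds:Describe* and ec2:DescribeSnapshot* permissions.

def public_rds_snapshots(attribute_results):
    """Identifiers of RDS snapshots whose 'restore' attribute lists 'all'.
    Input: DBSnapshotAttributesResult dicts from rds.describe_db_snapshot_attributes;
    'all' is the value the console's Public option writes."""
    public = []
    for result in attribute_results:
        for attr in result.get("DBSnapshotAttributes", []):
            if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
                public.append(result["DBSnapshotIdentifier"])
    return public

def public_ebs_snapshots(permission_results):
    """SnapshotIds whose createVolumePermission grants the 'all' group.
    Input: dicts from ec2.describe_snapshot_attribute(Attribute='createVolumePermission')."""
    return [r["SnapshotId"] for r in permission_results
            if any(p.get("Group") == "all" for p in r.get("CreateVolumePermissions", []))]

def audit_region(region="us-west-2"):
    """Return {'rds': [...], 'ebs': [...]} of publicly shared snapshot ids in one region."""
    import boto3  # imported lazily so the checks above run without boto3 installed
    rds, ec2 = boto3.client("rds", region_name=region), boto3.client("ec2", region_name=region)
    rds_results, ebs_results = [], []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            rds_results.append(rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])["DBSnapshotAttributesResult"])
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            ebs_results.append(ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"))
    return {"rds": public_rds_snapshots(rds_results), "ebs": public_ebs_snapshots(ebs_results)}

# Constructed sample responses (not real snapshots) in the shapes the checks expect.
SAMPLE_RDS = [
    {"DBSnapshotIdentifier": "prod-db-2017-04",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "dev-db-copy",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
]
SAMPLE_EBS = [
    {"SnapshotId": "snap-0aaa", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"UserId": "123456789012"}]},
    {"SnapshotId": "snap-0ccc", "CreateVolumePermissions": []},
]
```

Snapshots shared with a specific account ID (as in the second sample of each list) are not flagged, only those granted to the "all" group; run audit_region() per region, since snapshot sharing is regional.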
Advisory Issued: April 13, 2017