Researchers (most notably Chris Vickery) have shown that a common misconfiguration in Amazon Simple Storage Service (Amazon S3) exposes sensitive enterprise data to unauthorized access. They were actively searching for Amazon S3 buckets whose access control lists grant access to the “Any authenticated AWS user” group. These searches turned up several dozen exposed databases belonging to large financial, healthcare, and technology companies.
Why should you care?
Researchers are still actively looking for additional databases exposed by this misconfiguration, and it is only a matter of time before they (or less scrupulous parties running the same searches) find them. It is prudent to assess your own infrastructure for this misconfiguration immediately.
Amazon S3 is a web service that lets organizations store and retrieve arbitrary amounts of data through a simple interface. It is used for backups, application hosting, file serving, and media and software delivery. Given its ease of use, Amazon S3 has become an attractive place for organizations to store large amounts of data.
One of the ways access to Amazon S3 is managed is through Access Control Lists (ACLs), in which the bucket owner specifies which users and groups are permitted to read, write, or list a bucket and its objects (bucket policies and IAM policies are separate controls and are not the subject of this advisory). It is good security practice to make sure these ACLs grant access only to specific, authorized identities. But often, Amazon Web Services (AWS) administrators grant access to “Any authenticated AWS user” (see the image below) in the belief that this permission only allows users within their own organization to reach the data. This is a common misconception. In the console that option maps to the predefined S3 group AuthenticatedUsers (URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers), and membership in that group means nothing more than “the request is signed with valid credentials from some AWS account”. Any AWS account qualifies, including a free account an outsider created minutes earlier, so the grant exposes the data to unauthorized external access. With this permission in place, a malicious user only needs to learn the name of the bucket (if the grant includes LIST access) or the names of the objects inside it (if it grants only READ on objects). Once they have that, they can make ordinary S3 API calls signed with their own credentials and retrieve highly sensitive enterprise data.
- Make sure the ACLs on your Amazon S3 buckets and objects are as restrictive as possible, especially for buckets that hold highly sensitive enterprise data. Only a handful of authorized internal identities should have access, and those should be named explicitly rather than through a global group.
- Reserve the “Any authenticated AWS user” permission for the very narrow set of business-to-business use cases in which it is actually necessary to expose data to any and all AWS customers, and treat such a grant as equivalent to public for the purposes of data classification.
- Due to the dynamic nature of cloud infrastructure, it is often impossible to enforce a uniform security policy by hand across the different DevOps teams in your organization. Make sure you have tooling in place that continuously enumerates Amazon S3 bucket and object ACLs (and other cloud workloads), sends contextual alerts when a global group grant appears, and auto-remediates such findings.
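The check recommended above, as an added example that is not part of the original advisory: a small boto3 script that walks every bucket in an account, flags any ACL grant to the AuthenticatedUsers or AllUsers global groups (the two URIs are AWS's real predefined group identifiers), and optionally resets the bucket to the `private` canned ACL. The sample ACL embedded in the block is constructed to look like what `get_bucket_acl` returns for a bucket whose administrator ticked “Any authenticated AWS user”; the function and variable names are this example's own.

```python
"""Scan S3 ACLs for grants to the global AuthenticatedUsers / AllUsers groups."""
from typing import Dict, List

# AWS's predefined global group URIs. A grant to either one is reachable from
# outside your organization; LogDelivery is also a Group grantee but is benign.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RISKY_GROUPS = {
    AUTHENTICATED_USERS: "any AWS account",
    ALL_USERS: "anyone, no credentials needed",
}


def risky_grants(acl: Dict) -> List[Dict]:
    """Return the grants in an ACL (the dict shape boto3's get_bucket_acl and
    get_object_acl return) that give a global group any permission at all."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        uri = grantee.get("URI")
        if uri in RISKY_GROUPS:
            findings.append({
                "group": uri.rsplit("/", 1)[-1],      # e.g. "AuthenticatedUsers"
                "permission": grant["Permission"],    # READ, WRITE, READ_ACP, ...
                "reach": RISKY_GROUPS[uri],
            })
    return findings


# Constructed sample (not real data): owner keeps FULL_CONTROL, and the
# "Any authenticated AWS user" checkbox added READ for the global group.
SAMPLE_ACL = {
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def scan_account(remediate: bool = False) -> Dict[str, List[Dict]]:
    """Check every bucket the caller can see. Needs boto3 plus the
    s3:ListAllMyBuckets and s3:GetBucketAcl permissions (and s3:PutBucketAcl
    when remediate=True). Returns {bucket_name: findings} for bad buckets."""
    import boto3  # imported here so risky_grants() works without boto3 installed
    s3 = boto3.client("s3")
    report: Dict[str, List[Dict]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        found = risky_grants(s3.get_bucket_acl(Bucket=name))
        if found:
            report[name] = found
            if remediate:
                # The 'private' canned ACL replaces the whole ACL with a single
                # FULL_CONTROL grant to the bucket owner.
                s3.put_bucket_acl(Bucket=name, ACL="private")
    return report


if __name__ == "__main__":
    # Offline demonstration against the constructed ACL; run scan_account()
    # with real credentials to check a live account.
    for f in risky_grants(SAMPLE_ACL):
        print(f"{f['group']} has {f['permission']} (reachable by {f['reach']})")
```

Two caveats a practitioner should keep in mind. First, this script looks only at bucket ACLs; objects carry their own ACLs, and an object granted READ to AuthenticatedUsers is just as exposed even when the bucket ACL is clean, so a thorough sweep calls `get_object_acl` for each key and feeds the result to the same `risky_grants` function. Second, ACLs are only one of the access paths: a bucket policy with a `Principal` of `*` or a broad IAM policy can open the same data, and neither shows up in `get_bucket_acl`.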
Download a copy of the advisory here.
Advisory Issued: April 5, 2017