Amazon’s Simple Storage Service (S3) cloud storage tool consistently made headlines in 2017 and 2018 thanks to many notable organizations like Uber, Accenture and the United States Department of Defense accidentally exposing sensitive data in S3 buckets. But the silver lining to this cloud is that the deluge of breaches caused Amazon to modify certain S3 bucket management and configuration options, making them significantly more secure in 2019. WatchGuard Sr. Security Researcher Marc Laliberte wrote a guest article for Help Net Security explaining what was wrong with S3 buckets in the first place and how Amazon improved them.
In general, the issue with S3 buckets was that it was easy for users to make mistakes during configuration and accidentally leave buckets with sensitive data open to the public. This is a result of user error, not any vulnerability in Amazon’s software. But the structure of S3 buckets contributed to these errors because it made it difficult for users to track what data was secured and what was exposed. Here’s an excerpt from Marc’s article with more details.
While Amazon still blocks all public S3 access by default, users may occasionally need to temporarily allow public access to some bit of data. To facilitate this, an administrator might update their access control list to allow read access to the data with the intention of removing that rule later. Unfortunately, data access requirements change, and people are forgetful, which means there is a chance that rule might stick around for longer than intended, leaving the data accessible when it shouldn’t be. It’s also possible for nested directories – each with their own individual permissions – to add further complexity to S3 bucket access and security. Eventually, you might lose track of the fact that a subdirectory of a subdirectory that is storing sensitive logs is actually publicly accessible.
Over the last two and a half years, Amazon implemented many small changes like flagging public buckets with a bright orange notification in its UI or creating an option to block public access to all S3 buckets in an account with a single button. These were not technical security improvements; they were UI changes and new management tools that made it clearer to users when buckets were being made public and gave them easier options for revoking that access. It’s a good reminder that people and their decision-making are an intrinsic part of security!
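To make the forgotten-ACL problem from the excerpt concrete, here is an added example (not from Marc's article or from Amazon) that audits ACL documents for public grants and reports whether an account's public access block would neutralize them. The ACL and block dictionaries follow the shapes returned by the S3 GetBucketAcl/GetObjectAcl and PublicAccessBlockConfiguration APIs; the bucket contents, key names and owner ID are constructed sample data.

```python
# Added example: offline audit of S3 ACL documents for public grants.
# Grantee URIs below are the two predefined S3 groups that make data public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_grants(acl):
    """Return (audience, permission) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found

def audit(bucket_acl, object_acls, public_access_block=None):
    """Flag public ACL grants on a bucket and on each object key.

    When IgnorePublicAcls is true, S3 ignores public ACLs, so findings are
    marked 'neutralized' but still listed so the stale rule can be removed.
    """
    ignored = bool((public_access_block or {}).get("IgnorePublicAcls"))
    status = "neutralized" if ignored else "EXPOSED"
    findings = []
    for target, acl in [("<bucket>", bucket_acl), *sorted(object_acls.items())]:
        for audience, perm in public_grants(acl):
            findings.append({"target": target, "audience": audience,
                             "permission": perm, "status": status})
    return findings

# Constructed sample data: a private bucket with one deeply nested public object.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}
BUCKET_ACL = {"Grants": [OWNER]}
OBJECT_ACLS = {
    "reports/2019/summary.pdf": {"Grants": [OWNER]},
    "app/tmp/debug/logs/auth.log": {"Grants": [OWNER, PUBLIC_READ]},
}

if __name__ == "__main__":
    for finding in audit(BUCKET_ACL, OBJECT_ACLS):
        print(finding)
```

The bucket-level ACL here is clean; only walking every object's ACL surfaces the exposed log file, which is why a per-bucket check alone misses this case.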