The Consequences of an Amazon S3 Bucket Misconfiguration
Earlier this year, the Swedish security company Securitas made headlines after a misconfigured AWS S3 bucket accidentally exposed 1.5 million files (3 TB) to the public.
The exposed files dated back to 2018 and included ID cards from at least four different airports in South America, as well as data from Securitas employees and other private companies.
SafetyDetectives originally discovered the misconfiguration. The popular antivirus review site reported that at least one airport in Peru and three airports in Colombia were affected by the leak. The exposed records included personally identifiable information (PII) such as names, photos, occupations, and national ID numbers.
The breach included photos of critical airport operations, including fuel lines and luggage loading and unloading. Even worse, the EXIF data in the leaked photos included GPS coordinates as well as time and date stamps. Securitas eventually locked down the exposed bucket, but the damage had already been done.
Amazon Web Services Simple Storage Service (AWS S3) is a leading cloud service for storing large amounts of data. S3 stores data in containers called buckets. Each file in a bucket, together with its metadata, is referred to as an "object" and can be accessed programmatically or through a web interface.
AWS S3 is also a prime target for attackers looking to exfiltrate critical data. Sixteen percent of all cloud-based data breaches come from misconfigurations, the Stockholm-based security firm being only the latest example.
Misconfigured S3 buckets are very preventable. Here are five tips to keep your S3 buckets secure and prevent any potential breaches.
1. Keep Buckets Private
First, let's start with the obvious. AWS S3 buckets are closed off from the public by default, but accidents do happen. Make searching for mistakenly exposed and misconfigured S3 buckets a regular part of your monitoring process. You can either use the AWS Management Console or use third-party tools to monitor your AWS security configuration. Permissions can be granted to users, groups, or roles, each with their own unique credentials, to access specific buckets.
Avoid storing any secrets in Git repositories or on any other code collaboration platform. GitHub was hit earlier this year by an attack in which stolen OAuth user credentials were used to gain access to the npm registry's infrastructure, exposing the credentials of roughly 100,000 npm users.
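The check described above can be automated. The following is an added example, not code from the original post: it evaluates the three pieces of bucket configuration that decide public exposure (the Block Public Access settings, the bucket ACL, and S3's own "is this policy public" verdict) in the response shapes boto3 returns for `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy_status`. The audit logic runs offline on the constructed sample responses at the bottom; `fetch_bucket_config` is the optional live-fetch helper and needs boto3 plus credentials. Bucket names and owner IDs are placeholders.

```python
"""Flag S3 buckets that are reachable by the public.

Added example, not code from the original post. It evaluates the response
shapes returned by boto3's get_public_access_block, get_bucket_acl and
get_bucket_policy_status, so it runs offline on constructed input; the
optional fetch_bucket_config helper pulls those responses from AWS when
boto3 is installed and credentials are available.
"""
from typing import Dict, List, Optional

# Canned grantee URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# All four settings must be on for a bucket to count as locked down.
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def audit_bucket(name: str, public_access_block: Optional[Dict],
                 acl: Dict, policy_status: Optional[Dict]) -> List[str]:
    """Return a list of findings; an empty list means no public exposure found."""
    findings = []
    block = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})

    missing = [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not block.get(k, False)]
    if missing:
        findings.append(f"{name}: Block Public Access incomplete, off: {', '.join(missing)}")

    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            # IgnorePublicAcls makes S3 disregard such grants, so report
            # whether the grant is currently effective or only latent.
            state = "latent (IgnorePublicAcls on)" if block.get("IgnorePublicAcls") else "EFFECTIVE"
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to "
                            f"{PUBLIC_GRANTEE_URIS[uri]} [{state}]")

    # PolicyStatus.IsPublic is S3's own verdict on the bucket policy.
    if (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False):
        findings.append(f"{name}: bucket policy is evaluated as public")
    return findings


def fetch_bucket_config(name: str):
    """Fetch the three inputs for audit_bucket from AWS (requires boto3)."""
    import boto3  # imported here so the audit logic stays usable without it
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    # These calls raise when no block configuration / policy exists; treat
    # that as "absent", which audit_bucket already handles.
    try:
        pab = s3.get_public_access_block(Bucket=name)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    acl = s3.get_bucket_acl(Bucket=name)
    try:
        status = s3.get_bucket_policy_status(Bucket=name)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        status = None
    return pab, acl, status


# Constructed sample responses (placeholder bucket names and owner IDs).
EXPOSED_BUCKET = dict(
    name="example-exposed-bucket",
    public_access_block=None,
    acl={"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERIDEXAMPLE"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    policy_status={"PolicyStatus": {"IsPublic": True}},
)
LOCKED_BUCKET = dict(
    name="example-locked-bucket",
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in BLOCK_PUBLIC_ACCESS_KEYS}},
    acl={"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERIDEXAMPLE"}, "Permission": "FULL_CONTROL"},
    ]},
    policy_status={"PolicyStatus": {"IsPublic": False}},
)

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, LOCKED_BUCKET):
        for line in audit_bucket(**bucket) or [f"{bucket['name']}: no public exposure found"]:
            print(line)
```

Running it against every bucket in an account (`s3.list_buckets()` feeding `fetch_bucket_config`) on a schedule turns the "regular part of your monitoring process" into a concrete job; the constructed exposed bucket above yields three findings, the locked one none.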
2. Monitor Your Buckets
Logging is another critical component when securing any type of cloud environment, whether an S3 bucket or an EC2 instance. A good logging setup helps spot unusual behavior and confirm that company data is secure. Server access logging is also important because it records every request made to a bucket in detail. Bucket logging and monitoring are highly recommended security practices for maintaining data privacy compliance standards such as GDPR.
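To show what "spotting unusual behavior" looks like on server access logs, here is an added example that is not part of the original post. It parses the leading, stable fields of the S3 server access log format (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, status, error code, bytes sent, object size; the trailing fields vary by log version and are ignored) and flags the events a defender reviews first: anonymous requests that were actually served, and ACL changes. The log lines are constructed samples with placeholder IDs, not real traffic.

```python
"""Scan S3 server access log lines for anonymous reads and ACL changes.

Added example, not code from the original post. Only the leading fields of
the server access log format are parsed; the sample lines below are
constructed with placeholder owner and request IDs.
"""
import re
from typing import Dict, Iterable, List, Optional

# bucket_owner bucket [time] remote_ip requester request_id operation key
# "request_uri" http_status error_code bytes_sent object_size ...(ignored)
LOG_PREFIX = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes>\S+) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_PREFIX.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a review reason for a parsed record, or None if it is routine."""
    anonymous = rec["requester"] == "-"      # "-" means no AWS identity signed it
    served = rec["status"].startswith("2")   # 2xx: the request succeeded
    op = rec["operation"]
    if anonymous and served and op in ("REST.GET.OBJECT", "REST.GET.BUCKET"):
        return "anonymous read served"
    if anonymous and served and op.startswith(("REST.PUT.", "REST.DELETE.")):
        return "anonymous write served"
    if op == "REST.PUT.ACL":
        return "access control change"      # always worth a look, even if by the owner
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify over log lines and collect the ones that need review."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; count these separately in production
        reason = classify(rec)
        if reason:
            alerts.append({"reason": reason, "time": rec["time"], "ip": rec["ip"],
                           "operation": rec["operation"], "key": rec["key"]})
    return alerts


# Constructed sample log (placeholder IDs, RFC 5737 test addresses).
SAMPLE_LOG = """\
OWNERIDEXAMPLE example-bucket [06/Feb/2022:00:00:38 +0000] 192.0.2.3 OWNERIDEXAMPLE 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /example-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" -
OWNERIDEXAMPLE example-bucket [06/Feb/2022:00:01:02 +0000] 198.51.100.7 - 891CE47D2EXAMPLE REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 2041 - 23 22 "-" "curl/7.79.1" -
OWNERIDEXAMPLE example-bucket [06/Feb/2022:00:01:05 +0000] 198.51.100.7 - A1206F460EXAMPLE REST.GET.OBJECT badges/id-card-0001.jpg "GET /example-bucket/badges/id-card-0001.jpg HTTP/1.1" 200 - 524288 524288 41 12 "-" "curl/7.79.1" -
OWNERIDEXAMPLE example-bucket [06/Feb/2022:00:01:09 +0000] 198.51.100.7 - 7B4A0FABBEXAMPLE REST.GET.OBJECT badges/id-card-0002.jpg "GET /example-bucket/badges/id-card-0002.jpg HTTP/1.1" 403 AccessDenied - 524288 8 - "-" "curl/7.79.1" -
OWNERIDEXAMPLE example-bucket [06/Feb/2022:00:05:00 +0000] 203.0.113.9 OWNERIDEXAMPLE 3F7CE3F30EXAMPLE REST.PUT.ACL - "PUT /example-bucket?acl HTTP/1.1" 200 - - - 15 14 "-" "aws-cli/2.4.0" -
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the anonymous listing and the anonymous object download that returned 200 are flagged, the 403 is not (it was refused, which is the desired outcome), and the ACL change is surfaced for review. Server access logs are delivered on a best-effort basis, so for an authoritative record of API calls pair them with CloudTrail data events.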
3. Encrypt All Data
Amazon supports encryption for your data on S3, but this feature is not enabled by default. You can choose between server-side encryption (SSE), where data is encrypted in the cloud, and client-side encryption (CSE), where data is encrypted on user devices before it reaches the cloud. Also be sure to enforce TLS/SSL connections so that data is protected in transit.
Buckets with SSE enabled encrypt data automatically; however, that only applies to objects written after the feature is turned on. Any data that already exists in the bucket must be encrypted manually. Encryption also protects against unauthorized access, which accounted for 43% of all global breaches.
4. Define Policies
Policies in S3 can relate to resources such as objects, or to the actions a user may take on each resource. Bucket policies can allow reads and writes and deny actions by unidentified principals. Then there are IAM policies, which can be identity-based, resource-based, or service control policies (SCPs). Identity-based policies apply the Zero Trust principle of least-privilege access to keep the environment secured. You should also remove any inactive users or roles.
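The encryption and transport requirements from tip 3 and the "allow the right principal, deny everyone else" idea from tip 4 are both expressed in a bucket policy. The following is an added example, not the post's or AWS's own code: it builds a bucket policy document with the standard guardrail statements (deny any request not made over TLS via `aws:SecureTransport`; deny `PutObject` calls that omit or mis-set the `s3:x-amz-server-side-encryption` header) and one least-privilege Allow for a single role, and a checker that verifies a policy document carries those guardrails and grants nothing to `Principal: "*"`. The bucket name, account ID and role ARN are placeholders.

```python
"""Build and check an S3 bucket policy enforcing TLS, SSE and least privilege.

Added example, not code from the original post. Bucket name, account ID
and role ARN used below are placeholders.
"""
import json
from typing import Dict, List


def build_bucket_policy(bucket: str, writer_role_arn: str,
                        sse_algorithms=("aws:kms", "AES256")) -> Dict:
    """Return a bucket policy document (dict) ready for json.dumps."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Any request not made over TLS is refused outright.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Uploads must name an accepted server-side encryption algorithm ...
                "Sid": "DenyWrongEncryptionAlgorithm",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": list(sse_algorithms)}},
            },
            {   # ... and the encryption header must be present at all.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # The one identity that may read and write objects (least privilege).
                "Sid": "AllowWriterRole",
                "Effect": "Allow", "Principal": {"AWS": writer_role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": objects_arn,
            },
        ],
    }


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def check_guardrails(policy: Dict) -> Dict[str, bool]:
    """Report which guardrails a bucket policy document actually carries."""
    result = {"denies_non_tls": False, "denies_unencrypted_puts": False,
              "no_public_allow": True}
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {})
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and "s3:*" in actions:
                result["denies_non_tls"] = True
            header_checked = ("s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {})
                              or "s3:x-amz-server-side-encryption" in cond.get("Null", {}))
            if "s3:PutObject" in actions and header_checked:
                result["denies_unencrypted_puts"] = True
        elif st.get("Effect") == "Allow":
            principal = st.get("Principal")
            # "*" or {"AWS": "*"} hands the grant to every principal, i.e. the public.
            if principal == "*" or (isinstance(principal, dict)
                                    and "*" in _as_list(principal.get("AWS", []))):
                result["no_public_allow"] = False
    return result


# Constructed example of the classic "public read" policy that causes leaks.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    policy = build_bucket_policy("example-bucket",
                                 "arn:aws:iam::123456789012:role/ExampleWriter")
    print(json.dumps(policy, indent=2))
    print("hardened:", check_guardrails(policy))
    print("public-read:", check_guardrails(PUBLIC_READ_POLICY))
```

The generated document can be applied with `put_bucket_policy` (boto3) or `aws s3api put-bucket-policy`; `check_guardrails` is the kind of test to run over every bucket policy in an account so that a policy like `PUBLIC_READ_POLICY` is caught before it ships. Note that the Deny statements use `Principal: "*"` deliberately: a deny that applies to everyone is the safe direction, whereas an allow to everyone is exactly the misconfiguration this post is about.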
5. Secure AWS Environments Based on the Zero Trust Principle
One sure-fire way to protect your S3 buckets and all other AWS cloud environments is by deploying Zero Trust Network Access. ZTNA helps ensure that threat actors are unable to access your data due to policy enforcement and network segmentation.
Perimeter 81's ZTNA solution easily integrates with your existing AWS cloud environments. Users can only access resources once they have been granted specific permission sets and have been properly verified using multi-factor authentication (MFA) for added layers of protection. Keep all of your S3 buckets secured with ZTNA. The smallest bucket misconfiguration can lead to an enormous breach, as we saw with Securitas. Don't take that risk. Get ZTNA secured today.