Leaky AWS S3 buckets have been spilling confidential information onto the public internet for years, and now anonymous hackers have created a search engine to make finding those exposed secrets even easier.

New on the scene is “BuckHacker.” The name is a portmanteau, stemming from the fact that it allows the hacking of “buckets”, which is the name for containers of data within Amazon Web Services Simple Storage Service (S3). It is a tool designed to allow easy searching of information publicly available in AWS S3. It’s like a Google search just for S3, where according to recent research up to 7% of S3 buckets contain public data.

Although previous tools and techniques have been published for finding accidental S3 exposures, BuckHacker is notable for making the process simple.

Which leads us to our titular question: what are you doing today to keep the confidential data stored in your AWS S3 account private? If you don’t have a firm answer to the question, there’s a good chance you could find yourself in the headlines as another data dump is discovered.

AWS S3 access control configuration is incredibly complex, and accidental public exposure is all too easy to allow. Every change to access control lists (ACL), IAM user policy, or the bucket policy can cause previously private data to become public. We went into deep detail on the complex nature of S3 access control in a previous post on preventing AWS storage breaches.

The perfect storm is created when configuration complexity is met with tools like BuckHacker, which make it easy for even non-technical attackers to find the leaks in your buckets.

What should you be doing about it? At a minimum, you must manually evaluate all of the ACLs and Policies that affect access to your S3 storage (Read more...)