Amazon Battles Leaky S3 Buckets with a New Security Tool

Anyone who has been following security trends in recent years cannot fail to have noticed the preponderance of data breaches which have stemmed from unsecured Amazon S3 buckets.

Many well-known organisations, including FedEx, Capital One bank, Verizon, and even US defense contractors, have left confidential and sensitive data publicly exposed by not having properly configured the security of their cloud-based storage servers.

In fact, the problem became so bad that some security researchers have even been known to leave “friendly warnings” on exposed servers when they came across them, advising their owners to review their settings.

In late 2017, Amazon Web Services (AWS) announced that it was introducing “bright orange pill” warnings onto server administrators’ dashboards warning them if buckets had been configured to be publicly accessible.

That was a positive step, but the continuing revelations of privacy-busting data breaches from unsecured storage servers meant that more still needed to be done.

This week Amazon announced its newest feature – the AWS Identity & Access Management Access Analyzer – that, amongst other things, monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts.

In short, the new feature is supposed to help avoid accidental misconfigurations that could result in sensitive data being exposed, and subsequently damaging a company’s brand and even – potentially – putting its customers at risk.

If the Access Analyzer tool discovers that a bucket is misconfigured you can respond to the alert by making a single click to “Block All Public Access,” and then use the tool’s report to understand the nature of the problem so you can fully address it.

Of course, it’s perfectly possible that there is data on your AWS cloud servers which is supposed to be shared on the general internet (webpages, for instance), and these can be marked as intentionally public to avoid repeat warnings.
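The two S3 checks described above (a bucket granted to anyone on the internet, and a bucket shared with another AWS account) can be reproduced offline against a bucket policy document. The script below is an added example, not Amazon's tool or code from the original post; the policy it inspects is constructed for illustration, and the `own_account` value is an assumed 12-digit account ID.

```python
import json
import re

# Constructed sample bucket policy (not from the article): one statement grants
# the whole internet read access, one shares the bucket with another AWS account,
# and one is an ordinary same-account grant that should not be flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerShare", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Extracts the account ID from an IAM principal ARN such as arn:aws:iam::123456789012:root
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def _principals(principal):
    """Flatten the Principal element ("*" or {"AWS": str | list}) into a list of strings."""
    if principal == "*":
        return ["*"]
    vals = principal.get("AWS", []) if isinstance(principal, dict) else []
    return vals if isinstance(vals, list) else [vals]

def classify_policy(policy_json, own_account):
    """Return {"public": [sids], "cross_account": [sids]} for Allow statements whose
    principal is anyone on the internet, or an AWS account other than own_account."""
    findings = {"public": [], "cross_account": []}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are not findings
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt.get("Principal", {})):
            if p == "*":
                findings["public"].append(sid)
                continue
            m = ACCOUNT_RE.match(p)
            acct = m.group(1) if m else (p if p.isdigit() else None)  # bare account IDs are valid too
            if acct and acct != own_account:
                findings["cross_account"].append(sid)
    return findings

if __name__ == "__main__":
    print(classify_policy(SAMPLE_POLICY, "111111111111"))
```

A statement flagged as public here corresponds to the case where the article's one-click "Block All Public Access" remediation applies; a cross-account finding needs a human to decide whether the sharing is intended.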

Aside from Amazon S3 buckets, IAM Access Analyzer can also analyse the permissions granted using policies for your AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.

As ever with security, you would be wise to follow the principle of least privilege, granting only the permissions required to perform a particular task and no more.

To enable the feature, administrators should visit their IAM console and enable the AWS Identity and Access Management (IAM) Access Analyzer. It will then appear in the S3 Management Console.

It’s clearly a good thing that Amazon has developed an additional tool to help protect companies from leaking data through servers they have configured poorly. But an alert is only half the battle – we still need companies to understand the severity of the issue and tackle it promptly when it is brought to their attention.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Graham Cluley. Read the original post at: