Report Reveals AWS S3 Buckets are Poorly Protected

Research from Lightspin indicates that AWS S3 Buckets are not as secure as many users may think. Lightspin, which specializes in cloud security services, inspected more than 40,000 Amazon S3 buckets and found that improperly configured AWS permissions exposed, on average, 42% of an organization’s AWS S3 buckets.

While misconfigured permissions are not a new phenomenon for most organizations, the particular permission in question, “objects can be public,” creates a pathway for hackers to write to S3 buckets they do not have actual rights to access. Misconfigured S3 buckets have been the root cause of numerous high-profile attacks, such as Verizon’s recent exposure of more than 6 million customer accounts.

Simply put, hackers are able to use standard tools like AWS CloudTrail and Config to access S3 buckets held by other account users, even if those S3 buckets are not public. Although misconfiguration is the primary element that exposes those accounts, it is further exacerbated by how access control lists (ACLs) are managed by default for AWS S3 buckets and the objects contained within.

A simple policy misconfiguration, such as granting access from any account to an object even if the S3 bucket is marked private, creates a pathway for cross-account attacks, where attackers can write to objects and linger undetected for extended periods.

“Cross-account attacks on AWS services are difficult to detect and can remain undetected for a long time,” said Colby Winegar, co-founder of CrowdStorage, which offers S3-compatible storage solutions. “Defining policies and ACLs can be a complicated process with Amazon services, creating the opportunity for users to just go with default settings to expedite provisioning, and then simply forget to audit settings later on.” 

However, the primary problem rests with how ACLs and policies are managed, along with a lack of visibility into both buckets and object configurations. “AWS doesn’t provide the ability to drill down from a bucket to see the status of all the objects it contains,” said Vladi Sandler, CEO of Lightspin. “In order to be sure that objects are ‘safe,’ it’s necessary to go through each object’s ACL to check if it is open to the public.”

Sandler pointed out the need to audit accounts, ACLs, policies and so forth. These chores are part of cybersecurity due diligence, but they are not fully supported by the tools bundled with Amazon’s services. “The ability to drill down into individual ACLs for objects is critical when securing those objects,” said Winegar. “Otherwise, you will not have an understanding of who can do what with the buckets, as well as the objects contained within.”
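The per-object ACL walk Sandler describes can be scripted against the S3 API. The following is an added example written for this article, not Lightspin's scanner or any AWS-provided tool; the `Finding` class and `risky_grants`/`audit_bucket` functions are names I chose, and the sample ACL in the test is constructed. It flags grants to the AllUsers (anonymous) and AuthenticatedUsers (any AWS account, the cross-account path the article describes) groups on the bucket ACL and on every object ACL.

```python
"""Audit S3 bucket and object ACLs for grants to anonymous users or to any AWS account."""
from dataclasses import dataclass

# Predefined S3 grantee groups (real URIs used in ACL documents).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Grants that let the grantee change content or the ACL itself. WRITE is a bucket-level
# permission; WRITE_ACP and FULL_CONTROL apply to objects too and let the grantee
# re-grant themselves anything, so a single WRITE_ACP grant is as bad as FULL_CONTROL.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


@dataclass
class Finding:
    key: str          # bucket name or object key the grant is on
    grantee: str      # "anonymous" or "any-aws-account"
    permission: str   # READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL


def risky_grants(key, acl):
    """Return a Finding for every grant in an ACL document (the dict shape returned by
    get_bucket_acl / get_object_acl) whose grantee is AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / email grantees are specific accounts, not "anyone"
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            who = "anonymous"
        elif uri == AUTHENTICATED_USERS:
            who = "any-aws-account"
        else:
            continue  # e.g. the LogDelivery group
        findings.append(Finding(key, who, grant["Permission"]))
    return findings


def is_writable(findings):
    """True if any finding grants a permission that allows writing content or the ACL."""
    return any(f.permission in WRITE_PERMISSIONS for f in findings)


def audit_bucket(s3, bucket):
    """Walk the bucket ACL and every object ACL with a boto3 S3 client (needs credentials)."""
    findings = risky_grants(f"{bucket} (bucket ACL)", s3.get_bucket_acl(Bucket=bucket))
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            acl = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])
            findings.extend(risky_grants(obj["Key"], acl))
    return findings
```

Run it with `audit_bucket(boto3.client("s3"), "my-bucket")` and treat any finding where `is_writable` is true as the highest priority; a bucket with zero findings can still be exposed through a bucket policy, which this ACL-only check does not inspect.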

For cybersecurity professionals, standard best practices include penetration testing, as well as scanning infrastructure for attack vectors. Yet, those best practices become increasingly difficult when cloud services come into the picture. The ability to understand the context of ACLs is quickly becoming the cornerstone of security practices, such as zero-trust. This means context-aware scanning must be brought to cloud environments. “We recognize that organizations need better context, so we have developed an open source scanner that provides exactly this—the visibility and the context to know exactly what objects are publicly accessible, at a glance,” added Sandler.

Lightspin’s discovery may very well be just the tip of the iceberg; the company focused only on AWS CloudTrail and Config in its initial research. That narrow focus could indicate that other AWS services that use S3 buckets may be at risk from misconfiguration attack paths, and may even provide read permissions.

Frank Ohlhorst

Frank is an award-winning technology journalist and IT industry analyst, with extensive experience as a business consultant, editor, author, and blogger. Frank works with both technology startups and established technology ventures, helping them to build channel programs, launch products, validate product quality, create marketing materials, author case studies, eBooks and white papers.