We’ve read plenty of stories recently about the accidental exposure of data stored in the cloud because of users’ poor configuration choices.
Cybersecurity researchers have been actively scanning Amazon Web Services (AWS) for accounts and files available to the public; when sensitive information was encountered, the affected company was notified.
Three recent incidents exposed data on huge numbers of people:
- Dow Jones: more than two million customers.
- Verizon: 14 million customers.
- Republican National Committee: vendor Deep Root Analytics exposed data on almost 200 million US voters.
Help is available.
AWS partners share their security expertise on how to secure data, and Amazon lays out in the AWS S3 FAQ how to use access controls and encryption.
Unfortunately, folks often don’t have time to look beyond their own work, and miss some basics on securing their buckets.
When security vendor Threat Stack surveyed 200 AWS users in early 2017, we weren't surprised by the findings: 73% left SSH open to the public internet and 62% weren't using two-factor authentication to secure access to their data.
AWS took a proactive step by scanning their customers’ AWS S3 buckets and sending warnings to individuals whose data was publicly available.
According to SearchCloudSecurity, which had seen a copy of the email, AWS reminded users:
“By default, S3 bucket ACLs [access control lists] allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access.
While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.
We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend.”
The email then provided a link to the AWS S3 FAQ page for Managing Access with ACLs.
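The review AWS asks for in that email can be automated. The following is an added example, not code from the original post or from AWS: an offline checker that flags the two ways a bucket becomes world-readable, a bucket ACL grant to the AllUsers or AuthenticatedUsers group, and a bucket policy statement that allows Principal "*". The input shapes mirror what boto3's get_bucket_acl() and get_bucket_policy() return, but the bucket names, owner ID and ACL/policy documents below are constructed sample data so the script runs with no AWS credentials.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public access.

Added example (not from the original post or from AWS). The dict shapes
follow boto3's get_bucket_acl() / get_bucket_policy() responses; all
sample buckets, IDs and documents here are constructed for illustration.
"""
import json

# The two pre-defined S3 groups that make a grant "public": AllUsers is the
# whole internet, AuthenticatedUsers is any AWS account (not just yours).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[uri], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for each Allow statement open to anyone.

    A statement with a Condition block may still be narrowed (e.g. to a VPC
    endpoint or source IP), so it is reported with has_condition=True for
    manual review rather than silently accepted.
    """
    if isinstance(policy, str):  # get_bucket_policy() returns the JSON as a string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), tuple(actions), bool(stmt.get("Condition"))))
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine both checks into one per-bucket verdict."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    unconditional = [f for f in policy_findings if not f[2]]
    return {
        "bucket": name,
        "public": bool(acl_findings or unconditional),
        "acl": acl_findings,
        "policy": policy_findings,
    }


# --- Constructed sample data (not real buckets or accounts) ----------------
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}

SAMPLE_ACL_PRIVATE = {"Owner": {"ID": OWNER["ID"]},
                      "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

# The "inadvertently public" case from the AWS email: world READ on the bucket.
SAMPLE_ACL_PUBLIC = {"Owner": {"ID": OWNER["ID"]},
                     "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                                {"Grantee": {"Type": "Group",
                                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                 "Permission": "READ"}]}

SAMPLE_POLICY_PUBLIC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-site/*"}],
})

if __name__ == "__main__":
    for name, acl, policy in [("example-private-backups", SAMPLE_ACL_PRIVATE, None),
                              ("example-exports", SAMPLE_ACL_PUBLIC, None),
                              ("example-public-site", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_PUBLIC)]:
        print(json.dumps(audit_bucket(name, acl, policy)))
```

To run this against a real account, feed it the responses of `get_bucket_acl` and `get_bucket_policy` for each bucket returned by `list_buckets`. Two caveats a practitioner should keep in mind: this checks bucket-level settings only, so objects uploaded with their own public ACL (for example `--acl public-read`) need a separate pass over object ACLs, and a policy statement that is conditional is reported but not counted as public, so those still deserve a human look.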
By all means use AWS or any other cloud service, but make sure you are sharing your data as you intended. And if you don’t know how to configure your buckets securely, head to the Amazon partner network for advice.