Celidor

Data breaches from S3 buckets

8/9/2018

Over the last few years there have been a large number of data breaches from S3 buckets, for example:
  • Dow Jones, records from 2.2 million users
  • FedEx - 120,000 user records including scanned driver licenses 
  • Security researcher finds 2,000 public S3 buckets thought to be misconfigured
  • Uber - 57 million user and driver records stolen
S3 is the storage service provided by Amazon - but there is nothing intrinsically insecure about S3. AWS provides the ability to configure S3 very securely - but equally it's possible to misconfigure S3 and make buckets or objects public when they should be private. The same applies to storage services from other cloud providers. 

Some of the data breaches were simply due to the S3 bucket being configured as public instead of private. AWS improved the S3 console recently, to clearly warn the user when a bucket or object is being made public. But I know some DevOps engineers who only ever use code and never log in to the console - so they would never see these warnings.

The Dow Jones case I find interesting because the misconfiguration arose from the use of "authenticated users" in the access control list. You might think that means an authenticated user of the same AWS account the S3 bucket resides in. Actually it means any AWS account in the world.
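A check for this in code, as an added example that is not part of the original post: it scans ACLs for grants to the two global S3 groups and reports what each one really means. The bucket names and ACLs are constructed sample data, shaped like the response of boto3's `get_bucket_acl`.

```python
# Added example: flag S3 ACL grants to the global groups (constructed sample data).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # not a global group

GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "any AWS account in the world, not only the bucket owner's",
}

def risky_grants(acl):
    """Return one finding per grant that targets a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in GLOBAL_GROUPS:
            findings.append({
                "group": uri.rsplit("/", 1)[-1],
                "permission": grant.get("Permission"),
                "meaning": GLOBAL_GROUPS[uri],
            })
    return findings

def audit(acls):
    """Map bucket name -> findings, keeping only buckets with at least one finding."""
    return {name: f for name, acl in acls.items() if (f := risky_grants(acl))}

def _grant(kind, ident, permission):
    key = "URI" if kind == "Group" else "ID"
    return {"Grantee": {"Type": kind, key: ident}, "Permission": permission}

OWNER = _grant("CanonicalUser", "constructed-owner-id", "FULL_CONTROL")

# Constructed ACLs; in a live audit each value would come from
# boto3.client("s3").get_bucket_acl(Bucket=name).
SAMPLE_ACLS = {
    "example-private": {"Grants": [OWNER]},
    "example-shared": {"Grants": [OWNER, _grant("Group", AUTHENTICATED_USERS, "READ")]},
    "example-public": {"Grants": [OWNER, _grant("Group", ALL_USERS, "READ")]},
    "example-logs": {"Grants": [OWNER, _grant("Group", LOG_DELIVERY, "WRITE")]},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_ACLS).items():
        for f in findings:
            print(f"{bucket}: {f['permission']} granted to {f['group']} ({f['meaning']})")
```

Run in a deployment pipeline, a check like this gives engineers who never open the console the same warning the console shows.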

The Uber S3 bucket wasn't misconfigured as such - it appears that an attacker got hold of GitHub credentials and so could access private Git repositories; the attacker then discovered an AWS key which had rights to the S3 bucket.


Effectively protecting an organisation against cloud security incidents such as these requires an in-depth understanding of cloud security architecture and security expertise relating to cloud provider services, combined with a DevSecOps approach to infrastructure code development, testing and deployment.


    Author

    Paul Schwarzenberger is a Cloud Security Architect and Engineer



© 2020 Celidor Limited. All Rights Reserved.

Celidor Limited

Company Number: 08870661

