AWS introduces a new feature targeted at preventing accidental leaks of S3 data



The web services division at Amazon has introduced a new AWS security feature to prevent the accidental exposure of data caused by misconfigured S3 storage buckets.

From now on, AWS account holders can access four new options in their S3 dashboards under “Public access settings for this account”.

With these options, an account owner can set default access settings for all of the account’s S3 buckets. These account-level settings automatically override all existing or new bucket-level ACLs and procedures.

Account owners can apply these settings to any S3 bucket created from now on, and can also apply them retroactively to buckets that already exist.

According to Jeff Barr, Chief Evangelist for Amazon Web Services, these new settings serve as a master switch that prevents account owners, their employees or their developers from mistakenly opening their data and S3 buckets to public view through a misconfiguration or a coding error at the bucket or application level.
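The account-level master switch described above can be modelled offline. The following added example is not code from the article or from AWS; it names the four settings as they appear in the S3 Block Public Access API (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), which the article does not list, and evaluates constructed sample buckets against them. It shows both halves of the feature: existing public ACLs and policies are overridden (IgnorePublicAcls, RestrictPublicBuckets), and new public ACLs or policies are rejected at write time (BlockPublicAcls, BlockPublicPolicy). Account-level and bucket-level settings are combined with the more restrictive value winning; the bucket names, grants and policy are constructed for illustration.

```python
"""Model of S3 Block Public Access semantics over constructed bucket data.

Added example, not the article's or AWS's own code. Sample buckets, grants
and the policy below are constructed; they are not from the article.
"""
import json

# Public grantee groups used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# The four account-level settings; all on is the "master switch" position.
FULL_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def effective_config(account_cfg, bucket_cfg):
    """Account and bucket settings combine; the more restrictive value wins."""
    return {k: bool(account_cfg.get(k)) or bool(bucket_cfg.get(k)) for k in FULL_BLOCK}


def acl_grants_public(grants):
    """True if any ACL grant targets AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS for g in grants)


def policy_is_public(policy):
    """Rough check: an unconditional Allow statement with a wildcard principal."""
    if not policy:
        return False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if wildcard and "Condition" not in st:
            return True
    return False


def public_exposure(bucket, account_cfg):
    """Report which public paths remain open after the Ignore/Restrict settings apply."""
    cfg = effective_config(account_cfg, bucket.get("PublicAccessBlock", {}))
    via_acl = acl_grants_public(bucket.get("Grants", [])) and not cfg["IgnorePublicAcls"]
    via_policy = policy_is_public(bucket.get("Policy")) and not cfg["RestrictPublicBuckets"]
    return {"bucket": bucket["Name"], "public_via_acl": via_acl, "public_via_policy": via_policy}


def audit(buckets, account_cfg):
    """Evaluate every bucket under a given account-level configuration."""
    return [public_exposure(b, account_cfg) for b in buckets]


def change_allowed(account_cfg, bucket_cfg, grants=None, policy=None):
    """Model the Block settings: a new public ACL or public policy is rejected at write time."""
    cfg = effective_config(account_cfg, bucket_cfg)
    if grants is not None and cfg["BlockPublicAcls"] and acl_grants_public(grants):
        return False
    if policy is not None and cfg["BlockPublicPolicy"] and policy_is_public(policy):
        return False
    return True


# Constructed sample data (hypothetical bucket names and a placeholder owner id).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
               "Permission": "FULL_CONTROL"}
PUBLIC_READ_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"}]}

SAMPLE_BUCKETS = [
    # Public via an ACL grant to AllUsers, no bucket-level block.
    {"Name": "example-website-assets", "Grants": [OWNER_GRANT, PUBLIC_READ_GRANT],
     "Policy": None, "PublicAccessBlock": {}},
    # Public via a wildcard-principal bucket policy.
    {"Name": "example-reports", "Grants": [OWNER_GRANT],
     "Policy": PUBLIC_POLICY, "PublicAccessBlock": {}},
    # Public ACL present, but the bucket-level IgnorePublicAcls already neutralises it.
    {"Name": "example-backups", "Grants": [OWNER_GRANT, PUBLIC_READ_GRANT],
     "Policy": None, "PublicAccessBlock": {"IgnorePublicAcls": True}},
]

if __name__ == "__main__":
    for label, cfg in (("no account-level block", {}), ("all four settings on", FULL_BLOCK)):
        print(label)
        for row in audit(SAMPLE_BUCKETS, cfg):
            print("  " + json.dumps(row))
```

On a live account the same four flags are set with `aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true` (the account id is a placeholder), and the audit above maps directly onto the data returned by `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`. The policy check is deliberately conservative: it flags only unconditional wildcard principals, so a real audit should also treat conditional wildcard statements as suspicious.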

In the last couple of years, a great many AWS customers have suffered from these misconfiguration accidents, which have also given AWS itself a few black eyes. Many cyber-security experts are of the opinion that Amazon has not done enough to warn AWS users about the dangers of leaving an S3 bucket exposed, or to provide enough controls to prevent such incidents.


Amazon did something about it in November, when it introduced a feature that displays bright orange warning indicators in the AWS dashboard next to every S3 bucket that permits public access.

Today’s updates are targeted at the issues the company has recently been criticized for: they provide the settings needed to prevent a misconfiguration from exposing a bucket in the first place, instead of merely informing account owners after it has happened.

To show just how problematic these accidental S3 bucket leaks can be, and to put things in perspective, here is an incomplete list of data breaches and leaks caused by apps or companies that ran a misconfigured S3 bucket, allowing anyone other than the server owner to access its contents.

  • Thousands of records of FedEx customers were exposed by an unsecured S3 server.
  • GoDaddy’s business secrets were exposed by an AWS S3 error.
  • Accenture exposed a trove of sensitive data that included the “keys to the kingdom”.
  • About 14 million Verizon customer records, including account PINs and phone numbers, were exposed through an S3 bucket.
  • Researchers also found a Verizon AWS S3 bucket with more than 100 MB of data on the company’s internal billing system exposed online.
  • An S3 database exposed the personal details of job applicants holding top-level government clearances.
  • An S3 server exposed the details of about 198 million American voters.
  • The data of some US citizens was leaked by the National Credit Foundation through an unsecured AWS bucket.
  • Arik Air, a Nigerian airline, also leaked customer data through an unsecured S3 bucket.
  • About 73 GB of data, including secret keys and plain-text passwords, were exposed by the ISP Pocket iNet.
  • At Alteryx, an S3 leak left about 123 million American households exposed to spam and fraud.
  • AgentRun, an insurance startup, also leaked sensitive customer health information through a misconfigured Amazon S3 bucket.
  • Donald Trump’s campaign site leaked interns’ resumes through an S3 bucket.
  • SpyFone, a spyware firm, also left recordings and customer data exposed online through an S3 server.
  • Booz Allen Hamilton, a top-level DOD contractor, leaked about 60,000 files that included employee security passwords and credentials to a US government system.
  • The personal details of more than 3 million WWE fans who had registered on its site were leaked by an AWS S3 server.
  • An auto-tracking company also leaked the details of more than half a million car owners.
  • Election Systems & Software (ES&S), a voting machine firm, left an S3 bucket containing the personal records of about 1.8 million Chicago voters exposed online.
  • Dow Jones also leaked 2.2 million customers’ personal details.
  • The data of thousands of Australian bank employees and government data were leaked by an S3 bucket.
  • Keeper, a password manager, also left an S3 server exposed.

Research published a year ago by Skyhigh Networks (now part of McAfee) found that about 7% of AWS S3 buckets were publicly exposed.

Amazon also had a major announcement for DynamoDB, the high-load database engine that is part of the AWS suite. According to Amazon, from today on, all data stored in DynamoDB is automatically encrypted by default.

Amazon stated in a press release: “You do not have to make any code or application modifications to encrypt your data. DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit millisecond latency that you have come to expect.”