Over 126 billion files exposed on Amazon's public cloud, as revealed by a security company.
In a recent discovery, security company Rapid7 uncovered thousands of files containing sensitive information, such as sales records, employee personal details, unencrypted passwords, and video game source code, stored in publicly accessible Amazon S3 cloud storage buckets.
The research, which analyzed a cross-section of 40,000 files from these publicly accessible buckets, highlights the dangers of lax security practices when data is stored on the cloud. Rapid7 successfully guessed the URLs of 12,328 buckets on the S3 service by inserting the names of Fortune 500 companies into the standard URL format for S3.
Astonishingly, of the 12,328 buckets guessed, 1,951 were set to 'public', meaning their contents were accessible to anyone who knew or guessed the URL. This discovery underscores the importance of properly configuring access settings for cloud storage services.
Amazon sets S3 buckets to private by default, but it appears that some companies have inadvertently changed the access settings, potentially exposing their sensitive data to the internet.
To secure Amazon S3 buckets from public access and protect sensitive data, it is recommended to:
- Block all public access using AWS S3 Block Public Access settings, which centrally prevent any bucket or object from being publicly accessible unless explicitly allowed.
- Carefully configure bucket policies and access control lists (ACLs) to follow the principle of least privilege, granting only required permissions to specific AWS IAM roles or users rather than public or overly permissive access.
- Enable bucket versioning to protect against accidental overwrites or deletions.
- Use encryption both at rest and in transit to protect data confidentiality.
- Continuously monitor and audit access using AWS CloudTrail for logging, GuardDuty for threat detection, and AWS Config rules for compliance checking and automatic remediation of misconfigurations like unencrypted or publicly exposed buckets.
- Leverage Amazon Macie or similar services to discover and classify sensitive data such as personally identifiable information (PII) within buckets, helping to identify where additional controls or remediation might be needed.
- Implement automated security controls such as AWS Config rules that can enforce best practices like mandatory encryption and block public writes without manual intervention.
- Set up IAM policies and roles carefully to control who can create, access, or modify buckets and their content, rather than relying on ACLs, which are harder to maintain securely.
These steps help prevent accidental public exposure, unauthorized access, and data leaks, ensuring sensitive data in S3 buckets remains protected. Vigilant configuration, encryption, monitoring, and automated compliance enforcement are critical pillars of securing S3 storage.
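The audit the list above calls for, as an added example that is not part of the article or of Rapid7's research: given a bucket's policy, its ACL, and its Block Public Access configuration (the shapes returned by the S3 API), it reports which policy statements or ACL grants open the bucket to anonymous callers, and whether Block Public Access overrides them. The sample policy, ACL and account id are constructed for the example.

```python
import json

# Canned group URIs that S3 uses for "everyone" and "any AWS account" ACL grants.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four settings of an S3 PublicAccessBlockConfiguration; all True means fully blocked.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """True if a policy Principal is the wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids (or positions) of Allow statements that any anonymous caller can use."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]  # conditioned wildcard grants still need a human look

def public_acl_grants(acl):
    """(group URI, permission) pairs in a GetBucketAcl-style dict that reach a public group."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def audit_bucket(policy_json, acl, public_access_block):
    """Summarise how a bucket could be reached anonymously, in the terms the S3 console uses."""
    blocked = all(public_access_block.get(k, False) for k in BLOCK_KEYS)
    findings = {"public_policy": public_policy_statements(policy_json) if policy_json else [],
                "public_acl": public_acl_grants(acl)}
    # Block Public Access overrides public policies and ACLs: exposure needs a public grant AND no block.
    findings["exposed"] = (not blocked) and bool(findings["public_policy"] or findings["public_acl"])
    return findings

# Constructed sample: a bucket whose policy and ACL both open it to the world (account id is fake).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}
NO_BLOCK = {k: False for k in BLOCK_KEYS}
FULL_BLOCK = {k: True for k in BLOCK_KEYS}
```

Running `audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, NO_BLOCK)` flags the `PublicRead` statement and the `AllUsers` READ grant as exposing the bucket; the same bucket with `FULL_BLOCK` is reported as not exposed, which is why the list above puts Block Public Access first.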
Rapid7 advises companies to check whether their S3 buckets are set to public and to consider what data is stored in public S3 buckets and whether it should be exposed to the internet. Properly securing cloud storage services is essential to prevent potential misuse of data for malicious purposes or compromise of user accounts, as well as to protect against data breaches and maintain compliance with regulations.
Amazon provides a guide on keeping data stored on the S3 service secure. By following best practices and taking proactive measures to secure their S3 buckets, companies can help ensure the safety and integrity of their sensitive data on the cloud.
Data and cloud-computing practices such as Amazon S3 storage rely heavily on technology to store and manage sensitive information. However, the Rapid7 research highlights the risks of lax security: many companies inadvertently configure their S3 buckets as 'public', exposing sensitive data like sales records, employee details, and unencrypted passwords to potential threats.