How to protect AWS S3 buckets

The cloud is a wonderful thing for CIOs, as long as its resources are used in ways that follow the enterprise's security protocols. When administrators make configuration mistakes, the consequences can be serious.

That's what some organizations have recently found when staff using Amazon Simple Storage Service (AWS S3) buckets failed to properly secure the containers and allowed external access to the data. One of the victims was Verizon Communications. Thanks to a misconfigured repository created by an Israeli partner, subscriber information on at least 6 million U.S.-based Verizon customers was potentially publicly available. A researcher discovered the hole and disclosed it to Verizon, which believes none of the data was actually stolen.

But the incident does show how easily S3 storage can be misconfigured. Detectify Labs, which offers an automated website vulnerability checking service, has created a tutorial on what admins should do. It calls S3 "a Dropbox for IT and tech teams," and as any infosec pro knows, temporary cloud storage like Dropbox can be a security nightmare.

To start at the beginning, Detectify points out that the S3 bucket name is not a secret, and there are many ways to figure it out. Once an attacker knows it, there are multiple misconfigurations that can be used to either access or modify information. By using the AWS Command Line Interface to talk to Amazon's API, the attacker can list and read files in the bucket, write or upload files to it, or change the access rights on all objects and control the content of the files. Full control of the bucket does not by itself give the attacker read access to every object, the blog notes, but it does let them control the content.

Detectify identifies particular problems and makes a number of recommendations to admins, including making sure the WRITE and WRITE_ACP permissions are granted only to specific users, never to groups such as AllUsers or AuthenticatedUsers.
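The ACL misconfigurations described in the two paragraphs above can be checked for mechanically. The following is an added example, not code from the article or from Detectify: it parses ACL documents in the shape returned by `aws s3api get-bucket-acl` and flags any grant to the AllUsers or AuthenticatedUsers groups, ranking WRITE_ACP and FULL_CONTROL as the most severe. The bucket names and the ACL documents below are constructed sample data; the group URIs and permission names are the ones S3 itself uses.

```python
import json

# Group URIs that S3 uses for "everyone" and "any AWS account". A grant to
# either of these is public, regardless of the bucket's name being "secret".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Grants that let a public grantee rewrite objects or the ACL itself are
# rated above read-only grants: WRITE_ACP lets an attacker give themselves
# any other permission, which is why the article singles it out.
SEVERITY = {
    "FULL_CONTROL": "critical",
    "WRITE_ACP": "critical",
    "WRITE": "high",
    "READ_ACP": "medium",
    "READ": "medium",
}


def find_public_grants(acl):
    """Return (group, permission, severity) for every grant to a public group.

    `acl` is a dict in the shape of `aws s3api get-bucket-acl` output:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are specific principals
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue  # e.g. the LogDelivery group, which is not a public grantee
        permission = grant["Permission"]
        findings.append((group, permission, SEVERITY.get(permission, "unknown")))
    # Most severe first so the worst bucket-wide problem is reported at the top.
    order = {"critical": 0, "high": 1, "medium": 2, "unknown": 3}
    findings.sort(key=lambda f: order[f[2]])
    return findings


def audit_buckets(acls):
    """Map bucket name -> ACL document; return only the buckets with public grants."""
    report = {}
    for name, acl in acls.items():
        findings = find_public_grants(acl)
        if findings:
            report[name] = findings
    return report


# Constructed sample: two buckets, one of them badly misconfigured.
OWNER = {"DisplayName": "example-owner", "ID": "constructed-canonical-id"}
SAMPLE_ACLS = {
    "example-public-assets": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE_ACP"},
        ],
    },
    "example-private-backups": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
        ],
    },
}


if __name__ == "__main__":
    # In practice the ACL documents come from:
    #   aws s3api get-bucket-acl --bucket <name>
    # fed through json.load(); here the constructed samples stand in for that.
    for bucket, findings in audit_buckets(SAMPLE_ACLS).items():
        for group, permission, severity in findings:
            print(f"{severity.upper():8} {bucket}: {permission} granted to {group}")
    print(json.dumps(audit_buckets(SAMPLE_ACLS), indent=2))
```

Run against real output, the script would flag `example-public-assets` for the WRITE_ACP grant to AllUsers (critical) and the READ grant to AuthenticatedUsers (medium), and stay silent on the backups bucket, whose only group grant is to the LogDelivery group. The same check applies to per-object ACLs via `aws s3api get-object-acl`, since the article notes WRITE_ACP is dangerous on both buckets and objects; resetting a bucket with `aws s3api put-bucket-acl --bucket <name> --acl private` removes all public group grants at once.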

“It’s clear after this research that this problem is widespread and hard to identify and completely solve,” warns the vendor, “especially if the company uses a huge amount of buckets, created by different systems. WRITE_ACP is the most dangerous one for reasons mentioned, both on buckets and object.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]