The cloud is a wonderful thing for CIOs — as long as its resources are used in ways that follow the enterprise’s security protocols. When administrators make configuration mistakes they can be serious.
That’s what some organizations have recently found when staff using Amazon Simple Services (AWS S3) storage buckets failed to properly secure the containers and allowed external access to the data. One of the victims was Verizon Communications. Thanks to a misconfigured repository created by an Israeli partner, subscriber information on at least 6 million U.S.-based Verizon customers was potentially publicly available. A researcher discovered the hole and disclosed it to Verizon, which believes none of the data was actually stolen.
But the incident does show how sensitive configuring S3 stores is. Detectify Labs, which offers an automated Web site vulnerability checking service, has created a tutorial on what admins should do. It calls S3 “a Dropbox for IT and tech teams,” and as any infosec pro knows temporary cloud storage like Dropbox can be a security nightmare.
To start at the beginning, Detectify points out that the S3 bucket name is not a secret, and there are many ways to figure it out. Once an attacker knows it, there are multiple misconfigurations that can be used to either access or modify information. By using the AWS Command Line to talk to Amazon’s API, the attacker can get access to list and read files in S3 bucket, write/upload files to S3 bucket or change access rights to all objects and control the content of the files. While full control of the bucket does not mean the attacker gains full read access of the objects, the blog notes, they can control the content.
Detectify identifies particular problems and makes a number of recommendations to admins, including making sure WRITE and WRITE_ACP parameters are only set on specific users, never on groups such as AllUsers or AuthenticatedUsers.
“It’s clear after this research that this problem is widespread and hard to identify and completely solve,” warns the vendor, “especially if the company uses a huge amount of buckets, created by different systems. WRITE_ACP is the most dangerous one for reasons mentioned, both on buckets and object.”