It is very difficult today to find any security professional who has not yet faced the challenge of implementing a process, or even an entire secure architecture, on cloud solutions.
It is very likely that such a solution is designed to be deployed on AWS (Amazon Web Services).
Each of these professionals also has some history with Amazon S3 configuration or security flaws, often caused not by their own actions but by a lack of understanding or by a faulty configuration.
Amazon S3 (Simple Storage Service) is the storage service offered by Amazon within AWS; its storage units are known as buckets. They are incredibly versatile, which is one of their greatest benefits but also a problem when they are used and configured by inexperienced people.
By default, S3 buckets are created with privacy settings that classify their content as private. However, this content often needs to be shared with other people or systems, and that is when the problem arises.
Depending on the professional's level of knowledge or experience with this type of solution, misconfigurations can be made that put the data at risk.
Fragile configurations
In recent months, we have been following cases where fragile or simply wrong configurations have exposed a lot of data, which can lead the affected users to numerous problems.
In February 2020, researchers at VPNMentor reported a data leak that may have exposed private data from over 1000 consulting firms in the United Kingdom (UK).
In another incident, also in the UK, a video production company had data on its actors and on participants in advertising pieces leaked, again through a gap in an S3 bucket. And here it is worth reinforcing: the failure occurred not because the service has flaws, but because it was badly configured and adjusted.
The worrying issue is that we have been watching, with great apprehension, the growth of this type of leak, which may have been exploited for quite some time without the owner of the S3 bucket knowing.
User error
As we said before, by default the Amazon S3 service comes with access settings that keep the data private, which leads to some data being made public when a third party or an external application needs access to it.
This need can be met, and it is entirely possible to configure the service to deliver the information securely.
What is often observed is that the professional performing the configuration has not yet fully understood how the service works, or how to carry out such a configuration correctly, which involves several steps.
Clearly these errors are not committed intentionally; what we perceive as configuration failures are in fact failures that stem from an insufficient understanding of the service and its settings.
We are still at an early stage of the fully cloud-based working model, and we still have much to improve.
Amazon has a number of documents that we strongly suggest reading and understanding; these documents can be read here. They are a set of texts that bring valuable information about the service and how to implement security.
Consequences
It is easy to imagine that such a problem with AWS S3 can have serious consequences for the companies that hold this data.
The possibility of data being leaked in an environment where various data privacy laws are being implemented is a serious problem, and can lead companies to substantial financial loss.
If we stop thinking only about companies and put the data owner in focus, the consequences are also very big, because with this data attackers can carry out a series of scams.
However, the damage a leak can cause is very difficult to measure, because it depends on many other factors: the amount of individual data leaked, the type of data leaked, the attacker's interest, and so on.
What is certain is that if there is a leak, the impact on the owner of the data will be enormous, and consequently companies will suffer from it too.
As companies, what we have to remember is that the data under our responsibility is not really ours, and we need to keep it very secure.
We need to understand that if we cause any harm to anyone, we must bear the responsibilities and penalties that current legislation may impose on companies.
Remediation
First, we have to mention that the failures identified so far in Amazon's S3 service are not related to any fragility of the service itself, but to the lack of knowledge or the wrong configurations made by its users.
Therefore, some care should be taken.
As already mentioned, Amazon keeps detailed security material on its S3 service freely available, so that everyone interested in using the service can protect themselves adequately.
However, we can mention three basic actions:
- Make sure, when setting up S3, that you have left its status as “private” and, when necessary, add authentication protocols.
- Follow Amazon’s guidelines on proper access and authentication settings.
- Always add more security layers to your S3 to restrict who may or may not have access to your content.
This list is just a small reminder of what can be implemented and cannot be taken as a complete S3 secure configuration procedure. Always look for more information in Amazon’s own documentation.
The many data leaks through this service should not make you think about stopping using S3. They only show that you need to use and configure it correctly.
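As an added illustration of these three actions (not code from the original article, nor an AWS tool), the following Python script checks whether a bucket's ACL, bucket policy or Block Public Access settings leave its content exposed, and compares a leaky configuration with its hardened form. The inputs are constructed samples shaped like the AWS API responses; the bucket name, account ID and role ARN are placeholders.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}  # AWS group URIs that make an ACL public
# The four S3 Block Public Access settings; a bucket is only safe when all are True.
BLOCK_PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(acl, policy, public_access_block):
    """Return findings for one bucket (empty list = nothing public).
    acl: GetBucketAcl-shaped dict; policy: bucket policy decoded from JSON or None;
    public_access_block: PublicAccessBlockConfiguration dict or None."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for stmt in statements:
        # An unconditional Allow to everyone ("*" or {"AWS": "*"}) is a public bucket;
        # a wildcard principal that carries a Condition is narrower and left for review.
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})
                and not stmt.get("Condition")):
            findings.append(f"Policy {stmt.get('Sid', '?')} allows {stmt.get('Action')} to everyone")
    missing = [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not (public_access_block or {}).get(k)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings

# Constructed sample configurations (not real buckets): a leaky bucket and its hardened form.
LEAKY = dict(
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    policy={"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    public_access_block=None,
)
HARDENED = dict(
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    policy={"Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},  # placeholder
                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    public_access_block={k: True for k in BLOCK_PUBLIC_ACCESS_KEYS},
)

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, audit_bucket(**cfg) or ["no public access found"])
```

To run it against real buckets, feed it the responses of the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls for each bucket in the account.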
We believe that alerting our readers to this is one of our responsibilities with data protection and applications.
We hope this article has started a discussion about the best ways to use this service, which can be used in many ways and brings ease and practicality of construction to many architectures.