Security researchers have identified publicly accessible S3 storage buckets belonging to at least one high-profile organization. While this is a legitimate concern, it is also a timely opportunity for all cloud administrators to revisit their own security policies and take action. Security for Amazon Web Services, like most cloud platforms, follows a “Shared Security Model”: AWS provides secure hardware, software, and data centers, and customers are expected to configure their own resources according to best practices. This is a lot like a contractor who installs a door with a strong lock; the homeowner is still expected to turn the key.
In the most recent example, Deep Root Analytics stored the data of nearly 200 million voters on an S3 bucket. However, Deep Root did not follow best practices and protect that data using even a simple password, let alone encryption, as Amazon offers and recommends. This is the kind of rookie mistake that could have easily been caught by CloudCheckr’s Best Practice Checks. Instead, Deep Root Analytics relied on “Security through Obscurity,” assuming that if hackers didn’t have the web address of the data, it was safe. This is like leaving your door closed but unlocked.
That didn’t stop cybersecurity experts from simply leveraging Google or “brute force” techniques to access the proprietary information. Estimates are that during the first two weeks of June, data was exposed from 198 million U.S. citizens. The security researchers acted swiftly to alert Deep Root, but hackers could have accessed it just as easily.
The founder of Deep Root took “full responsibility for this situation,” but the damage is done. This incident demonstrates that even data experts can get it wrong, and how important it is to have an automated, self-healing, security checking platform in place to prevent such events from happening.
While the S3 buckets in this case were exposed to the public, locking them down to just the “Authenticated Users” group can be dangerous as well. That group is not limited to your own users, so it creates a false sense of security: a hacker could still get in through that back door. CloudCheckr’s Best Practice Checks also cover List, Update, and Delete permissions, which could have let hackers corrupt the data as well as read it.
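The point above is worth making concrete, because the two grantee groups look similar but are both effectively external. Below is an added example (not CloudCheckr’s tool or any code from the original post) that audits a bucket ACL in the shape returned by boto3’s `get_bucket_acl()` and reports every grant to the AllUsers group (anonymous access, the Deep Root situation) or the AuthenticatedUsers group (any AWS account holder, not just your own), translated into what each ACL permission actually lets the grantee do, which covers the List, Update, and Delete cases the text mentions. The sample ACLs are constructed for illustration; the owner ID is a placeholder.

```python
"""Audit S3 bucket ACLs for grants to the two predefined global groups.

Added example, not the page's or CloudCheckr's own code. It inspects an ACL
dict shaped like the response of boto3's ``s3.get_bucket_acl(Bucket=...)``
and flags grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS
account). No network calls are made; the sample ACLs are constructed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

GROUP_NAMES = {
    ALL_USERS: "Everyone (anonymous)",
    AUTHENTICATED_USERS: "Any AWS account (AuthenticatedUsers)",
}

# What each bucket-level ACL permission lets the grantee do. Note that
# WRITE on a bucket covers both overwriting (update) and deleting objects.
PERMISSION_EFFECTS = {
    "READ": ["list objects"],
    "WRITE": ["create objects", "overwrite objects", "delete objects"],
    "READ_ACP": ["read the bucket ACL"],
    "WRITE_ACP": ["change the bucket ACL (escalate to full control)"],
    "FULL_CONTROL": ["list objects", "create objects", "overwrite objects",
                     "delete objects", "read the bucket ACL",
                     "change the bucket ACL (escalate to full control)"],
}


def audit_bucket_acl(acl):
    """Return one finding per grant to a global group.

    ``acl`` has the structure of a get_bucket_acl response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...},
                                  "Permission": "READ"}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name a specific account, not a group
        uri = grantee.get("URI")
        if uri not in GROUP_NAMES:
            continue  # e.g. the LogDelivery group, which is not a public grant
        perm = grant.get("Permission")
        findings.append({
            "group": GROUP_NAMES[uri],
            "permission": perm,
            "allows": PERMISSION_EFFECTS.get(perm, ["unknown permission"]),
            "anonymous": uri == ALL_USERS,
        })
    return findings


def is_exposed(acl):
    """True if anyone outside the owning account can read or modify the bucket."""
    return bool(audit_bucket_acl(acl))


def _group_grant(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


# Constructed sample ACLs; "EXAMPLE-OWNER-ID" is a placeholder canonical ID.
OWNER_ID = "EXAMPLE-OWNER-ID"
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
               "Permission": "FULL_CONTROL"}

PRIVATE_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}
PUBLIC_READ_ACL = {"Owner": {"ID": OWNER_ID},
                   "Grants": [OWNER_GRANT, _group_grant(ALL_USERS, "READ")]}
AUTH_WRITE_ACL = {"Owner": {"ID": OWNER_ID},
                  "Grants": [OWNER_GRANT,
                             _group_grant(AUTHENTICATED_USERS, "WRITE"),
                             _group_grant(AUTHENTICATED_USERS, "READ_ACP")]}

if __name__ == "__main__":
    for name, acl in [("private", PRIVATE_ACL),
                      ("public-read", PUBLIC_READ_ACL),
                      ("authenticated-write", AUTH_WRITE_ACL)]:
        print(f"{name}: exposed={is_exposed(acl)}")
        for f in audit_bucket_acl(acl):
            print(f"  {f['group']} has {f['permission']}: {', '.join(f['allows'])}")
```

To run it against a real account, feed the output of `boto3.client("s3").get_bucket_acl(Bucket=name)` into `audit_bucket_acl`; the function deliberately treats an AuthenticatedUsers grant as a finding rather than as “locked down,” and it reports WRITE and WRITE_ACP separately so that an update/delete exposure is not hidden behind a read-only check.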
Fortunately, CloudCheckr has developed a free tool that anyone can use to check the status of their AWS S3 buckets. Visit CloudCheckr S3 Breach Check and type or paste in the URL of your bucket. The tool will tell you if your S3 bucket is publicly accessible or not. This critical insight is free and open to anyone, giving you just a glimpse of the value of using CloudCheckr.
“This time it was S3 buckets,” CloudCheckr founder Aaron Newman notes. “Next time it could be a different misconfiguration or a different cloud platform. CloudCheckr incorporates over 450 Best Practice Checks to keep your business secure and out of the headlines, at least for the wrong reasons.” Get started with a free 14-day trial to experience CloudCheckr’s full suite of Best Practice Checks and more.