AWS S3 — The Misconfiguration Champ

When people think of Amazon, they think of fast delivery, cheap prices, and a limitless inventory of things to buy. Still, to this day, many don’t know that Amazon is the cloud powerhouse that it is. In fact, the next Amazon CEO is Andy Jassy, the leader of Amazon Web Services (AWS) since its formal inception in 2006.

The AWS myth-making story is that excess e-commerce compute was re-purposed into consumable IT services. In reality, AWS was built from the ground up on a deliberate business model. The launch of Simple Storage Service (S3) in 2006 gave developers effectively unlimited storage without having to deploy new storage hardware, manage power and cooling, or deal with storage maintenance. With S3, data resides in the AWS cloud and is accessible whenever and wherever it is needed. Fast forward 15 years…

S3 — The Champ

Today, S3 remains one of the most successful and ubiquitous cloud services in history. Arguably, it is the most important cloud service of all time.

As the cloud storage heavyweight, holding over 100 trillion objects, S3 is also a top (possibly the top) target for cybercriminals. Hackers, cybercriminals and opportunistic thieves actively exploit S3. Although it is called the "simple" storage service, in my opinion there is real operational complexity, due to two primary factors:

  1. Fifteen years of feature additions (object and bucket ACLs, bucket policies, access points, and so on) have widened the S3 attack surface, each one bringing a new security layer that admins must understand and operate.
  2. Application, infrastructure, and security teams all hold admin capabilities to edit policies or security controls, so any one of them can inadvertently expose a bucket.

Twilio's S3 misconfiguration happened in a benign and yet common manner. S3 bucket permissions were changed to help resolve an issue, but were never changed back. Someone "forgot", or was never incentivized, to restore the original state.

Or, in this other hack, a site for folks who just want to share recipes exposed its data through poor S3 security.

S3 Safeguards

S3 security safeguards do exist. When you create a new bucket, the default behavior is to block all public access, and the same four settings can also be applied once at the account level so they cover every bucket in it.

The "Block all public access" default is actually a super-setting of four separate flags, each closing one route to public access: block new public ACLs on buckets and objects (BlockPublicAcls), ignore public ACLs that already exist (IgnorePublicAcls), block new bucket or access point policies that grant public access (BlockPublicPolicy), and restrict access through bucket or access point policies that are already public (RestrictPublicBuckets).

Assuming we deselected "Block all public access" during bucket creation, then when uploading objects to the new bucket we also assign permissions (an ACL) to each object uploaded.

And if "Grant public-read access" is selected, the console warns you that the object will be readable by anyone on the internet.

So what ultimately happens is one of two things: private data is placed in a bucket that is already open to the public, or the permissions on a bucket holding private data are changed to allow public access. Beyond public access, there are other controls that secure (or, when misapplied, weaken) S3 on the access protection and data protection fronts: IAM policies, encryption, object versioning, and others.
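The gating logic described above, as an added example that is not code from the original post or from AWS: a small offline Python model of how the four Block Public Access flags treat a public ACL grant and a public bucket policy, including the Twilio pattern from earlier, where a grant left behind after a troubleshooting session is neutralised the moment Block Public Access is turned back on. The four flag names and the two ACL group URIs are real S3 identifiers; the list of "restricting" condition keys is an assumed, simplified subset of the AWS definition of a public policy, and the sample ACL and policy documents are constructed for the example.

```python
"""Offline model of how S3 Block Public Access (BPA) gates public ACLs and
public bucket policies.  Added example; not AWS code.  The flag names and the
ACL group URIs are real S3 identifiers; the rule for what makes a policy
"public" is a simplified subset of the AWS definition (assumption)."""
import json

# Real S3 ACL group URIs. AWS treats grants to either as public for BPA purposes.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Assumption: simplified subset of the condition keys that make a Principal:"*"
# statement non-public in the AWS definition (the real list is longer).
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
    "aws:principalaccount", "aws:principalarn", "aws:userid",
    "s3:dataaccesspointaccount", "s3:dataaccesspointarn",
}

# What the console's single "Block all public access" checkbox expands to.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ALLOW_ALL = {flag: False for flag in BLOCK_ALL}


def acl_is_public(acl):
    """True if any grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            return True
    return False


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_restricting_condition(stmt):
    # Condition looks like {"StringEquals": {"aws:SourceVpce": "vpce-..."}}
    for keys in stmt.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in keys):
            return True
    return False


def policy_is_public(policy):
    """Simplified public-policy test: any Allow statement with a wildcard
    principal and no restricting condition key."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return any(
        s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not _has_restricting_condition(s)
        for s in stmts
    )


def evaluate(bpa, acl=None, policy=None):
    """Apply the four BPA flags to an ACL and/or bucket policy that already
    sit on the bucket.  Reports which flag fires and whether anonymous
    access could still succeed ("effectively_public")."""
    acl_public = acl is not None and acl_is_public(acl)
    pol_public = policy is not None and policy_is_public(policy)
    return {
        "acl_public": acl_public,
        "policy_public": pol_public,
        # a new public ACL / policy write would be rejected by these flags
        "would_reject_new_public_acl": bpa["BlockPublicAcls"],
        "would_reject_new_public_policy": bpa["BlockPublicPolicy"],
        # grants that already exist are neutralised by these flags
        "acl_ignored": acl_public and bpa["IgnorePublicAcls"],
        "policy_restricted": pol_public and bpa["RestrictPublicBuckets"],
        "effectively_public": (acl_public and not bpa["IgnorePublicAcls"])
                              or (pol_public and not bpa["RestrictPublicBuckets"]),
    }


# Constructed sample inputs; shape follows get-bucket-acl / get-bucket-policy output.
PUBLIC_READ_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": [PUBLIC_READ_ACL["Grants"][0]]}

PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPCE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})


if __name__ == "__main__":
    # The "forgot to change it back" pattern: BPA was switched off to debug,
    # a public-read ACL was applied, and BPA was never re-enabled.
    print(evaluate(ALLOW_ALL, acl=PUBLIC_READ_ACL)["effectively_public"])   # True
    # Re-enabling "Block all public access" neutralises the leftover grant
    # without anyone having to find it first.
    print(evaluate(BLOCK_ALL, acl=PUBLIC_READ_ACL)["effectively_public"])   # False
```

To run it against a real bucket, feed it the JSON from `aws s3api get-bucket-acl --bucket NAME`, `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-public-access-block --bucket NAME`; the account-wide settings come from `aws s3control get-public-access-block --account-id ID`. Treat the model as a reading aid only: AWS's own verdict on whether a policy is public is `aws s3api get-bucket-policy-status --bucket NAME`, which applies the full definition rather than the subset of condition keys assumed here.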

These misconfigurations remain a top concern for cloud executives as we continue through 2021.
