Leaky Amazon S3 Buckets: Challenges, Solutions and Best Practices

Thomas Cappetta

Amazon Web Service (AWS) S3 buckets have become a common source of data loss for public and private organizations alike. Here are five solutions you can use to evaluate the security of data stored in your S3 buckets.

For business professionals, the public cloud is a smorgasbord of micro-service offerings which provide rapid delivery of hardware and software solutions. For security and IT professionals, though, public cloud adoption represents a constant struggle to secure data and prevent unexpected exposure of private and confidential information. Balancing these requirements can be tricky, especially when trying to adhere to your organization’s unique Corporate Information Security Policies and Standards.

Amazon Web Service (AWS) S3 buckets have become a common source of data loss for public and private organizations alike. Industry researchers and analysts most often attribute the root cause of these losses to misconfigured services, vulnerable applications and tools, wide-open permissions, and/or the use of default credentials.

Recent examples of data leaks from AWS storage buckets include:

Data leakage is only one of the many risks presented by misuse of AWS S3 buckets. For example, attackers could potentially replace legitimate files with malicious ones for purposes of cryptocurrency mining or drive-by attacks.

To make matters worse for organizations (and simpler for hackers), automated tools are available to help find insecure S3 buckets.

How to protect data stored in AWS S3 buckets

Going back to the basics provides the most direct path to protecting your data. Recommended best practices for S3 buckets include always applying the principle of least privilege, using IAM policies together with resource-based controls (bucket policies and bucket ACLs).

Another best practice is to define a clear strategy for bucket content by taking the following steps:

  • Creating automated monitoring, auditing and remediation of S3 bucket security changes via CloudTrail, CloudWatch and Lambda.
  • Creating a bucket lifecycle policy to transfer old data to an archive automatically based on usage patterns and age.
  • When creating new buckets, applying encryption by default via server-side encryption (SSE-S3/SSE-C/SSE-KMS) and/or client-side encryption.
  • Creating an S3 inventory list to automatically report inventory, replication and encryption status in an easy-to-use CSV / ORC format.
  • Testing, testing and testing some more to make sure the controls mentioned above have been implemented effectively and the data is secure.

Here at Tenable, I have researched five additional solutions you can use to evaluate the security of data stored in S3 buckets. These five solutions, when implemented correctly and incorporated into daily operational checklists, can help you quickly assess your organization’s cyber exposure in the public cloud and help you determine next steps for securing your business-critical data.

  • Amazon Macie: Automates data discovery and classification. It uses artificial intelligence and a rules engine to classify files stored in S3, identifying application data, correlating file extensions with predictable data themes, and applying strong regex matching to determine data types; it also surfaces CloudTrail events, errors and basic alerts.
  • Security Monkey: An open-source solution from Netflix, available on GitHub, that implements monitoring, alerting and an auditable history of cloud configurations across S3, IAM, Security Groups, Route 53, ELBs and SQS.
  • Amazon Trusted Advisor: Flags insecure buckets as one of the several checks it performs.
  • Amazon S3 Inventory Tool: Produces a CSV or ORC report that aids in auditing the replication and encryption status of objects in S3.
  • Custom S3 bucket scanning solutions: Scripts available on GitHub can be used to scan and check specific S3 buckets. These include kromtech’s S3-Inspector and sa7mon’s S3Scanner. In addition, avineshwar’s slurp clone monitors certstream and enumerates S3 buckets for each domain it sees.
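As an added example (not code from this post or from any of the tools named above), here are the three checks a custom bucket scanner of this kind typically runs, and that the "testing, testing and testing" step of the best-practice list asks you to verify: ACL grants to the AllUsers/AuthenticatedUsers groups, bucket-policy Allow statements with a wildcard principal, and missing default server-side encryption. The inputs are constructed dicts in the shape boto3's get_bucket_acl, get_bucket_policy (its Policy string) and get_bucket_encryption return, so the example runs offline without AWS credentials; the bucket name, policy Sid and ARN are placeholders.

```python
import json
# Predefined-group URIs that make an ACL grant readable by everyone or by any AWS account.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(x):  # IAM policy fields may be a single value or a list
    return x if isinstance(x, list) else [x]

def acl_findings(acl):
    """(group, permission) pairs granted to a public group in a GetBucketAcl response."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

def policy_findings(policy_json):
    """(Sid, actions) of unconditional Allow statements with Principal '*' in a bucket policy."""
    if not policy_json:  # no bucket policy attached
        return []
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")  # either the string "*" or {"AWS": ...}
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if st.get("Effect") == "Allow" and "*" in _as_list(aws) and "Condition" not in st:
            hits.append((st.get("Sid", "<no Sid>"), _as_list(st.get("Action", []))))
    return hits

def encryption_enabled(encryption):
    """True if a GetBucketEncryption response sets a default SSE algorithm (SSE-S3 or SSE-KMS)."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules)

def audit_bucket(name, acl, policy_json, encryption):
    """Run all three checks for one bucket and return human-readable findings."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in acl_findings(acl)]
    findings += [f"{name}: policy statement {sid} allows {','.join(acts)} to any principal"
                 for sid, acts in policy_findings(policy_json)]
    if not encryption_enabled(encryption):
        findings.append(f"{name}: no default server-side encryption configured")
    return findings
# Constructed sample responses for a deliberately misconfigured bucket (placeholder values, not real data).
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":  # None models get_bucket_encryption raising because no default is set
    print("\n".join(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, None)))
```

Feeding the real responses from a boto3 S3 client into audit_bucket for each bucket returned by list_buckets turns this into a daily audit job.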

With the business demanding speed and ease of use, we expect to see the continued evolution of applications, systems and infrastructure away from on-premises data centers secured behind highly segregated networks to cloud-based “X-as-a-Service” architectures. The solutions and guidance highlighted above will help you identify security gaps in your environment and bootstrap solutions to automate resolution, alerting and auditing, thereby helping you meet your organization's Corporate Information Security Policies and Standards.

Published on Aug 9, 2018