Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning light

After watching customer after customer screw up their AWS S3 security and expose highly sensitive files publicly to the internet, Amazon has responded. With a dashboard warning indicator. Simple, and hopefully effective. For months now we have been reporting on researchers finding open S3 buckets packed full of confidential …

  1. Anonymous Coward
    Anonymous Coward

    “accidentally left open” is incorrect...

    S3 buckets are private to an account *by default* when they are created (and have been since 2006). Users have to actively and deliberately modify permissions to make them accessible outside of their own account.

    http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html

    1. diodesign (Written by Reg staff) Silver badge

      Re: “accidentally left open” is incorrect...

      Apologies for being too generous. We wanted to give people the benefit of the doubt - Occam's razor and all that. If "accidentally" triggers you, just imagine the word "stupidly" in its place, instead.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: “accidentally left open” is incorrect...

        I am now triggered by you writing that something you wrote may have triggered something or someone somewhere. I need a safe space of safe spaces to retreat into. Can I configure this in S3? Don't say no, because denying is abuse.

    2. James R Grinter

      Re: “accidentally left open” is incorrect...

      It only takes use of a tool uploading an object with a “public” ACL to make some content public.

      It’s easily done: one of my colleagues had it happen with some autogenerated CI reports, not fully appreciating the significance of HTML in an S3 bucket that they could directly access via a web browser (it had a “complex” URL path, but required no authentication).

      You can write an S3 policy to prevent public ACLs on objects, at the expense of breaking tools like the above, but it’s hard (impossible?) to write one that enforces access to only IAM users from your account - unless you are willing to modify the policy for every user you add or remove.

    3. GnuTzu
      Megaphone

      Re: “accidentally left open” is incorrect...

      O.K., then why is stupid so popular? Or, is this something that when they need to make it available to a partner it's easy to screw up?

  2. jake Silver badge

    So basically an idiot light.

    It should work just as well as the ones in automobiles.

    (I borrowed the FIL's car once. The "check engine" light was on. Turned out to be 3.5 quarts oil low. An American V8, down to 1.5 quarts! When I asked him about it, he said he never pays attention to the lights on the dash because "They are only there to make money for the mechanics". I kid you not. Believe it or not, this guy has a Doctorate ... )

    1. Anonymous Coward
      Anonymous Coward

      Re: So basically an idiot light.

      Believe it or not, this guy has a Doctorate

      In stupidity?

      1. jake Silver badge

        Re: So basically an idiot light.

        Close. JSD. He was a judge for quite a few years, too (elected).

        <insert joke here>

        1. hplasm
          Coat

          Re: So basically an idiot light.

          "Close. JSD."

          Ah - a Doctor of JavaScript.

    2. Anonymous Coward
      Unhappy

      Re: So basically an idiot light.

      It always astonishes me (ok, irritates me) how people like him breeze through life unencumbered by bother, often because people like you pick up the slack. I'm with you: I'd have acted on the warning light. But he'll have got away with not doing so for years. For me, the day I didn't act on the light would've been the day the engine got ruined somewhere very public.

      1. Paul Mitchell
        WTF?

        Re: So basically an idiot light.

        Ah, the old Homer Simpson/Frank Grimes scenario...

      2. Missing Semicolon Silver badge

        Re: So basically an idiot light.

        But the Judge is, in some senses, right. Take the car in to a dealer, and they'd charge you $50 for the oil, then another $70 to plug in the diagnostic computer and cancel the light.

        1. alferdpacker

          Re: So basically an idiot light.

          Or... buy some engine oil for a few quid and pour it into the engine? Look for the little oil canister symbol.

          I last owned a car 10 years ago so I don't claim this information is up to date.

  3. Mark 85 Silver badge

    So are the "lights" and "warnings" only for new accounts or will they be retroactively fitted? Will anyone with an existing account/bucket bother to look at them? Will they change their setup? Given human nature... I suspect the answer is "no".

    1. Adam 52 Silver badge

      Retrospective.

      Yes.

      Yes. I fixed a misconfigured bucket yesterday (it was set to public list, private get so no risk of data loss and the bucket policy looked good but better to hide as much as possible).

  4. Anonymous Coward
    Thumb Up

    Seems sensible to me.

    ^ this.

  5. Timbo 1

    Non-story really

    As already mentioned, AWS have pretty much a deny-by-default policy across all their services. If companies are employing/outsourcing people to manage their cloud infrastructure that don't know what they're doing, that's their problem. I'm pretty certain AWS also warns before applying security settings if something is left open to the world as well.

    Additionally, anyone using a service like S3 should probably also be locking down access further with bucket policies, for example. If nothing else, to restrict the sources of the requests.

    Never underestimate the ability for idiots to create problems.
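As an added example, not taken from any comment in this thread, here is one bucket policy that combines the two controls raised above: denying uploads that carry a public canned ACL (James R Grinter's point about tools uploading with a "public" ACL) and refusing requests that do not originate from trusted address ranges (Timbo 1's point about restricting request sources). The bucket name `example-bucket` and the two CIDR ranges (RFC 5737 documentation addresses) are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicCannedACLsOnObjects",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read",
            "public-read-write",
            "authenticated-read"
          ]
        }
      }
    },
    {
      "Sid": "DenyRequestsFromOutsideTrustedRanges",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind. First, the `s3:x-amz-acl` condition only matches canned ACLs; a client can still grant `AllUsers` read through the explicit grant headers, which are evaluated under the separate `s3:x-amz-grant-read` and related condition keys, so a complete policy would deny those as well. Second, an explicit Deny with `"Principal": "*"` applies to every principal, including IAM users and roles in your own account, so the source-range statement will also block your own console or CI access from any network not in the list; that is exactly the "breaks tools" trade-off the thread describes, and the trusted ranges should be verified before the policy is applied.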
