back to article Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets

Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts. The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want …

  1. jake Silver badge

    And the corporate world ...

    ... STILL doesn't understand that increasing the size of the attack surface is always detrimental to security. The mind absolutely boggles that people use clouds for anything remotely important.

    1. Headley_Grange Silver badge

      Re: And the corporate world ...

      If a company can't configure and use its cloud securely what makes you think it would be any better at securing its internal systems?

      1. Ken Moorhouse Silver badge

        Re: what makes you think it would be any better at securing its internal systems?

        Cloud marketing implies you can lay-off all those well-qualified IT staff clogging up the Overheads on the company's annual figures.

        Contrary to this, companies still need their IT staff.

        However, whether they will be inclined to work in an administrative, rather than a technical capacity is another matter. Having to spend hours dealing with reset password requests is not my idea of a fullfilling day's work.

      2. jake Silver badge

        Re: And the corporate world ...

        Shall we address one problem at a time, please? I was discussing increasing the size of the attack surface, not the abilities (or lack thereof) of the staff.

        1. Headley_Grange Silver badge

          Re: And the corporate world ...

          The vulnerability of the attack surface is a function of how big it is and how secure it is. If your security is perfect it doesn't matter how big the attack surface is because no one can get through it. If you've only got one point of attack and it isn't secure then you're at risk. Culture, risk management and funding priorities are the main drivers of good/bad security in most organizations and far more important than "technical" aspects like system design/partition, security policies and staff capabilities in deciding whether your confidential data end up being spaffed all over the web.

          1. yoganmahew

            Re: And the corporate world ...

            Well, not really. An on-premises data centre is securted by firewalls and gateways, often provided by external professionals. It takes some work (or F5 :|) to leave exploitable holes and even then those holes have to be exploited.

            Much cloud storage is individual, each bucket is a separate piece of infrastructure that needs to be individually secured. Failure to secure = no security. It literally takes no effort to see the contents of an unsecured S3 bucket (for example).

            You end up effectlively with hundreds or thousands of datacentres to secure.

            1. tip pc Silver badge

              Re: And the corporate world ...

              "An on-premises data centre is securted by firewalls and gateways, often provided by external professionals. It takes some work (or F5 :|) to leave exploitable holes and even then those holes have to be exploited."

              "firewalls and gateways, often provided by external professionals"

              why have you outsourced your firewall & gateway provision & security to external professionals? They may as well be in the cloud.

              Many things depend on what your incentive is. Internal IT are incentivised to ensure their operations perform correctly, 3rd parties are generally incentivised to ensure they are billing the customer for as much as possible.

        2. Doctor Syntax Silver badge

          Re: And the corporate world ...

          "I was discussing increasing the size of the attack surface, not the abilities (or lack thereof) of the staff."

          Actually, you framed it in terms of businesses understanding that. But it's not the business as some legal entity that understands things, it'sthe people who work there. It matters if that ability remains in the company after the PHBs have done their thing,

      3. Pascal Monett Silver badge

        Because internal IT is managed by someone who is responsible for IT security or has people to do that, whereas these buckets are thrown up by a clueless developer who didn't care enough ?

        1. Doctor Syntax Silver badge

          Or someone elsewhere in the business with a company credit card and an app they got somewhere.

        2. Mr.Nobody

          This is the real issue. Devs who come up with some grand idea and get PHB approval and run off and build something with no involvement with security or IT teams.

          They then stick credentials and PII in unsecured S3 buckets because they had to open up all the perms to get their app to work.

          Security/Compliance/IT teams have no opportunity to help, because the aren't involved.

        3. Steve K

          AWS Default setting is Publicly Inaccessible

          As others have already said:

          The AWS Default setting is Publicly Inaccessible (at least in recent times), so a deliberate effort has to be made - with lots of warnings - in order to make a bucket public.....

          It's possible that an incorrect Global policy might be in place of which a Developer might not be aware, but I'd still say that you have to try quite hard to make an AWS bucket public, since AWS are fully aware of the issues arising from this kind of misconfiguration and so defaults to fail-safe.

      4. Lee D Silver badge

        Re: And the corporate world ...

        If you can pay an outside entity to do the job securely and rent equipment to do it all, then you could afford to pay an internal team MORE, or be of better quality.

        Especially if all these people are doing is dumping your data in a unsecured bucket in the cloud.

        There's a reason I resist cloud-movement of data, and why I insist on keeping the most critical stuff in-house where we can see it, and know where it goes.

        It's all going to come back to bite you, and then Amazon / Azure / etc. are just going say "Your problem".

      5. Anonymous Coward
        Anonymous Coward

        Re: And the corporate world ...

        Internal systems (backends) wouldn't need to be visible to the internet in the first place.

    2. Potemkine! Silver badge

      And the corporate world ...

      is ruled by shareholders and accountants who see IT as a burden and a cost that as to be lowered to the max.

      Undersized crews, overloaded IT teams, outsourced jobs to the lowest bidder... how could it go bad?

      1. Graham Cobb Silver badge

        Re: And the corporate world ...

        Of course this is an IT site so moaning about management priorities is to be expected :-) But I actually know many companies where IT is highly valued, by the board and the shareholders, as an important strength, differentiator and enabler for reducing cost. And even in those who haven't particularly valued IT in the past, the recent spate of ransomware and other attacks is a big focus for the board of all plcs.

        For this issue, and security in general, I think the biggest problem is not cost reducing so much as timescale pressure causing a move to allowing unfinished projects to go into production. That allows things like "for the prototype I have put the key in the source directory - we need to remember to set up a secure way to distribute the keys before we go into production" to be forgotten.

        I think it is less about cost, or even cloud as such, and more about a management misunderstanding of things like Agile and DevOps causing an attitude of "we should let people start using the prototype to see whether we are on the right lines - do whatever operational hacks you need to get that running and we will fix it later". Of course, once the prototype is in use there are many, many, many bugs and change requests coming in and the team can never prioritise removing the temporary hacks.

      2. Anonymous Coward
        Anonymous Coward

        Re: And the corporate world ...

        As a corollary, when did you last hear of accountants being fired after a data breach? (Or anyone except for IT pond life).

        1. Graham Cobb Silver badge

          Re: And the corporate world ...

          Finance Directors sometimes are.

          In many companies IT reports into Finance. And Finance Directors are almost always fired after serious control problems in their domain -- that is, after all, their main job.

          Of course, it is very, very hard to know, unless you are an executive or a board member of such a company, because listed companies very rarely say "we fired our FD" because they don't want anyone to know there has been any problem. But it might be interesting to see how many companies that have had an IT problem have had their FD decide (completely voluntarily, of course) to seek other challenges 6 months later.

    3. Rich 11

      Re: And the corporate world ...

      It's a cost-benefit situation: lower costs, fewer benefits.

    4. hmv

      Re: And the corporate world ...

      On the plus side, it means I've got a job for life :)

      I sometimes semi-seriously suggest that I should work in a team with "insecurity" in the name rather than "security" to try and emphasise that security is part of everyone's job.

    5. Anonymous Coward
      Anonymous Coward

      Re: And the corporate world ...

      "The mind absolutely boggles that people use clouds for anything remotely important".

      But it's cheap! And easy!

  2. Anonymous Coward
    FAIL

    Outsourcing

    When you outsource all your expertise to Amazon, what do you expect?

    1. Ken Moorhouse Silver badge

      Re: When you outsource all your expertise to Amazon, what do you expect?

      Succinct. Like it.

    2. o p

      Re: Outsourcing

      Crappy cloud practices does not imply best on prem practice. S3 is perfectly secure when used correctly, certainly more secure than many on prem solutions.

      1. Version 1.0 Silver badge

        Re: Outsourcing

        And a machine gun is perfectly secure when used correctly too - that doesn't mean that we should be handing them out to kids.

        1. stiine Silver badge

          Re: Outsourcing

          I disagree. I would have killed for a Thompson machine gun when I was a kid.

          1. Qumefox

            Re: Outsourcing

            Probably would have killed with one, too.

      2. jake Silver badge

        Re: Outsourcing

        How can adding more potential attack vectors to corporate security be considered "more secure"? This is a problem over and above the abilities (or lack thereof) of the staff.

        1. Anonymous Coward Silver badge
          Facepalm

          Re: Outsourcing

          Amazon employ people whose role is explicitly to make their infrastructure secure (and pay them handsomely for it). Run-of-the-mill companies don't do such things.

          OK, they also give their customers the tools to defeat that security if they so choose, but that is not the default setting.

          So, AWS comes secure by default. (some) corporate IT drones would hook a windows server up to the internet with all ports open.

          A competent in-house tech however can still beat any cloud based setup.

        2. Doctor Syntax Silver badge

          Re: Outsourcing

          "This is a problem over and above the abilities (or lack thereof) of the staff."

          If the manglement sees moving its data centre to the cloud or the like as a means of saving money on staff who have the ability to secure their infrastructure, wherever taht may be, and can demand commensurate salaries, then the two are intertwined.

    3. Gene Cash Silver badge

      Re: Outsourcing

      Not Amazon's fault this time. Amazon themselves warn against this, and try to make it difficult. People still do it.

      1. hmv

        Re: Outsourcing

        It's the cloud equivalent of 'chmod 777 ...' just to get it working.

        1. Anonymous Coward
          Anonymous Coward

          Re: Outsourcing

          It's depressing the sort of hits you get googling "chmod 777"

          You'd expect lots of hits like DON'T DO THAT! but no.... :-(

          1. Qumefox

            Re: Outsourcing

            It's fine to do for troubleshooting. The issue stems from people treating it like the solution when it fixes things, rather than fixing the actual problem.

        2. Jay 2

          Re: Outsourcing

          Recentlyish I had to set up something to forward proxy logs to Symantec Manged Security Services where some Security Operations Centre lot could look at some sort of dashboard and tell us what nasty things were happening.

          The KB article advised creating a dir in /tmp with 777 permissions in which to store your proxy logs before being sent on via nxlog. I decided to not follow that advice and put something together that was a lot more palatable.

          Not something you'd expect to find in the official blurb for a security-based product.

      2. Anonymous Coward
        Anonymous Coward

        Re: Outsourcing

        I'm also not blaming Amazon, but the people mentioned in this article mention how they "contact Amazon so they can close the vulnerability".

        This imples that Amazon can tell whether a bucket is intentionally open, or just set up badly, so why don't they preempt the need to be contacted?

    4. tip pc Silver badge

      Re: Outsourcing

      Amazon haven't configured the buckets insecurely, its the people that have spun up those buckets that have deliberately made them insecure.

      There is blame but not Amazon to blame.

    5. bombastic bob Silver badge
      Unhappy

      Re: Outsourcing

      When you outsource all your expertise to Amazon, what do you expect?

      Me not being an expert on AWS cloud, I'd think you'd get "best practices".

      But maybe the inherent problem is a LACK of (or knowledge of, or proper documentation of, etc.) a list of properly defined "best practices" to begin with?

      And now I think I have a better understanding as to (maybe) why the US DoD isn't using AWS clouds...

      [I assume that it IS possible to configure things properly, so why aren't people doing it?]

      1. jake Silver badge

        Re: Outsourcing

        "so why aren't people doing it?"

        Because making it and keeping it secure makes it hard for the ignorant, untrained masses to use.

      2. Mike 137 Silver badge

        Re: Outsourcing

        "so why aren't people doing it?"

        In my experience, because once the "cloud" is adopted, the internal folks who previously managed security are typically "let go".

        One of my clients a while back actually TUPE'd its entire IT staff to the cloud provider they'd contracted with, expecting to get the same level of attention from them as when they worked exclusively for that client. Of course, my client was just another contract among many under the new arrangement.

        I had the unenviable job of trying to sort the mess out, and the only way would have been to engage an on-premise tactical IT security management team to oversee the outsource. However that thwarted the purpose, which was to minimise the IT overhead on the balance sheet.

        You get no more security than you deserve.

  3. Ramis101
    Mushroom

    Please tell me some of these were honeypots?

    Please tell me some of these "secrets!" were actually honeypots? and the entire business world hasn't gone cloudy mad?

  4. Doctor Syntax Silver badge

    Once enough businesses have been done over badly enough to show up as case studies in business schools it'll get sorted.

  5. Cynic_999

    But is this legal?

    Maybe searching for, downloading and analysing exposed data is in this case being done with good intentions, but does it not break the law? ISTM that no matter how lax the security, it still amounts to unauthorised access to a computer system. I might be stupid if I leave my car doors unlocked and the keys in the ignition - but if you drive it away without asking, that still makes you a car thief.

    1. Jim Mitchell

      Re: But is this legal?

      Nothing is stolen from its owner, so that car analogy fails.

      1. bombastic bob Silver badge
        Unhappy

        Re: But is this legal?

        never underestimate the ability of a 'gummint' to legislate common sense security and penetration analyses into "illegality" while simultaneously claiming it "protects" you.

  6. joker_morgan

    Percentages

    Hello,

    Wondering how many S3 buckets were looked at to find the 4000. To have any this open is obviously an issue, I would be interested in what the percentage is thoguh.

  7. Anonymous Coward
    Anonymous Coward

    When devs do ops, because ops were just slowing things down.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like