Page 93 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”


How Did These S3 Buckets Get Exposed?

Often, the S3 bucket configuration is simply incorrect. The permissions on the created container may have been too broad, allowing anyone to access the data. Again, these S3 buckets may have been serviced by people who aren’t familiar with security, so the developer who created the container did not know how to properly secure it, or it was something as simple as an oversight. For example, in Spyfone’s case, a developer may have been troubleshooting an issue that was causing an application to fail and suspected that S3 bucket access was to blame. The developer may have tweaked the S3 configuration, leaving it open to the public, and once the application began working again, moved on to another project. Now they have an exposed S3 bucket. As in the case of GoDaddy, it may not even have been the developer’s fault, as someone else may have altered the bucket’s configuration at a later date for any number of reasons. The point is that so many organizations are made vulnerable because many of them don’t have processes that prevent insecure software deployments.







How Do Organizations Avoid S3 Bucket Leaks?

For starters, as the AWS representative told Engadget, these organizations could simply have done nothing. Amazon S3 buckets are private by default and can only be accessed by users who have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key, so someone has to actively misconfigure an S3 bucket to expose the data.



Amazon has been actively working to help companies avoid breaches caused by misconfiguration. In November 2017, AWS added a number of new Amazon S3 features to augment data protection and simplify compliance. For example, they made it easier to ensure encryption of all new objects and to monitor and report on their encryption status. They have also provided guidance on approaches to combat this issue, like the use of AWS Config to monitor for and respond to S3 buckets allowing public access.



As the most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities. Ensure that you are always purposefully using S3 access policies to define who can access the objects stored within. Ensure your team is well trained never to open access to the public unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.
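To make the "monitor for buckets allowing public access" idea concrete, here is an added example (not from the magazine or from AWS) of the core check an AWS Config rule or review script performs: it inspects a bucket policy and its ACL grants for the two ways a bucket is commonly opened to everyone, an unconditional `Allow` to `Principal "*"` and an ACL grant to the `AllUsers` or `AuthenticatedUsers` group. The policy, ACL grants, bucket name and account ID below are constructed samples; a real deployment would feed in the output of `GetBucketPolicy` and `GetBucketAcl` instead.

```python
import json
# ACL grantee groups that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers)
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def principal_is_public(principal):
    """True if a bucket-policy Principal matches anyone: "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of unconditional Allow statements open to any principal; Deny and conditioned
    statements are skipped because they need human review rather than an automatic flag."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and principal_is_public(s.get("Principal"))]

def public_acl_grants(grants):
    """(grantee URI, permission) pairs for ACL grants to the public or authenticated groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def assess_bucket(policy_json, grants):
    """A bucket is public if EITHER the policy OR the ACL opens it; both must be checked."""
    stmts, acl = public_policy_statements(policy_json), public_acl_grants(grants)
    return {"public": bool(stmts or acl), "policy_statements": stmts, "acl_grants": acl}

# Constructed sample (not from any real account): a troubleshooting "open it up" statement
# left behind next to a legitimate role grant, plus an AllUsers READ grant on the ACL.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DebugOpenRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
```

Running `assess_bucket(SAMPLE_POLICY, SAMPLE_GRANTS)` flags the bucket as public through both paths, which is exactly the kind of finding AWS Config's managed S3 public-access rules would raise for remediation.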