Amazon Server Misconfiguration and IT Error Expose Hundreds of Millions of Users’ Data

In the wake of the devastating WannaCry and NotPetya ransomware attacks, it was hard to imagine any more negligence in the IT world. But just a few short weeks later, security researchers found misconfigured servers and bad defaults, coupled with simple IT errors, that exposed hundreds of millions of users’ personal information. Where did they find this information? Amazon. Yes, Amazon – the web service known for securely loading, storing, and moving large amounts of data.

A Bit of Background

Amazon S3, part of Amazon Web Services (AWS), provides utility storage for a variety of web apps. S3 is cost-effective, globally available and massively scaled, and it has essentially transformed the storage industry. S3’s architecture allows users and applications to access data in a seamless and efficient manner. To use S3, you define “buckets” where you want to store data, and each bucket gets its own URL. When a bucket is created, the default sharing permissions are set to private, meaning only the account owner that created the bucket can access it. But data is meant to be shared, so Amazon lets the user extend access to others by defining identity and access management policies.

There are different levels at which permissions can be set, providing flexibility to users. This seems beneficial, but many users are not configuring permissions on their buckets correctly, leading to insecurity through misconfiguration. The method for managing bucket permissions is not as intuitive as it could be, but reading them would probably have helped. Within the Web Services console, the only other sharing option available is “Public,” an option that Amazon tags as “Not Recommended”.
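The private-versus-public distinction described above can be checked mechanically. The following is an added example, not code from the original article or from Amazon: it inspects a bucket ACL and a bucket policy, in the JSON shape S3 returns them, for grants that reach beyond the owning account. The sample ACL, policy, bucket name and account ID are constructed, and the function names are hypothetical.

```python
import json

# Predefined S3 groups that make an ACL grant reach beyond the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def public_acl_grants(acl):
    """Return (permission, audience) for each ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append((grant["Permission"], PUBLIC_GROUPS[uri]))
    return findings

def _is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Return (sid, actions, conditional) for Allow statements open to any principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            findings.append((st.get("Sid", f"statement-{i}"), actions, "Condition" in st))
    return findings

# Constructed sample data in the shape of GetBucketAcl / GetBucketPolicy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "OpenRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "Partner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
]}""")
if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
```

A statement reported with the conditional flag set still needs a manual look, since the condition may or may not narrow the wildcard principal enough.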

Why is this so bad?

Some of the world’s largest companies are experiencing massive data breaches:

Breaches of this size, with buckets holding a large collection of sensitive information, can be catastrophic.

Who is to blame?

Both user error and Amazon share blame for the series of cloud data leaks. Imagine leaving your house and not locking the front door. Sure, a burglar holds some of the blame if you get robbed, but perhaps you should have taken a little more care in securing the house. IT administrators need to take more precautions when setting permissions to ensure that systems and data are appropriately protected. Reviewing bucket permissions before setting them would be a step in the right direction.

Due to the number of careless mistakes, though, Amazon has to accept some of the blame. They have followed up with a security alert to warn users and encourage them to review bucket permissions. It does raise awareness, but it doesn’t solve Amazon’s weak configurations. It also won’t prevent an IT admin from taking a shortcut or an outsider from discovering vulnerabilities.

Corporate Awareness Required

The possibility of an outsider uncovering company data should be the most important thing on IT’s mind. Defining checks and balances, identifying weaknesses and running vulnerability scans are best practices. They should be performed before and after a service is published or configuration is made. If you don’t have confidence in your IT department or provider to implement best practices, then you need to start giving marching orders.

These breaches will be topped in the future if the mindset of cyber resiliency across all platforms doesn’t become standard.
