Increased attacker focus on exposed cloud services, specifically AWS Simple Storage Service (S3) Buckets

Issue

Amazon’s cloud-based Simple Storage Service buckets, colloquially referred to as “S3 buckets”, have been a recent focus of attackers and security researchers. With the advent of new open source and publicly available tools that search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets’ owners have inadvertently granted access to every user on the Internet.
Internet-accessible S3 buckets carry multiple risks. In cases of world-wide read-only access, the discoverers have found personally identifiable information (PII) and other sensitive data. In at least one case of world-wide write access, the discoverer found a production website serving its content directly from the bucket, such that any Internet user could alter the website’s content. A bad actor could drastically change the overall presentation of the site and would likely add hostile JavaScript code that would run in every visitor’s browser, such as key-loggers or crypto-coin mining clients. When discovered, this could ultimately reduce customer faith in the company that owns the S3-backed site.
In moving to cloud-hosted services, many organizations have failed to heed a widely repeated warning:
Organizations must secure and monitor cloud-based services just as strongly as traditional on-premise infrastructure.

Impact

The impact of exposed Amazon S3 buckets varies, depending on an organization’s adoption and configuration of Amazon’s cloud-based storage infrastructure:

Known adoption of Amazon S3: The risk level ranges from low to critical, depending on each bucket’s configuration for read/write access, the granularity of the accesses defined, the types of content stored, and the use cases for the stored content. The overall level of risk is determined by these factors and will differ for each individual bucket within an organization’s cloud infrastructure.

No known adoption of Amazon S3: The current risk is undefined and merits analysis to identify whether your organization is using S3; if it is, see above.

Recommendations

InGuardians recommends performing a self-assessment of existing S3 buckets using currently available tools, such as AWSBucketDump and BuckHacker. The results of these tools should then undergo a thorough inventory and risk analysis.

In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.
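The self-assessment above can be started from inside the account rather than from the outside-in search tools: the following script is an added example written for this advisory, not InGuardians' or Amazon's own code. It classifies a bucket's ACL grants to the two pre-defined public groups (AllUsers and AuthenticatedUsers) as read or write exposure, which maps directly to the read-only and write-access cases described in the Issue section; the sample ACL is constructed, and the live scan assumes boto3 with working credentials. Bucket policies are a second route to public access and are not evaluated here, so "ok" means "no public ACL grant", not "private".

```python
"""Classify an S3 bucket's ACL exposure; sample data below is constructed."""
from typing import Dict, List, Tuple

# Grantee URIs of the two pre-defined AWS groups that make a bucket "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "Any AWS account"}

# Permission names as returned by GetBucketAcl. WRITE, WRITE_ACP and FULL_CONTROL
# let an outsider change content or the ACL itself (the website-defacement case);
# READ and READ_ACP only disclose objects or the ACL.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_PERMS = {"READ", "READ_ACP"}


def classify_acl(grants: List[Dict]) -> Tuple[str, List[str]]:
    """Return (risk, findings) for a list of grants in GetBucketAcl format.

    risk is "critical" if any public group can write, "high" if one can only
    read, and "ok" if no public group is granted anything. Grants to individual
    users or the owner are ignored, since they are not world-wide access.
    """
    findings, risk = [], "ok"
    for grant in grants:
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission", "")
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        findings.append(f"{PUBLIC_GROUPS[grantee['URI']]}: {perm}")
        if perm in WRITE_PERMS:
            risk = "critical"
        elif perm in READ_PERMS and risk != "critical":
            risk = "high"
    return risk, findings


def scan_account() -> None:
    """Live inventory: list this account's buckets and classify each ACL."""
    import boto3  # imported here so the offline classifier works without it
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        risk, findings = classify_acl(s3.get_bucket_acl(Bucket=bucket["Name"])["Grants"])
        print(f"{bucket['Name']:40} {risk:8} {'; '.join(findings)}")


# Constructed sample ACL: the owner keeps FULL_CONTROL and AllUsers has READ,
# i.e. the world-wide read-only case from the Issue section.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

if __name__ == "__main__":
    print(classify_acl(SAMPLE_GRANTS))  # ('high', ['Everyone: READ'])
```

Run scan_account() with credentials for the account under review to produce a per-bucket list that can feed the inventory and risk analysis; any bucket reported "critical" or "high" should be treated as Internet-exposed until its grants are removed.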

Additional Resources

Tesla Cryptojacked by Currency Miners
https://nakedsecurity.sophos.com/2018/02/22/tesla-cryptojacked-by-currency-miners/

AWSBucketDump, an Open Source S3 Bucket Search Tool
https://github.com/jordanpotti/AWSBucketDump

BuckHacker, an S3 Search Engine
https://www.thebuckhacker.com/

AWS S3 Documentation: Which Access Control Method Should I Use?
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html#so-which-one-should-i-use

AWS Trusted Advisor
https://aws.amazon.com/premiumsupport/trustedadvisor/