{"id":3113,"date":"2018-02-26T12:38:14","date_gmt":"2018-02-26T19:38:14","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3113"},"modified":"2019-08-19T13:40:28","modified_gmt":"2019-08-19T20:40:28","slug":"increased-attacker-focus-on-exposed-cloud-services-specifically-aws-simple-storage-service-s3-buckets","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/increased-attacker-focus-on-exposed-cloud-services-specifically-aws-simple-storage-service-s3-buckets\/","title":{"rendered":"Increased Attacker Focus on Exposed Cloud Services, Specifically AWS Simple Storage Service (S3) Buckets"},"content":{"rendered":"
Issue<\/strong><\/p>\n Amazon\u2019s cloud-based Simple Storage Service Buckets, colloquially referred to as \u201cS3 Buckets\u201d, have been a recent focus of attackers and security researchers. \u00a0With the advent of new open source and publicly-available tools to search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets\u2019 owners have inadvertently granted access to every user on the Internet. Impact<\/strong><\/p>\n The impact from exposure of Amazon S3 is varied, depending on an organization\u2019s adoption and configuration of Amazon\u2019s cloud-based storage infrastructure:<\/p>\n Known adoption of Amazon S3: The risk level varies from low to critical, depending on individual bucket configuration for read\/write access, a granularity of defined accesses, types of content stored, and use cases for the stored content. The overall level of risk would be determined by these factors and will be different for each individual bucket within an organization\u2019s cloud infrastructure.<\/p>\n No known adoption of Amazon S3: The current risk is undefined, and merits analysis to identify whether your organization is using S3 and if it is – see above.<\/p>\n Recommendations<\/strong><\/p>\n InGuardians recommends performing a self-assessment of existing S3 Buckets using currently available tools, such as AWSBucketDump and BuckHacker. \u00a0Results of these tools should then undergo a thorough inventory and risk analysis.<\/p>\n In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.<\/p>\n Additional Resources<\/strong><\/p>\n Tesla Cryptojacked by Currency Miners<\/p>\n https:\/\/nakedsecurity.sophos.com\/2018\/02\/22\/tesla-cryptojacked-by-currency-miners\/<\/a><\/strong><\/p>\n AWSBucketDump, an Open Source S3 Bucket Search Tool<\/p>\n https:\/\/github.com\/jordanpotti\/AWSBucketDump<\/a><\/strong><\/p>\n BuckHacker, an S3 Search Engine AWS S3 Documentation: Which Access Control Method Should I Use? AWS Trusted Advisor<\/p>\n
\nInternet-accessible S3 buckets have multiple risks. In cases of world-wide read-only access, the discoverers have found personally-identifiable information (PII) and other sensitive data. In at least one case of world-wide write access, the discoverer found a production website hosting content directly from the bucket, such that any Internet user could alter the website\u2019s content. \u00a0A bad actor could drastically change the overall presentation of the site and would likely add hostile JavaScript code that would run in every visitor\u2019s browser, including key-loggers or crypto-coin mining clients. When discovered, this could ultimately reduce customer faith in the company owning the S3-backed site.
\nIn moving to cloud-hosted services, many organizations have failed to heed widespread warnings with this message:
\nOrganizations must secure and monitor cloud-based services just as strongly as with traditional on-premise infrastructure.<\/p>\n
\nhttps:\/\/www.thebuckhacker.com\/<\/a><\/p>\n
\nhttps:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/access-control-overview.html#so-which-one-should-i-use<\/a><\/p>\n