As AWS S3 becomes more attractive to customers, it also becomes a more exciting target for attackers. Today, we explore several real-life incidents of AWS S3 misconfigurations and data breaches. We also provide tips to help AWS customers securely configure their S3 buckets and prevent similar incidents from occurring.
AWS S3: Best Data Storage Service
AWS Simple Storage Service (S3), one of the most powerful and used services today, was launched to meet the storage needs of amazon.com in 2006. If we want to summarize most simply, this service has been used to store data for about 15 years. This data can be any text file, a photo, a code file, a backup file, in short, any kind of file we can think of. Since we can store different data types, AWS S3 is frequently used for various purposes including, backup and recovery, disaster recovery, data archives, data lakes for analytics, and hybrid cloud storage.
In addition to these, AWS aims to provide scalability, high availability, and low latency with 99.9% durability and between 99.95% to 99.99% availability with low cost for AWS S3. With these features, AWS S3 has become a powerful data storage service that can be quickly integrated into different architectural scenarios for customers.
What is AWS S3?
AWS Simple Storage Service (S3), was launched to meet the storage needs of amazon.com in 2006 and it has been used to store any kind of data including, text files, a photos, a code files, a backup files, and more.
As it becomes attractive for AWS customers, it becomes an exciting topic for attackers. Almost every day, we read news about data leaks. Data leaks are becoming extremely critical for companies if the necessary and correct AWS S3 configurations are not made.
According to data leak reports in 2020, almost 27 billion records are exposed. For this process, AWS has some role to play as well as customers. For example, AWS has changed its UI over time to provided more feedback and warnings when actions were to make private resources public. This has helped reduce the number of AWS S3 Buckets responsible for data leaks but, unfortunately, incidents involving these systems still happen.
In the section below, we have summarized some critical hacking news related to AWS S3. After these, let’s see together what we can do to prevent these AWS S3 hacks.
Cosmolog Kozmetik Data Breach – Jun 2021
Cosmolog Kozmetik is a Turkish firm that deals with the sale and shipping of beauty products. This June, WizCase’s security team found an extremely critical data breach in Cosmolog Kozmetik’s system. This data breach exposes users’ names, email addresses, physical addresses, phone numbers, and order details. However, no credit card information or password was found.
The data breach is also critical for user privacy and regulatory processes such as GDPR and KVKK. You can see some user credentials below:
So, how did this data breach happen? The security team has detected a misconfigured AWS S3 bucket. As all we know, there was no need for user credentials for getting bucket details from a public or misconfigured AWS S3 bucket. In addition to this, breached data is not encrypted with any keys on the server or client-side. With these misconfigurations, getting the user credentials is extremely simple. Sometimes one or two AWS CLI commands are enough for downloading all data.
To get all data breach details, you can check out the WizCase report.
Lehi Based Company Patient Data Records Breach – Feb 2021
In February, Premier Diagnostics’ approximately 52,000 patient records, including PII, were left exposed because of common cloud misconfiguration – AWS S3 Public Bucket. Also, Premier Diagnostics operates COVID-19 testing. To get tested, customers must submit pictures of their insurance ID cards and user ID cards. Attackers can access all that personal and private data with minimal effort. There is no authentication and authorization mechanism for getting patient data. If you got tested for COVID-19 from Premier Diagnostics, it is recommended to check future medical bills for any suspicious charges.
Also see: AWS IAM for Red and Blue Teams
Twilio JavaScript SDK Code Injection – Jul 2020
Twillo is the worlds leading cloud communication platform as a service company that allows software developers to programmatically make and receive phone calls, send, and receive text messages. In July 2020, they published a security incident report related to TaskRouter JS SDK code injection to affect their customers. With this code injection, users’ browsers load external URLs. So, how could this code injection happen? The answer is simple: Misconfigured AWS S3 buckets.
They said they have an AWS S3 bucket policy that has permission to read and write to that specific path. The AWS S3 bucket policy looks like below:
{
"Sid": "Twilio",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<S3 Bucket Name>"
}
After gaining read and write access to the AWS S3 bucket anonymously, attackers using the TOR anonymizing network put a modified version of taskrouter.min.js in the AWS S3 bucket path. As you see, in this case, there is not any data leak, but we could easily say attackers want to detect misconfigured AWS S3 buckets that are owned by large companies and use them for their financial gain.
Additional note: During the review, the Twilio team realized that this bucket path was added in 2015 with private write access. 5 months later, the team changed the bucket policy permissions (add public write access) to solve a development problem and never check the policy again.
PhotoSquared App Personal Data and Sensitive Photos Leak Jan 2020
PhotoSquared is a popular photography app available on iOS and Android. In February, researchers found an unprotected AWS S3 bucket that belonged to them. It includes over a million user records up to 94.7GB of data. Specifically, data leak includes sensitive information such as users’ photos uploaded for editing, PDF orders, etc. Besides the user photos, personal user data has been discovered such as the full names of users, addresses, and order values in USD.
This kind of data breach could affect customers in many ways including, online theft, credit card fraud, phishing, spyware/ransomware activities, etc. The exposed server is now offline, but the company has not shared anything about this data leak on its websites or social media accounts.
This article may interest you: Introduction to AWS Cloud Development Kit
How to configure secure AWS S3 Buckets?
As AWS customers, we should configure AWS S3 to prevent these issues. We prepared a list for you for this purpose:
- We should always follow the principle of least privilege.
- Blocking public access to all or some AWS S3 buckets is a company decision on data sensitivity, least privilege, and use case. We should always think of blocking public access as the first option.
- We should prevent unauthenticated write or read permissions with AWS S3 bucket policies.
- Encryption-at-rest should be configured for S3 buckets with AWS KMS keys.
- AWS S3 Bucket Policy should allow HTTP requests only.
- Multi-factor authentication (MFA) delete should be enabled.
- AWS CloudTrail should be used to monitor and detect unusual activity related to AWS S3.
- AWS Trusted Advisor should be used, it helps all customers better secure their data by providing the AWS S3 Bucket Permissions.
- AWS Macie should be used to gain visibility of your data security posture.
Conclusion
In this blog post, we summarized some real data breaches and misconfiguration scenarios related to the AWS S3 service. Also, we have provided a list of how to configure your AWS S3 buckets. We hope you find it helpful, thank you for reading.
If you need help securing your cloud infrastructure, don’t hesitate to check out our Cloud Security and Vulnerability Management services to stay secure.