Leaky AWS S3 buckets have been spilling confidential information onto the public internet for years, and now anonymous hackers have created a search engine to make finding those exposed secrets even easier.
New on the scene is “BuckHacker.” The name is a portmanteau of “bucket” and “hacker”: buckets are the containers of data within Amazon Web Services Simple Storage Service (S3), and the tool exists to hack them.
It is a tool designed to allow easy searching of information publicly available in AWS S3. It’s like a Google search just for S3, where up to seven percent of S3 buckets contain public data, according to recent research.
Although previous tools and techniques have been published for finding accidental S3 exposures, BuckHacker is notable for making the process simple, which leads us to our titular question: what are you doing today to keep the confidential data stored in your AWS S3 account private?
If you don’t have a firm answer to the question, there’s a good chance you could find yourself in the headlines as another data dump is discovered.
AWS S3 access control configuration is incredibly complex, and accidental public exposure is all too easy to allow. Every change to access control lists (ACLs) or the bucket policy can cause previously private data to become public. We went into deep detail on the complex nature of S3 access control in a previous post on preventing AWS storage breaches.
The perfect storm is created when configuration complexity is met with tools like BuckHacker, which make it easy for even non-technical attackers to find the leaks in your buckets.
What should you be doing about it? At a minimum, you must manually evaluate, on a continual basis, all of the ACLs and bucket policies that affect access to your S3 storage.
Use the principle of least privilege and do not over-grant access. A common mistake is granting access to the “Authenticated Users” group, which is effectively public: it gives access to every AWS user in the world, not just those in your own organization.
You should also continuously check for the public notification icon within the S3 dashboard, as this notification can alert you to an accidental exposure.
However, be warned. Although the AWS S3 dashboard performs an analysis of the access control mechanisms and will attempt to display a notification if your S3 buckets and objects are public, our testing has shown that the S3 public access notification is not always accurate.
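As an added example (not code from the original post or from Tripwire’s tooling), the following Python audit applies the advice above to the two mechanisms the post names: it flags ACL grants to the AllUsers and AuthenticatedUsers groups, and bucket-policy Allow statements whose principal is everyone. It assumes the dict and JSON-string shapes that boto3’s `get_bucket_acl()` and `get_bucket_policy()` return; the sample ACL and policy are constructed so the script runs offline.

```python
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# A grant to either group is public: AllUsers is anonymous, AuthenticatedUsers is every AWS account.
PUBLIC_GROUPS = {ALL_USERS: "anonymous", AUTH_USERS: "any AWS account"}

def public_acl_grants(acl):
    """(who, permission) per public grant; acl is shaped like boto3's get_bucket_acl() response (assumed)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """(Sid, kind) per Allow-to-everyone statement; 'conditional' means review the Condition by hand."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be bare rather than in a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            kind = "conditional" if "Condition" in stmt else "unconditional"
            findings.append((stmt.get("Sid", f"statement-{i}"), kind))
    return findings

# Constructed sample data standing in for real get_bucket_acl()/get_bucket_policy() output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}
RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": RES, "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": RES}]})
if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL))            # [('any AWS account', 'READ')]
    print(public_policy_statements(SAMPLE_POLICY))  # [('PublicRead', 'unconditional'), ('VpcOnly', 'conditional')]
```

Run the same two functions over every bucket and object returned by the real API calls; a non-empty result from either is exactly the accidental exposure the dashboard icon may or may not show you.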
A tool like the Tripwire Enterprise Cloud Management Assessor can automatically assess your AWS S3 buckets and objects to determine whether they are exposed to anonymous access, and it can report on objects that have newly become exposed, as happens after an accidental access policy change.
The Cloud Management Assessor will scan each of the buckets and objects you have stored in Amazon S3 to retrieve metadata, file contents, policy and access control information. It will also monitor each of these gathered values for changes.
For a definitive test, the Cloud Management Assessor can even perform HTTP requests against each object in your S3 account to ensure you have complete knowledge of what is exposed and what isn’t.
We are unlikely to stop seeing AWS S3 data leaks anytime soon, especially with ever greater cloud adoption and tools like BuckHacker to exploit misconfigurations. AWS S3 access control is complex, and you must continuously evaluate the exposure of your private data in order to avoid becoming BuckHacked.