Responding to the all-too-familiar news of compromised Amazon cloud storage, security researchers have begun leaving “friendly warnings” in AWS S3 accounts with exposed data or incorrect permissions.
The misconfiguration of access control on AWS storage “buckets” has been behind numerous high-profile data breaches, including those at Verizon, The Pentagon, Uber and FedEx.
Researchers have begun taking security notification into their own hands, with security advice left behind on publicly accessible storage.
These warning messages come in multiple forms from multiple sources, pointing to a plethora of interested parties performing these white hat notifications.
The messages range from the simple “Please fix this before a bad guy finds it” to more complex warnings about the consequences of exposed cloud storage.
Use of Amazon S3 for cloud storage has exploded in recent years as more and more organizations migrate to the cloud. The ease of purchase and use lends itself to quick projects that can often be left unmonitored after project completion.
This, combined with the complex nature of S3 access control, has led to many unused buckets being left forgotten and exposed.
Tools such as BuckHacker and AWSBucketDump make it easy for attackers to scan the AWS S3 storage service for publicly exposed data, and now those same tools are being used by security researchers in a defensive capacity.
By first using these tools to find exposed cloud storage accounts, defenders then upload files containing messages of warning and advice on security.
It is vital that you perform a check-up of your cloud security posture, doubly so if you see warnings or other suspicious behavior in your cloud accounts.
Tripwire has multiple tools to help secure your cloud infrastructure, from cloud storage file integrity monitoring to vulnerability management and breach detection in your cloud computing resources.
The Tripwire Enterprise Cloud Management Assessor can be used to automatically assess your AWS S3 buckets and objects to determine whether they are exposed to anonymous access, and it can also report on objects that have become newly exposed, as happens when access permissions are changed by accident.
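The two S3 exposure checks the post describes, anonymous-access assessment of buckets and objects, and alerting on objects that have newly become exposed between scans, can be expressed as a small audit routine. The following is an added example written for this page; it is not Tripwire's product code and not from the original post. It works offline on dictionaries shaped like the responses of the real S3 `GetBucketAcl`, `GetObjectAcl` and `GetBucketPolicy` APIs (the `AllUsers` and `AuthenticatedUsers` group URIs are the ones S3 actually uses); the bucket name, object keys, policies and ACLs in the sample data are constructed, and the `demo()` function is a hypothetical driver.

```python
"""Offline audit of Amazon S3 access control for anonymous exposure.

Added example (not Tripwire's product code, not from the original post).
Input dictionaries mirror the shapes returned by the S3 GetBucketAcl,
GetObjectAcl and GetBucketPolicy APIs; all sample data below is constructed.
"""
import json

# Group URIs that S3 uses for "everyone" and "any signed-in AWS user".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_grants(acl):
    """Permissions an ACL grants to the AllUsers/AuthenticatedUsers groups."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            perms.append(grant["Permission"])
    return perms


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def public_policy_statements(policy):
    """Unconditional Allow statements open to any principal.

    Accepts a dict or the JSON string GetBucketPolicy returns.  Statements
    with a Condition block are skipped: a condition such as aws:SourceVpce
    can narrow a wildcard principal, so those need a manual review.
    """
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def exposed_objects(bucket_policy, object_acls):
    """Sorted keys anonymous users can read via bucket policy or object ACL.

    Resource scoping inside policy statements is not evaluated: a wildcard
    s3:GetObject / s3:* grant is treated as covering every object, which is
    the conservative choice for an alerting tool.
    """
    policy_reads_all = any(
        action in {"s3:GetObject", "s3:Get*", "s3:*", "*"}
        for stmt in public_policy_statements(bucket_policy)
        for action in _actions(stmt)
    )
    exposed = set()
    for key, acl in object_acls.items():
        if policy_reads_all or READ_PERMISSIONS & set(public_grants(acl)):
            exposed.add(key)
    return sorted(exposed)


def newly_exposed(previous_report, current_report):
    """Keys exposed now that were not exposed in the previous scan (drift)."""
    return sorted(set(current_report) - set(previous_report))


# Constructed sample data in the S3 API response shape (hypothetical bucket).
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": [PRIVATE_ACL["Grants"][0],
                              {"Grantee": {"Type": "Group",
                                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                               "Permission": "READ"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]}


def demo():
    """Two scans of one constructed bucket; the second shows an object ACL drift."""
    scan1 = exposed_objects(SCOPED_POLICY, {"public/index.html": PUBLIC_READ_ACL,
                                            "backups/db.sql": PRIVATE_ACL})
    scan2 = exposed_objects(SCOPED_POLICY, {"public/index.html": PUBLIC_READ_ACL,
                                            "backups/db.sql": PUBLIC_READ_ACL})
    return scan1, scan2, newly_exposed(scan1, scan2)


if __name__ == "__main__":
    first, second, drift = demo()
    print("scan 1 exposed:", first)
    print("scan 2 exposed:", second)
    print("newly exposed: ", drift)
```

To run this against a live account, feed it the dictionaries boto3 returns from `get_bucket_acl`, `get_object_acl` and `get_bucket_policy` (the latter's `Policy` field is a JSON string, which `public_policy_statements` accepts directly) and persist each scan's result so the next run can call `newly_exposed`. The conditional-statement and resource-scoping simplifications are deliberate: the routine is meant to over-report and hand the ambiguous cases to a human, not to replace a full policy evaluator.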