After Australia’s 50k PII cloud leak, AWS launches leaky S3 buckets labels and warnings

  • Liam Tung (CSO Online)
  • 09 November, 2017 04:02
Public labels aim to help admins see which buckets are publicly accessible

Amazon Web Services (AWS) has rolled out an update to the AWS S3 Console that offers prominent labels showing which S3 buckets are publicly accessible. 

The new feature comes on the heels of a massive leak due to a misconfigured S3 bucket that exposed personally identifiable information (PII) and financial information on nearly 50,000 Australian government and private sector staff. 

The leak was due to an unnamed contractor incorrectly setting an S3 bucket as public. A breach would be worse if there are also no access controls placed on the files within public buckets. 

AWS announced the new “permissions checks” labels on Monday. The S3 Console now displays a yellow “Public” label next to each S3 bucket name if it is publicly accessible. A summary at the top of the page displays how many of the total number of buckets are “public”. 

This should make it more difficult for admins to accidentally leave a bucket public.

The “Public” indicator is also displayed beneath the permissions tab when looking inside a single bucket. The interface tells users whether it’s the Access Control List (ACL), the Bucket Policy or both causing a bucket to be publicly available. It also contains a general warning that AWS recommends admins never grant any kind of public access to an S3 bucket.  

Ensuring that S3 buckets with sensitive information are walled off from the public is a long-known challenge for AWS admins. Rapid7 in 2013 discovered that 1,951 of 12,328 identified S3 buckets were left open, providing public access to 126 billion files, including personal photos, sales records, staff information and more. 

As reported in July, AWS had notified several customers by email that their S3 bucket ACLs were configured to allow public access. That warning followed the discovery of accessible S3 buckets containing data on millions of Dow Jones customers and millions of Verizon customers.  

Researcher Chris Vickery also recently discovered leaky S3 buckets containing data about Accenture’s Cloud Platform and customers using it. 

AWS has recently updated its advice for S3 bucket public access, which explains the implications of different ACL policies and describes the difference between "READ" and "WRITE" access on public S3 buckets. READ access can reveal object names without necessarily revealing their contents, while WRITE access could allow anyone to modify or delete objects and use a customer's AWS resources. 
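The console check described above (whether the ACL, the Bucket Policy or both make a bucket public) and the READ/WRITE distinction can be approximated offline for auditing. The following is an added example, not AWS's own logic or code from the article: the function names are hypothetical, the inputs are assumed to have the shape of the S3 GetBucketAcl and GetBucketPolicy responses, and the policy test is a simplification that treats only unconditional wildcard Allow statements as public.

```python
import json

# Predefined S3 grantee groups that amount to public access.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_permissions(acl):
    """Permissions the ACL grants to a public group (e.g. READ, WRITE)."""
    return {
        g["Permission"] for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    }

def policy_is_public(policy_json):
    """Simplified assumption: Allow + wildcard principal + no Condition."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            return True
    return False

def classify_bucket(acl, policy_json=None):
    """Report whether a bucket is public and which control causes it."""
    perms = acl_public_permissions(acl)
    caused_by = (["ACL"] if perms else []) + (
        ["Bucket Policy"] if policy_is_public(policy_json) else [])
    return {
        "public": bool(caused_by),
        "caused_by": caused_by,
        "acl_read": bool(perms & {"READ", "FULL_CONTROL"}),    # object names listable
        "acl_write": bool(perms & {"WRITE", "FULL_CONTROL"}),  # objects modifiable
    }

# Constructed sample inputs, not real bucket configurations.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Calling `classify_bucket(SAMPLE_ACL, SAMPLE_POLICY)` reports both controls as causes, with public READ but no public WRITE through the ACL.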

AWS also rolled out a new control that enables admins to mandate that all objects in a bucket are encrypted by default.