Avoid This AWS Security Blunder, or Make The News

UPDATE 11/18/19: Added some additional notes to include mention of AWS Config, Zelkova, and some info about tools by Rhino Security Labs like Pacu (thanks to input by @andrewbrown!)

S3NakedInPublic: The Common Misconfiguration that Lands Companies in The Wrong Spotlight

Again and Again

Companies continue to make the news. Two, in particular, led to this post. One was a dating app, where private photos were publicly available for a year. fn1

They're being fined $240,000.

The second company? An IT firm:

"The leaky AWS S3 buckets contained information on Attunity's own operations, but also data from some of its customers – Fortune 100 companies like Ford, Netflix, and TD Bank." fn2

They Are Not Alone

These others may sound familiar, and they struggled with the same mistake (bold emphasis by the author of this article):

"The UpGuard Cyber Risk team can now report that 73 gigabytes of downloadable data belonging to Washington-based internet service provider Pocket iNet was publicly exposed in a misconfigured Amazon S3 storage bucket." fn3

"Once again, an Amazon S3 bucket with no specific authorization required, merely knowledge of the file path which is obviously stored in the app itself (returned via the API)...The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children." fn4

"The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed 'Red Disk.'...The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download. Unprotected storage buckets have become a recurring theme in recent data leaks and exposures." fn5

What Is Going On?

Reports have been steady for nearly the past decade. Some articles refer to it as a "leaky bucket." Others say a company was "leaving a server unsecured," or configuring online storage "without a password."

The service consistently cited? Amazon Simple Storage Service (S3). These articles continue referring to the very same misconfiguration of the S3 storage. It's an issue that will continue in pushing companies into an unwelcome spotlight.

Think of these buckets as file directories with a blatant label of PUBLIC allowing anyone to read, download, and at times even modify or delete data. This can be confusing when initially learning how S3 bucket policies and AWS IAM functionality works. For people with little experience, the ability to make a dreadful mistake becomes highly probable.

By default, S3 buckets are private. A person has to explicitly make it public for it to become that way. It can be the easy button for when someone is struggling with getting permissions to work. ACLs? IAM users, groups, and roles? Setting something to public will make everything flow smooth, and people may not realize that "public" means to the internet and not restricted to all the services within the AWS account.

Manually managing and tweaking access to buckets can result in punching holes to the outside world. Being aware of what's publicly accessible wasn't always very clear at a glance, with the console changing more each year.

Maybe it's tempting to invoke Nike and smack the keyboard while shouting, "JUST DO IT!"

There are legitimate cases where the user wants S3 public for read access, such as with static websites hosted in S3. Another example is an access point for downloads, such as PDF reports linked to for people to download. But outside of those examples? It is hard to find justification for public access.

Regardless of these standards, granting public access to an S3 bucket is done all the time. In 2013, a Rapid7 report mentioned finding almost 2,000 public S3 buckets. Imagine what that number is now, six years later! Some studies have shown that 7% to 10% of all S3 buckets (!!) are public, with ~20% of those public buckets even having write access. fn6

AWS has been working to change this.

What Can Be Done?

AWS has added bigger message banners in the console to try and grab an administrators attention. Last year, their news blog wrote about the new feature of Amazon S3 Block Public Access – Another Layer of Protection for Your Accounts and Buckets, mentioning the need:

"We want to make sure that you use public buckets and objects as needed, while giving you tools to make sure that you don't make them publicly accessible due to a simple mistake or misunderstanding." - Jeff Barr, AWS

S3NakedInPublic

S3NakedInPublic is a little landing page I created, one that has examples on visual steps that can be done manually within the AWS Management Console to check for (and secure) Public buckets. S3NakedInPublic also has simple code examples in PowerShell, Python, and bash (wrapped around the AWS CLI). They can be starting points, only taking 5 – 10 lines of code to get started on auditing.

PowerShell Example
# Requires AWSPowerShell.NetCore Module
# OR AWSPowerShell Module (if on Windows PowerShell)
# Install-Module AWSPowerShell.NetCore
# https://www.powershellgallery.com/packages/AWSPowerShell.NetCore

# Funky formatting to fit dev.to code display
foreach ($OhNoes in Get-S3Bucket) {
  if (($OhNoes | Get-S3ACL).Grants.Grantee |
    where {
      $_.URI -eq 'http://acs.amazonaws.com/groups/global/AllUsers'
    }
  ) {$OhNoes}
}

Checkout the repository for other examples. Also of note, the open-source Python script S3 Inspector may be able to help even further.

Outside of Simple Auditing, What Else?

Avoiding manual changes to infrastructure, by using tools like CloudFormation or Terraform, can ensure proper control and change history of an environment. There is still the problem of change being manually done after the fact and outside of configuration management frameworks, though CloudFormation had drift detection added last year: AWS Blog - New CloudFormation Drift Detection

It would be a good idea to take a look at tools such as:

Adding these to a security toolbelt, including implementation of AWS guidance like IAM Best Practices and the Well-Architected Framework can set an account up to better avoid these mishaps.

A Little Extra

There is also the open-source exploitation framework, Pacu, created by Rhino Security Labs. It's continuously growing with a roadmap that looks to include additional cloud providers. Rhino has also come out with CloudGoat, their "Vulnerable by Design" deployment tool for testing security tools against and really understanding the type of flaws you want to avoid in your AWS infrastructure.

Thoughts?

Have any suggestions for quick audits and wins when it comes best security practices on AWS? Or know of other, high-profile, common issues that keep coming to light? Post in the comments on dev.to!


Footnotes

  1. Gay dating app fined $240,000 for leaking nude and private photos. Reported by Catalin Cimpanu @ ZDNet, 2019˄

  2. Contractor's AWS S3 server leaks data from Fortune 100 companies. Reported by Catalin Cimpanu @ ZDNet, 2019˄

  3. Out of Pocket: How an ISP Exposed Administrative System Credentials. UpGuard, 2018˄

  4. Children's Voice Messages Leaked in CloudPets Database Breach. Reported by Mike Mimoso @ ThreatPost, 2017˄

  5. NSA leak exposes Red Disk, the Army's failed intelligence system. Reported by Zack Whittaker @ ZDNet, 2017˄

  6. New Study Shows 20% of Public AWS S3 Buckets are Writable. Reported by Ben Layer @ Tripwire, 2018˄