The RedLock security research team discovered a common misconfiguration in Amazon Relational Database Service (RDS) and Amazon Elastic Block Store (EBS) where snapshots have inadvertently been granted “public” access. This potentially exposes sensitive enterprise data to unauthorized users. To assess the impact of the misconfiguration, the team searched for publicly exposed Amazon RDS and EBS snapshots.
The search efforts resulted in the discovery of several thousand data volumes belonging to large financial, healthcare, telecommunication and technology companies. The databases contained sensitive information such as Protected Health Information (PHI) and Personally Identifiable Information (PII). Examples of our findings:
To be clear, this issue is not due to a vulnerability in the Amazon Web Services (AWS) platform, but rather with how the organizations have configured their environment.
Any user with valid AWS credentials can easily find and access unencrypted data volumes that have been publicly shared and subsequently gain access to all the information stored within these backups. Customers are advised to immediately assess their infrastructure for this vulnerability and take appropriate actions to fix the configuration error.
AWS RDS makes it easy to set up, operate, and scale a relational database such as PostgreSQL, MySQL, Oracle, or Microsoft SQL Server in the cloud. Using the Amazon RDS console, a user can share a manual DB snapshot or DB cluster snapshot with up to 20 AWS accounts, or publicly with anyone (refer to Figure 1 below).
Figure 1: Share RDS snapshots publicly using the RDS console
There can be a couple of different reasons that developers set up broad sharing permissions:
Figure 2: Over 86 publicly shared RDS snapshots
An unauthorized AWS user can easily find these snapshots and restore them to their own RDS instance within their account. Next, they simply reset the password for the database to gain access to highly confidential enterprise data.
An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. A user can share an unencrypted snapshot with co-workers or any AWS user by modifying the permissions of the snapshot (refer to Figure 3 below).
Figure 3: Share EBS snapshots publicly using the EC2 console
Many developers believe that this access permission will only allow internal users within their organization to access these snapshots. This is a common misconception as this permission grants ANY user with valid AWS credentials access to the snapshot as illustrated in Figure 4 below.
Figure 4: 7,400 publicly shared EBS snapshots can be found in the AWS Oregon region alone
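The two sharing mechanisms described above (the RDS snapshot "restore" attribute and the EBS snapshot create-volume permission) can both be audited from the attribute responses the AWS APIs return. The following is an added example written for this page, not RedLock's tooling; the snapshot identifiers, account IDs and attribute responses are constructed so it runs offline. In a live audit the same dictionaries come from boto3's `ec2.describe_snapshot_attribute()` and `rds.describe_db_snapshot_attributes()`, and the revoke parameters feed `ec2.modify_snapshot_attribute()` and `rds.modify_db_snapshot_attribute()`.

```python
"""
Audit helper: flag RDS and EBS snapshots whose sharing attribute makes them
public, and build the parameters that revoke that sharing.

Added example, not RedLock's code. The response shapes mirror the AWS APIs:
EC2 DescribeSnapshotAttribute reports a public snapshot as
CreateVolumePermissions: [{"Group": "all"}]; RDS DescribeDBSnapshotAttributes
reports one as the "restore" attribute containing the value "all".
The sample responses below are constructed for offline use.
"""

# Constructed sample: EBS snapshot attribute responses keyed by snapshot id.
EBS_ATTRIBUTE_RESPONSES = {
    "snap-0a1b2c3d4e5f60001": {
        "SnapshotId": "snap-0a1b2c3d4e5f60001",
        "CreateVolumePermissions": [{"Group": "all"}],           # shared with everyone
    },
    "snap-0a1b2c3d4e5f60002": {
        "SnapshotId": "snap-0a1b2c3d4e5f60002",
        "CreateVolumePermissions": [{"UserId": "111122223333"}],  # one named account
    },
    "snap-0a1b2c3d4e5f60003": {
        "SnapshotId": "snap-0a1b2c3d4e5f60003",
        "CreateVolumePermissions": [],                           # private
    },
}

# Constructed sample: RDS snapshot attribute responses keyed by snapshot id.
RDS_ATTRIBUTE_RESPONSES = {
    "prod-customers-2017-04-01": {
        "DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": "prod-customers-2017-04-01",
            "DBSnapshotAttributes": [
                {"AttributeName": "restore", "AttributeValues": ["all"]},  # public
            ],
        }
    },
    "staging-2017-04-01": {
        "DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": "staging-2017-04-01",
            "DBSnapshotAttributes": [
                {"AttributeName": "restore", "AttributeValues": ["444455556666"]},
            ],
        }
    },
}


def ebs_snapshot_is_public(attr_response):
    """True when the create-volume permission includes the 'all' group."""
    perms = attr_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def rds_snapshot_is_public(attr_response):
    """True when the 'restore' attribute lists 'all' (any AWS account may restore it)."""
    result = attr_response.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(ebs_responses, rds_responses):
    """Return the identifiers of every public snapshot, grouped by service."""
    return {
        "ebs": sorted(s for s, r in ebs_responses.items() if ebs_snapshot_is_public(r)),
        "rds": sorted(s for s, r in rds_responses.items() if rds_snapshot_is_public(r)),
    }


def ebs_revoke_params(snapshot_id):
    """Keyword arguments for ec2.modify_snapshot_attribute() that drop the 'all' group."""
    return {
        "SnapshotId": snapshot_id,
        "Attribute": "createVolumePermission",
        "CreateVolumePermission": {"Remove": [{"Group": "all"}]},
    }


def rds_revoke_params(snapshot_id):
    """Keyword arguments for rds.modify_db_snapshot_attribute() that drop 'all'."""
    return {
        "DBSnapshotIdentifier": snapshot_id,
        "AttributeName": "restore",
        "ValuesToRemove": ["all"],
    }


if __name__ == "__main__":
    findings = find_public_snapshots(EBS_ATTRIBUTE_RESPONSES, RDS_ATTRIBUTE_RESPONSES)
    for snap in findings["ebs"]:
        print("public EBS snapshot:", snap, "->", ebs_revoke_params(snap))
    for snap in findings["rds"]:
        print("public RDS snapshot:", snap, "->", rds_revoke_params(snap))
```

When running this against a real account, scope the enumeration to snapshots you own (for EC2, `describe_snapshots` with `OwnerIds=['self']`) before fetching each snapshot's attributes, and treat the revoke parameters as a change to review rather than apply blindly: a snapshot shared with specific account IDs rather than `all` is not flagged here, since that sharing may be intentional.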
Advisory Issued: April 13, 2017