Researchers (most notably Chris Vickery) have discovered that a common misconfiguration in Amazon Simple Storage Service (Amazon S3) may expose sensitive enterprise data to unauthorized access. They were actively searching for Amazon S3 buckets that granted access to “Any authenticated AWS users”. These efforts resulted in the exposure of several dozen databases belonging to large financial, healthcare, and technology companies.
Researchers are still actively looking for additional databases that may be exposed due to this common misconfiguration and it is only a matter of time before they find them. It is prudent for you to immediately assess your own infrastructure for this vulnerability.
Amazon S3 is a simple web service interface that allows organizations to easily store and retrieve data. It is used for backups, application hosting, file serving, and media and software delivery. Given its ease of use, Amazon S3 has become an attractive option for organizations that need to store large amounts of data.
Access to Amazon S3 is managed through Access Control Lists (ACLs), in which customers specify which users are permitted access to a bucket. It is good security practice to make sure that these ACLs allow only specific, authorized internal users to access the data in the buckets. Often, however, Amazon Web Services (AWS) administrators grant access to “Any authenticated AWS users” (see the image below) thinking that this permission will only allow internal users to access data in the Amazon S3 bucket. This is a common misconception: the permission grants Amazon S3 access to ANY user with valid AWS credentials and exposes sensitive enterprise data to unauthorized external access. With this permission in place, a malicious user only needs to learn the name of the bucket and/or the files inside it. With that information, they can make API calls to the bucket using their own valid AWS credentials and gain access to highly sensitive enterprise data.
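As an added example (not part of the advisory), the following Python checks a bucket ACL, in the dict shape that boto3's `get_bucket_acl()` returns, for grants to the global "AuthenticatedUsers" and "AllUsers" groups and produces a copy with those grants removed. The sample ACL and owner ID are constructed placeholders; the group URIs are the real ones AWS uses for these grantees.

```python
# Added example: audit an S3 bucket ACL for the misconfiguration described above.
# The ACL dict below is constructed sample data in the shape boto3 returns from
# boto3.client("s3").get_bucket_acl(Bucket=name); no AWS call is made here.

# Group URIs AWS uses for the "Any authenticated AWS user" and "Everyone" grantees.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
GLOBAL_GROUPS = {
    AUTHENTICATED_USERS: "Any authenticated AWS user (any AWS account)",
    ALL_USERS: "Everyone (anonymous)",
}


def _is_global_group(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS


def risky_grants(acl):
    """Return (grantee description, permission) for every grant to a global group."""
    return [(GLOBAL_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", []) if _is_global_group(g)]


def without_global_groups(acl):
    """Return a copy of the ACL with global-group grants removed; owner grants are kept."""
    kept = [g for g in acl.get("Grants", []) if not _is_global_group(g)]
    return {"Owner": acl.get("Owner"), "Grants": kept}


# Constructed sample: owner has FULL_CONTROL, plus the misconfigured READ grant.
WEAK_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for who, perm in risky_grants(WEAK_ACL):
        print(f"FINDING: {perm} granted to {who}")
    print("findings after fix:", risky_grants(without_global_groups(WEAK_ACL)))
```

The fixed ACL can be applied with `put_bucket_acl(Bucket=name, AccessControlPolicy=...)`; a bucket policy granting public access would need a separate check.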
Advisory Issued: April 5, 2017