Are you at risk from Amazon’s S3 bucket problem?
Storage Security

Amazon Web Services is the undisputed king of Public Cloud. But, given recent headlines, it seems the company has a problem with the security of its storage offering.

AWS’s Simple Storage Service (S3) is the company’s object storage offering; put data in it, store it there, retrieve it when you need it. According to SimilarTech, nearly 400,000 websites use S3 storage services globally.

But a spate of headlines has seen major companies and government agencies misconfiguring their Amazon S3 repositories and exposing their sensitive data to the world, leaving it open for anyone to access.


S3 has a problem

Though access policies for S3 buckets can be changed to suit your needs, selecting the wrong access controls, permissions, or authentication settings can inadvertently expose your data.

Misconfigured S3 buckets have seen organizations such as Verizon, Booz Allen Hamilton, the WWE Foundation, marketing firm Octoly, Alteryx, the National Credit Federation, the Australian Broadcasting Corporation (ABC), Accenture, and the NSA expose sensitive - and even classified - information online. As well as taking the data, resourceful hackers have begun holding the data stored within these buckets to ransom, or even using the buckets to mine cryptocurrency.

According to Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, while 35% are unencrypted. That means there could be thousands, if not tens of thousands, of potentially exposed buckets out there at any given moment.

Technically this isn’t the fault of AWS; in the default configuration, a bucket locks down access to just the account owner and root administrator. Obviously there are times when you want to make data open to everyone, and sometimes open only to a specific set of users, and Amazon has its own guidelines for properly securing its buckets, plus there is plenty of third-party advice on the subject. The issue, however, remains.

In theory, the likes of Microsoft’s Azure Blobs storage, Google Cloud Storage, and storage offerings from other Public Cloud vendors could suffer the same fate, but Amazon’s lead in the market means there are more buckets and more potential to be exposed.


Fixing leaky buckets

This isn’t a new problem. Researchers have been publishing warnings about leaky buckets for years. But it’s only in the last 18 months or so that there has been a steady stream of headlines about exposed data.

Part of the problem is that once a bucket is misconfigured, it can be very hard to find out until it’s too late. There is no shortage of homebrew tools designed to scan the web for exposed buckets, for both altruistic and malicious purposes. The BBC recently reported that security researchers are posting “friendly warnings” to users who have left their buckets exposed.

A new site called BuckHacker is looking to be the Shodan of S3 buckets and highlight if data is in danger. Though it can make finding your own exposed buckets easy, it also makes it easy for an attacker if they get there before you.

Amazon has been making efforts to fix the issue. Last year it tried to throw some Machine Learning at the problem with AWS Macie, a tool designed to automatically discover and protect sensitive data stored in AWS. In November, AWS announced a series of new features designed to improve S3 security, including default encryption, detailed inventory reports, permission checks, and more. In February of this year – and just a few days after FedEx was found to have exposed over 100,000 scanned documents, including passports and driver’s licenses, plus customer records including postal addresses – AWS made its S3 Bucket Permissions Check service free to all users.

If you are unsure if your buckets are secure, head over to the AWS site for a range of advice on the subject, including working with S3 buckets, setting policies, encryption, and monitoring.
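The article's point that the wrong access controls can quietly expose a bucket, and its advice to check your own buckets, can be turned into a small offline audit. The script below is an added example, not code from the article or from AWS. It takes dictionaries shaped like the output of boto3's `s3.get_bucket_acl()` and `s3.get_bucket_policy()` (those call names and the AWS group URIs are real; in practice you would feed it the live API responses), flags ACL grants to the AllUsers or AuthenticatedUsers groups and unconditional `Allow` policy statements whose principal is `*`, and shows a leaky policy beside its corrected form. All bucket names, account IDs and role names are constructed placeholders.

```python
"""Audit S3 bucket ACLs and bucket policies for public access (added example).

All inputs below are constructed in the same shape as boto3's get_bucket_acl()
and get_bucket_policy() responses, so the script runs offline.
"""
import json

# Canned group URIs AWS uses for "everyone" and "any AWS account holder".
# A grant to either one is the kind of exposure the article describes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """Return (permission, who) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((grant["Permission"], PUBLIC_GROUP_URIS[uri]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions) for Allow statements open to everyone with no Condition.

    Conditional statements are skipped because they need a human to judge
    (e.g. limited to a source VPC), not because they are known to be safe.
    """
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((stmt.get("Sid", f"statement[{i}]"), tuple(actions)))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Return human-readable findings; an empty list means nothing public was found."""
    report = [f"{name}: ACL grants {perm} to {who}" for perm, who in public_acl_grants(acl)]
    if policy_json:
        for sid, actions in public_policy_statements(policy_json):
            report.append(f"{name}: policy {sid} allows {', '.join(actions)} to everyone")
    return report


# --- Constructed sample input (placeholder bucket, owner, account and role) ---
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}

# The classic leak: every object readable by the world, no condition attached.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Corrected form: only one named role in the owning account may read.
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", EXPOSED_ACL, EXPOSED_POLICY):
        print(line)
    print("private bucket findings:", audit_bucket("example-bucket", PRIVATE_ACL, PRIVATE_POLICY))
```

Run against the constructed inputs it reports two findings for the exposed bucket (an ACL READ grant to anyone on the internet, and the `PublicRead` policy statement) and none for the private one. To audit real buckets, loop over `s3.list_buckets()` and pass each bucket's ACL and policy to `audit_bucket`; a bucket with no policy raises `NoSuchBucketPolicy`, which simply means there is no policy to check.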


IDG Connect contacted Amazon for this piece ahead of publication, but hasn’t received an official statement or comment. We will update if this changes.


Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'millennials'.
