In 2017, millions of users were affected by major data security breaches at companies using Amazon Web Services Simple Storage Service – the popular cloud storage and service platform better known as AWS S3.
AWS S3 User Errors
When high-profile issues happen on the Web, it’s common to look for outside culprits. However, the pattern has been different with Amazon S3. User error is the main driver behind the most significant security events. This comes in two forms:
The company makes configuration changes that cause its S3 “bucket” to become publicly visible, exposing the bucket URL and making it easier for antagonists to gain access to its cloud resources.
Senior executives fail to understand the relationship between Amazon infrastructure and their own security practices – e.g., believing that their use of Amazon Web Services externalizes responsibility for security.
Whatever the problem’s origins, Amazon S3 caused many serious data security crises in 2017. Global enterprises came up short in efforts to safely harness cloud services, suggesting a reappraisal of security practices is needed.
Examples of User Errors
Some examples include:
Verizon saw data for up to 16 million users leaked online. IT partner NICE Systems, an Israeli-based data security firm, failed to limit external access to a sensitive S3 server. As a result, criminals may have data enabling them to pose as Verizon customers when using phone support.
In an embarrassing blunder, Viacom misconfigured an S3 bucket containing a treasure trove of its most sensitive IT data. A set of 72 compressed files on an S3 server contained what appeared to be a backup for the company’s global IT operations, including passwords and encryption keys.
Time Warner Cable exposed 4 million subscriber records when a contractor failed to secure an Amazon cloud database. Seven years’ worth of data became publicly accessible, including addresses, contact phone numbers, and account information.
The repercussions are tremendous. Through no fault of their own, customers are at risk of identity theft for years to come after a cloud platform breach. This erodes confidence in the exposed brands, potentially costing them millions in lost business.
How to Fix AWS S3 Risks and Reduce Leaks
Amazon S3 represents an opportunity to leverage world-class cloud architecture. However, enterprises must recognize that retaining Amazon as a cloud partner does not take care of their security requirements. Although Amazon proactively monitors its infrastructure and resolves systemic issues, security experts on the client side must guard against unintentional misuse of the service. There are a few things you can do:
Know Where Your Sensitive Data Is
Third-party tools can be used to enact data loss prevention across Infrastructure-as-a-Service platforms, including AWS S3. DLP policies can be applied automatically based on identifiers, keywords, and data fingerprints. S3 buckets containing sensitive data should be identified, and buckets that have been configured for public access should be monitored.
Audit Your Security Configuration in AWS
Amazon Web Services includes a wide range of data security tools. Many third-party enterprises offer a security configuration dashboard that can consolidate and track the dozens of AWS security settings that can lead to unintentional public access. Security experts should audit the enterprise AWS posture on a regular basis to proactively remediate security holes.
Encrypt your data: AWS Guide on How to Encrypt Your Data
Monitor Your AWS S3 Buckets access: Activate Server Access Logging
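The checks listed above can be combined into one audit pass per bucket. The following is an added example, not code from Sedara or AWS. The per-bucket dictionary and its keys (acl_grants, policy, public_access_block, logging_enabled, default_encryption) are a hypothetical format; the grant, policy and public access block fields follow the shapes the S3 API returns, and the policy test is a simplification of how AWS decides a policy is public.

```python
import json

# Predefined S3 group URIs; a grant to either one makes an ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_is_public(policy_json):
    """Simplified check: an Allow for principal "*" with no Condition."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws is not None and "*" in _as_list(aws)
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def audit_bucket(cfg):
    """cfg is a hypothetical per-bucket settings dict; returns finding names."""
    pab = cfg.get("public_access_block") or {}
    findings = []
    if (any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
            for g in cfg.get("acl_grants", []))
            and not pab.get("IgnorePublicAcls")):
        findings.append("public-acl")  # public grant that is not being ignored
    if policy_is_public(cfg.get("policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("public-policy")
    if not cfg.get("logging_enabled"):
        findings.append("no-access-logging")
    if not cfg.get("default_encryption"):
        findings.append("no-default-encryption")
    return findings

# Constructed sample inventory; bucket names and settings are made up.
_ALL_USERS = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
_OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
SAMPLE = {
    "example-backups": {"acl_grants": [_ALL_USERS], "policy": _OPEN_POLICY},
    "example-guarded": {"acl_grants": [_ALL_USERS], "policy": _OPEN_POLICY, "logging_enabled": True, "default_encryption": True, "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE.items():
        print(name, audit_bucket(cfg) or "ok")
```

The second sample bucket carries the same public grant and policy as the first, but its public access block settings override them, so it reports no findings.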
AWS S3 is a powerful tool. Human error – rather than external antagonists – remains the biggest challenge in using it. By scrupulously employing a few simple best practices, you’ll significantly reduce the likelihood of data security problems.
How Sedara Can Help You
Sedara’s cybersecurity experts can teach you everything you need to know in order to stay compliant. Contact us today to get started.