In the wake of several high-profile data leaks, Amazon Web Services warned customers Wednesday to re-examine S3 storage drives with policies allowing their contents to be shared with the world.
AWS sent emails to an undisclosed number of customers, pointing out the S3 buckets in their accounts that have no controls barring public access, and advising them to confirm that those object storage drives don't in fact need to be secured. The warnings were first reported by TechTarget.
While certain data needs to be publicly accessible, recently discovered vulnerabilities that jeopardized the privacy of customers of Verizon, Dow Jones and WWE, as well as of voters, have shone a massive spotlight on a growing problem.
An AWS spokesperson told CRN: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don’t have bucket access they didn’t intend."
David Klee, founder and chief architect at Heraflux Technologies, an AWS partner based in Scarborough, Maine, told CRN, "We cannot stress enough to our clients that open buckets are the worst possible security mechanism they can possibly leave exposed."
Klee said he hasn't heard from any Heraflux customers that have received email warnings.
Tolga Tarhan, founder and CTO of Sturdy Networks, an AWS partner based in Irvine, Calif., has seen the warning Amazon issued to some customers about accidentally exposing data through misconfigured S3 buckets.
"Customers should work with experienced AWS partners to audit their S3 usage and ensure all best practices," Tarhan said. That includes more than just the access policies referenced in the AWS emails.
An S3 bucket is just a cloud drive set up in an AWS region for object storage. Each bucket has its own Access Control List (ACL) by which users administer policies.
One email from AWS posted on Twitter by Uranium238, a security penetration tester, listed for the customer the buckets with public access (the screen shot didn't reveal their URLs), and offered a reminder that by default those ACLs are not configured for "world access"—meaning open to everyone on the internet.
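The audit the article's sources recommend comes down to reading each bucket's ACL and bucket policy and flagging grants to "everyone". The following Python is an added illustration, not code from AWS, CRN or the partners quoted above; it works on the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, and the sample ACL and policy embedded in it are constructed for the example.

```python
import json

# Canned-group URIs that S3 treats as "everyone" in an ACL grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that grant access to everyone.

    `acl` has the shape returned by `aws s3api get-bucket-acl`. AuthenticatedUsers
    is flagged too: anyone with any AWS account counts as "the world" for a leak.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def public_policy_statements(policy):
    """Return Sids of unconditional Allow statements whose Principal is anyone.

    `policy` is the parsed bucket policy JSON. Statements that carry a Condition
    (e.g. an aws:SourceIp restriction) are left for manual review, not flagged.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed sample: owner has FULL_CONTROL, and the world has been granted READ.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

# Constructed sample policy: one anonymous read, one read limited to an IP range.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}""")

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
```

Run across every bucket in an account, a non-empty result from either function is the finding to chase before a third party does.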