Amazon S3 Buckets: How to Properly Configure Them, or Else!

It is no longer surprising to the public when another big data breach reaches the news. In 2017 alone, Gemalto, an international digital security company, detected 1,765 data breaches worldwide. That's almost 5 data breaches a day. Within those data breaches, hundreds of thousands of personal records are stolen from companies. According to Breach Level Index, approximately 4,806,308 records are stolen each day. The number one cause behind these data breaches? The lack of securely configured cloud environments among large companies. In most cases these happen to be Amazon S3 buckets.Octoly, a Paris-based brand marketing company, was one of the many companies that fell victim to a data breach in early 2018 – by the misconfiguration of an Amazon S3 bucket. The bucket revealed a backup of their enterprise IT operations and sensitive information about thousands of the firm's registered social media influencers. Theses influencers, in large part, had information stored from Instagram, Twitter, YouTube, and TwitchTV. The data of these influencers included real names, addresses, phone numbers, email addresses, and birth dates – many of whom are anonymous in their online ventures.Also exposed were thousands of hashed user passwords. If decrypted, password reuse attacks could be deployed against various online accounts belonging to the creators because usernames and emails were also included in the repository. The potential for secondary attacks is extremely high given the amount of data exposed in this breach. With information such as phone numbers and addresses of these influencers made publicly available, cyber-stalkers and cyber-bullies would be quick to use this information to their advantage to harass them.Octoly eventually secured their Amazon S3 bucket, however it was not a swift process, and sensitive information was still made publicly available for over three weeks after they were first notified.So why are these Amazon S3 buckets not configured properly by so many companies? By default, S3 buckets are already configured for private access, so you'd think it would be safe and sound. Unfortunately, network administrators often are too lax with user permissions to S3 buckets, allowing anyone with AWS credentials to access sensitive data.In an article by Mark Nunnikhoven, who is the VP of Cloud Research at Trend Micro, How to Secure An Amazon S3 Bucket, he stated "there are multiple avenues to grant permissions" and "multiple areas to make simple mistakes that might cause a leak..." Therefore, in many cases, if it is unnecessary for other users to access the data at your company, it might be in your best interest to simply do nothing. As mentioned above, by default the S3 bucket is securely configured and only the AWS account that created the resource can access it.At any rate, whether the bucket is only accessed by you, or multiple users have access, it's not a bad idea to add an extra layer of security, through the use of MFA (Multi-Factor Authentication). This requires two levels of identification. Rather than the simple username and password, another level of identification will be required, such as a security question or a pin number. To the user on a daily basis, it may come as an annoyance, but significantly decreases the probability of a hacker gaining access to your account. Better to be safe than sorry.All-in-all data breaches are still happening at an alarming rate and companies that hold large quantities of personal records should be held accountable to protect their customer's data. To ensure your Amazon S3 buckets are properly configured, make sure user permissions are limited to the proper personnel. In other words, the fewer the number of people with access, the more secure it is. Also, adding that extra layer of security by utilizing MFA goes a long way in thwarting hackers who possess stolen credentials. Therefore, by properly configuring your Amazon S3 bucket you can keep yourself a little more at ease.Questions on this topic? Contact info@cviewllc.com.