Time and again over the course of 2017, security researchers have discovered personally identifiable information sitting on publicly accessible Amazon S3 cloud storage instances.
The latest company to misconfigure cloud data storage is data analytics firm Alteryx, which exposed information on 123 million American households in a data leak reported by security firm UpGuard on Dec. 19.
“Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census,” Dan O’Sullivan, cyber resilience analyst at UpGuard, wrote in a blog post. “While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data.”
The misconfigured Amazon S3 storage instance was discovered by UpGuard Director of Cyber Risk Research Chris Vickery, who reported the issue to Alteryx so that it could be fixed.
Vickery and his team at UpGuard have reported a number of similar instances of improperly configured Amazon S3 storage instances over the course of 2017. On July 12, UpGuard reported that information on 6 million Verizon customers was left exposed on a cloud server. On Oct. 10, the company disclosed that Accenture had left some data publicly available on S3.
More recently, on Nov. 17, UpGuard reported that it found publicly accessible S3 storage that included information from Department of Defense data collection activities conducted by CENTCOM. The archive included 1.8 billion posts of internet data from social media sites and web forums collected over an eight-year time period.
While every incident disclosed by UpGuard has its own nuanced root cause, the basic fault is the same, with some form of misconfigured permissions in a company’s use of Amazon S3 storage. In the Alteryx incident, the data wasn’t publicly accessible to anyone on the internet, but rather to anyone who was logged into AWS.
“While the default security setting for S3 buckets would allow only specifically authorized users to access the contents, this bucket was configured via permission settings to allow any AWS ‘Authenticated Users’ to download its stored data,” O’Sullivan wrote. “In practical terms, an AWS ‘authenticated user’ is any user that has an Amazon AWS account.”
How Organizations Can Secure Amazon S3 Buckets
Amazon Web Services has not sat idly by in 2017 as UpGuard and other firms have revealed S3 data leakage incidents. Using tools and services made available by AWS, S3 users can safely and securely store data in the cloud.
Among the tools that AWS now offers is the Macie machine learning service that was announced on Aug. 14. With Macie, an organization can scan its S3 instances and identify if any personally identifiable information is present. The AWS Config service has also been improved in 2017 with new rules that enable organizations to block public read and writes to S3 storage instances. AWS Config provides policy and configuration settings for cloud services.
In addition, as of Nov. 8, it’s also easier than ever before to protect S3 data with encryption. S3 now includes a policy option that can make sure that all objects in a storage bucket are encrypted by default. Without encryption for an S3 storage bucket, if data is leaked, an attacker will have full access to all the unencrypted data. With encryption, even in the event of a data breach or leak, the data will not be immediately usable by an attacker.
No doubt, UpGuard and other security researchers will find other organizations that have left data exposed in Amazon S3 in the months ahead. That doesn’t mean the cloud is not secure. If organizations make use of the tools that Amazon provides, configure S3 storage for least privilege and make use of encryption, the day could soon come when cloud data leaks become a thing of the past.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.