Amazon S3 misconfiguration exposes businesses' data
Rapid7 finds 'public buckets' could be displaying sensitive data globally
Amazon's Simple Storage Service (S3) users may have misconfigured their accounts leading to the exposure of business data to the public, security solution provider Rapid7 has found.
Amazon S3 provides the ability to store and serve static content from Amazon's cloud services.
In a blogpost, Rapid7 explains that businesses use S3 to store server backups, company documents, web logs and publicly visible content such as website images and PDF files. Files within S3 are organised into 'buckets', named logical containers accessible at a predictable URL. Specific access controls can be applied to the bucket itself and to the files and directories within it.
The firm discovered 12,328 unique buckets, and of those buckets 1,951 were 'public buckets', meaning that nearly one in six buckets could be looked at by anyone that is interested.
As it was unrealistic to test all 126 billion files uncovered within these public buckets, Rapid7 took a random sample of 44,000 publicly visible files, and many of these contained sensitive data.
This data included sales records and account information from a large car dealership; employee personal information and member lists across various spreadsheets; video game source code and development tools belonging to a mobile gaming firm; and 28,000 PHP source files, some of which contained details such as database usernames, passwords and API keys.
The most common exposure was through log backups that were left globally accessible.
Rapid7 said that many large companies were represented in the list of publicly exposed buckets, and that many of the documents identified were clearly marked as confidential or obviously private in nature. In other instances, the exposed data included log files and service data that revealed sensitive details about the organisation and its customers.
Rapid7 has since worked with Amazon to disclose this misconfiguration. It recommends that organisations "check if they own one of the open buckets and if so, think about what they're keeping in that bucket and whether they really want it exposed to the internet and anyone curious to take a look".
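A bucket-owner's check in the spirit of that recommendation, added here as an example and not code from Rapid7 or AWS: it inspects a bucket ACL and a bucket policy in the shape boto3's get_bucket_acl and get_bucket_policy return (which an owner would fetch for each bucket in their own account) and reports grants to the AllUsers or AuthenticatedUsers groups and Allow statements with an anonymous principal. The sample ACL and policy below are constructed.

```python
import json

# Canned groups whose presence in an ACL grant opens the bucket to everyone / every AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def public_acl_grants(acl):
    """(group, permission) pairs from a get_bucket_acl-shaped dict that grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings

def _is_wildcard_principal(principal):
    """True for "Principal": "*" and for "Principal": {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Sids (or indices) of Allow statements with an anonymous principal; a Condition may narrow
    such a statement, so it is still reported for manual review rather than silently skipped."""
    if isinstance(policy, str):  # get_bucket_policy returns the document as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))]

def bucket_is_public(acl, policy=None):
    """True if either the ACL or the bucket policy exposes the bucket to the world."""
    return bool(public_acl_grants(acl)) or bool(policy and public_policy_statements(policy))

# Constructed samples in the shape boto3's get_bucket_acl / get_bucket_policy return.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Run over every bucket returned by list_buckets, this flags exactly the kind of 'public bucket' the survey counted; a READ grant to AllUsers is what makes a bucket listable at its predictable URL.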
Amazon Web Services (AWS) has also published a guide for S3 users in order to rectify the issue.
A spokesperson from AWS claimed that the problem did not lie with its service.
"This is not a vulnerability in Amazon S3. Amazon S3 provides authentication mechanisms to secure data stored in Amazon S3 against unauthorised access. Unless the customer specifies otherwise, only the AWS account owner can access data uploaded to Amazon S3," he said.