Your IT Consultant
Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.
Leaking Buckets Don’t Hold Water
August 5, 2020
It's a pure fact of physics. Containers with holes won't hold water. The same analogy applies to misconfigured AWS S3 storage buckets. The Register reported that the team at Truffle Security used automated tools to discover around 4,000 open Amazon S3 buckets that companies would not want to be public on the internet. The open buckets contained sensitive confidential information such as security keys, API keys and even logon credentials. The team's results indicated that the exposed data was pretty common with "… around 2.5 passwords and access tokens per file analyzed per repository." The credentials included Mongo DB credentials, SQL server passwords, Coinbase API keys, and logins for other AWS buckets configured to prompt for a password.
The Truffle team stated, "It's probably fair to assume authenticated buckets contain more secrets than unauthenticated ones, due to the implied higher security bar authentication provides. This means attackers can likely use the first round of buckets to find keys that unlock an additional round of buckets and expose more keys, which could expose more buckets, etc." There have been many studies showing that most cloud data breaches are due to human error. Perhaps now is a good time to review the configurations for any cloud service you may be using.