A major Security event involving a breach caused by user error occurred recently in AWS. Website thehill.com reports that “25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in” These files were RNC owned and had voter data.
Being that the article read “25 TB of Files“, it’s not too far of a stretch to say these were files[objects] stored in an S3 Bucket, or (buckets). Here is the crazy thing, from an AWS Security perspective, literally one click could have protected all the files. [ Simply un-checking “read” from the everyone group ]. Take a look at the screen shot down the page a bit to see exactly what I mean.
In this instance, the contractor managing the RNC Voter Data Files strayed away from the default S3 bucket configuration, which is:
” By default, all Amazon S3 resources—buckets, objects, and related subresources (for example,
lifecycle configuration and
website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource. The resource owner can optionally grant access permissions to others by writing an access policy.”
One can only guess that the Contractor in-charge of these files was trying to give access to a small group of people that did not have AWS accounts and simply checked the Read for Everyone on the Entire Bucket.
Even if this was the practice, the fact that the Read for Everyone was left checked over time is simply . .mind boggling.
There are so many way this could have been prevented. Bucket Policies come to mind as well; where among many of the custom security access policies you can create; access controls can be applied to lock down a bucket for anonymous users, (users without AWS accounts), by specifying referring website or their source IP if extended read access is needed.
Amazon make it easy to secure S3 buckets, first, by the Default Policy, second, by literally having a place where you can click one box. Simply no excuse for this breach!
[update: The original find is here on upgaurd.com and confirmed my suspicion below, that the files were indeed stored in an S3 bucket! ]