Leaky AWS S3 Buckets Expose Netflix, TD Bank, and Ford’s Data
ZDNet has reported that Attunity, a data management company recently acquired by the business intelligence vendor Qlik, exposed customer and company data when three AWS S3 buckets were left readable by anyone on the internet. (S3 buckets are not protected by passwords; who can read them is decided by IAM permissions, the bucket policy and the bucket ACL, and here those were set to allow public access.) One of these buckets contained a large collection of internal company documents. The total size is uncertain, but a security researcher from UpGuard downloaded a sample of about a terabyte, including 750 gigabytes of compressed email backups. Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more.
The leak also exposed Attunity’s customers’ data, including that of Fortune 100 companies such as Netflix, TD Bank, and Ford. UpGuard researchers found usernames and passwords for Netflix production database systems, TD Bank invoices for internal software that employees were using, and various Ford internal project files. The leak also exposed credentials for Attunity’s own internal systems, which could have been the opening for a deeper intrusion into Attunity’s network.
Resolving the issue had its complications, since Attunity was in the process of being acquired by Qlik. The researcher who discovered the leak had to navigate unforeseen time zone issues before finally speaking on the phone with Qlik support. The leak was secured three days after initial discovery. Qlik has said it is still investigating the full extent of the exposed data.
How did these S3 Buckets get exposed?
In short, human error. Attunity’s S3 buckets were most likely maintained by people who were not thinking about security at the time, and the exposure was something as simple as an oversight. For example, a developer troubleshooting an application failure might have suspected S3 access was to blame, loosened the bucket policy or ACL to allow public access, watched the application start working again, and moved on to the next project without ever reverting the change. The result is an exposed bucket. It may not even have been that developer: someone else may have altered the bucket’s configuration later, for any number of reasons. The point is that many organizations are vulnerable because they have no process that catches or prevents insecure deployments like this.
Carelessness and plain human error when updating or tweaking S3 configurations can lead to massive data leaks.
How do organizations avoid S3 bucket leaks?
For starters, the Attunity developers needed only to leave the defaults alone. Amazon S3 buckets are private by default and can only be accessed by principals that have been explicitly granted access. Out of the box, only the bucket owner’s account can read a bucket and its objects, so someone has to deliberately grant public access, through a bucket policy with a wildcard principal, an ACL grant to the AllUsers or AuthenticatedUsers group, or by switching off S3 Block Public Access, to expose the data.
As a basic first step to avoiding S3 bucket leaks, developers should take advantage of the native AWS capabilities. They should always write deliberate bucket policies that name exactly who can access the objects stored within, and enable S3 Block Public Access at the account or bucket level so that a public policy or ACL is rejected or ignored even if someone adds one. Teams need to be well trained never to open access to the public unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. AWS Config, with managed rules such as s3-bucket-public-read-prohibited, is also a good measure: it does not block the change, but it flags a bucket that has drifted into a public state so the team finds out before a researcher or an attacker does.
The challenge is that many organizations struggle to adopt and enforce these practices consistently, and a single bucket that slips through is enough for a breach. This is why an investment in cloud operations is a vital additional step.
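To make the "who can read this bucket" question concrete, here is an added example (written for this article, not DivvyCloud’s or AWS’s code) that checks a bucket policy and an ACL for the public grants described above, reports whether the four S3 Block Public Access settings would neutralise them, and shows a public "troubleshooting" policy beside the scoped policy that should replace it. All of the policy, ACL, bucket name, account ID and role name values are constructed for the example and are not Attunity’s real configuration; in practice you would feed it the JSON returned by GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock.

```python
import json

# Group URIs S3 uses in ACLs for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# The four S3 Block Public Access settings; a locked-down bucket has all four on.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _principal_is_everyone(principal):
    """True for a Principal of "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """One finding per Allow statement whose Principal is everyone.

    Each finding notes whether a Condition is attached. AWS treats some
    conditions (e.g. on aws:SourceVpc) as making the grant non-public, but a
    triage tool should surface them for review rather than silently trust them.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, s in enumerate(stmts):
        if s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal")):
            findings.append({
                "sid": s.get("Sid", "Statement[%d]" % i),
                "actions": s.get("Action"),
                "conditioned": bool(s.get("Condition")),
            })
    return findings


def public_acl_grants(acl):
    """(group URI, permission) for every ACL grant to a global group."""
    hits = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"], g.get("Permission")))
    return hits


def audit_bucket(policy=None, acl=None, public_access_block=None):
    """Combine policy, ACL and Block Public Access state into one verdict.

    S3 evaluates Block Public Access before the policy and ACL, so with all
    four settings on a public grant cannot be used anonymously. Partial
    settings are treated as no protection here to keep the check conservative.
    """
    pab = public_access_block or {}
    fully_blocked = all(pab.get(k) for k in BLOCK_PUBLIC_ACCESS)
    policy_findings = public_policy_statements(policy) if policy else []
    acl_findings = public_acl_grants(acl) if acl else []
    return {
        "public_policy": policy_findings,
        "public_acl": acl_findings,
        "block_public_access_complete": fully_blocked,
        "exposed": bool(policy_findings or acl_findings) and not fully_blocked,
    }


# Constructed "before": the kind of policy written while troubleshooting an
# access failure and never reverted. Bucket name and account ID are made up.
RESOURCES = ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TroubleshootingAllowAll", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]}

# Constructed "after": the same actions, granted only to one named role.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupJobOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-job"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]}

# Constructed ACL carrying the classic "public-read" grant beside the owner's.
PUBLIC_READ_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(OPEN_POLICY, PUBLIC_READ_ACL), indent=2))
    print(json.dumps(audit_bucket(SCOPED_POLICY, PUBLIC_READ_ACL, BLOCK_PUBLIC_ACCESS), indent=2))
```

Run it and the first verdict is "exposed": the wildcard principal and the AllUsers READ grant are both reported. The second verdict is not exposed even though the public ACL grant is still there, because all four Block Public Access settings are on and S3 ignores public ACLs in that state; the findings are still listed so the stray grant gets cleaned up rather than relied on. Note that this check reads what is configured; it is the kind of rule an AWS Config managed rule or a CloudOps tool evaluates continuously, rather than a one-off test.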
Invest in Cloud Operations: Cloud operations, or CloudOps, is the combination of people, processes, and tools that allows organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and automating those processes with the right tools. One vital tool in a company’s CloudOps toolkit should be software like DivvyCloud that continuously monitors for cloud misconfigurations, such as a bucket that has become publicly readable, and remediates them. This kind of software allows companies to achieve continuous security and compliance at scale.
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.