Just when we thought that the incidents involving S3 bucket leaks were slowing down, The Washington Post reports that Facebook user data from over 540 million users was exposed in publicly accessible AWS S3 buckets. We are about a year past the Cambridge Analytica debacle, and with this latest security issue the question is: can Facebook actually protect its users' privacy?
According to The Washington Post, the security firm UpGuard discovered the trove of data exposed from not one, but two different Facebook apps. Cultura Colectiva, a media company based in Mexico City, was the first app discovered with an open AWS S3 bucket exposing 540 million records on Facebook users, totaling 146GB of data that included everything from comments and likes, to account names and Facebook IDs. The second misconfiguration comes from Facebook-integrated app At the Pool, which published plain text data on 22,000 Facebook users to a public Amazon S3 bucket.
Notable 2018 AWS S3 Bucket Leaks:
- FedEx
- National Credit Federation
- Australian Broadcasting Corporation
- Dow Jones
- Deep Root Analytics
How did these S3 Buckets get exposed?
Check out what we wrote last year, when PocketiNet misconfigured an S3 bucket exposing 73 gigabytes of operational data. It remains applicable today: “We don’t know for sure, but oftentimes the S3 Bucket configuration is incorrect. The created container permissions may have been too broad, which allows anyone to access the data (as may be the case with the Facebook apps). Again, Cultura Colectiva’s S3 Buckets may have been serviced by people who aren’t familiar with security, thus the developer who created the container was unaware of how to properly secure it, or it was something as simple as an oversight. For example, in Cultura Colectiva’s case, they may have had a developer who was troubleshooting an issue that was causing an application to fail and suspected the S3 Bucket access was to blame. The developer may have tweaked the S3 configuration, leaving it open to the public, and as the application began working again, moved on to another project. Now they have an exposed S3 Bucket. It may not have even been the developer’s fault, as someone else may have altered the bucket’s configuration at a later date for any number of reasons. The point is, so many organizations are made vulnerable because a lot of them don’t have processes that prevent insecure software deployments.”
How do organizations avoid S3 bucket leaks?
For starters, the Facebook app makers could have done nothing at all and stayed safe. Amazon S3 buckets are private by default and can only be accessed by users who have been explicitly given access. By default, the account owner and the resource creator are the only ones who have access to an S3 bucket and its keys, so someone has to deliberately misconfigure an S3 bucket to expose the data.
Amazon has been actively working to help companies avoid breaches caused by misconfiguration. In November 2017, AWS added a number of new Amazon S3 features to augment data protection and simplify compliance. For example, they made it easier to ensure encryption of all new objects and to monitor and report on their encryption status. They have also provided guidance on approaches to combat this issue, like the use of AWS Config to monitor for and respond to S3 buckets that allow public access.
As the most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities. Ensure that you are always purposefully using AWS S3 access policies to define who can access the objects stored within. Ensure your team is well trained to never open access to the public unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.
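The check that AWS Config performs for this misconfiguration class can be reproduced offline over the documents a bucket already carries. The following is an added example, not code from the original post or from DivvyCloud: it inspects a bucket's ACL grants, its bucket policy, and its Block Public Access configuration, and reports anything that grants access to everyone, which is the condition the managed AWS Config rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited evaluate. The bucket name, account ID, role name and all documents below are constructed; in a real run the three inputs would come from boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls. The open bucket is shown beside its hardened counterpart (owner-only ACL, a policy scoped to one IAM role, and Block Public Access fully enabled).

```python
import json

# Grantee URIs that AWS uses for "anyone" and "any AWS account holder" in bucket ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# The four settings of a PublicAccessBlockConfiguration; all must be true to fully shield a bucket.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy grammar allows a string or a list in Statement/Principal/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Grants in a GetBucketAcl-shaped dict that go to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append((who, grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Allow statements whose Principal is everyone. An unconditioned wildcard is
    'public'; a wildcard with a Condition block is 'review', since the condition
    may (or may not) narrow access to e.g. one VPC or one source account."""
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((severity, stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def assess_bucket(name, acl, policy, public_access_block):
    """Human-readable findings for one bucket; an empty list means nothing to fix.
    public_access_block is the PublicAccessBlockConfiguration dict, or None if unset."""
    pab = public_access_block or {}
    shielded = all(pab.get(key) for key in BLOCK_KEYS)
    findings = []
    for who, perm in public_acl_grants(acl):
        kind = "WRITE" if perm in WRITE_PERMS else "READ"
        findings.append(f"{name}: ACL grants {perm} to {who} ({kind} access)")
    for severity, sid, actions in public_policy_statements(policy):
        findings.append(f"{name}: policy statement {sid} allows {actions} to any principal [{severity}]")
    if findings and shielded:
        # Block Public Access overrides public grants, but the documents should still be fixed.
        findings = [f + " (masked by Block Public Access)" for f in findings]
    elif not findings and not shielded:
        findings.append(f"{name}: no public grants, but Block Public Access is not fully enabled")
    return findings


# Constructed sample documents; the bucket, owner ID, account ID and role are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
OPEN_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"}]
}""")
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAFE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"}]
}""")
FULL_BLOCK = {key: True for key in BLOCK_KEYS}


def demo():
    """Run the check over the open bucket and over its hardened counterpart."""
    return {"open": assess_bucket("example-app-uploads", OPEN_ACL, OPEN_POLICY, None),
            "hardened": assess_bucket("example-app-uploads", SAFE_ACL, SAFE_POLICY, FULL_BLOCK)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

Two design points are worth noting. AuthenticatedUsers is treated as public because any person can create an AWS account, so a grant to that group is only nominally restricted. And a wildcard principal that carries a Condition is reported for review rather than as public, because conditions such as a source VPC or source account can legitimately narrow it; a scanner that silently accepted every conditioned wildcard would miss the ones whose condition does nothing useful.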
The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach. This is why an investment in cloud operations is a vital additional step.
Invest in Cloud Operations:
Cloud operations, or CloudOps, is the combination of people, processes, and tools that allows organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and automating those processes with the right tools. One vital tool in your CloudOps toolkit should be software like DivvyCloud, which monitors and remediates cloud misconfigurations, allowing you to achieve continuous security and compliance at scale.
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.