AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com)
Amazon's Web Services division rolled out new security features to AWS account owners last week that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets. From a report: Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section. These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies. Account owners will have the ability to apply these new settings for S3 buckets that will be created from now onwards, to apply the new setting retroactively, or both.
I didn't know my video card could leak. I'll have to open it up and check.
This is an absolute no brainer, and IMHO, a must have. Log onto AWS, go to S3, check four checkboxes, type in "confirm", hit OK, and not worry about public buckets again, unless someone explicitly logs in as a root/admin user and unchecks them.
Hopefully more AWS customers do this.
And, very apparently, it is needed. That somebody that already fails to get access permissions for an S3 bucket set right (which is not hard to do) will obviously screw up a lot of other things as well is pretty much a given.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
For the love of god, just make sure read rights don't include file listing rights, and the public can never be given file listing rights. This solves 99.9999% of S3 data leaks. No sane web server gives public file listing rights these days for a reason.
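Added example, written for this page and not taken from the article, ZDNet, AWS or any commenter: a small offline Python model of the four account-level "Public access settings" described in the summary at the top, which also flags the public listing rights the comment just above warns about. Every bucket name, policy and ACL grant in it is constructed; the effect attributed to each setting follows what AWS documents for Block Public Access, but the policy check is simplified (any statement carrying a Condition is treated as non-public, where AWS inspects the condition keys). The CLI command in the module docstring is the real `aws s3control put-public-access-block` invocation with a placeholder account id.

```python
"""Offline model of the four S3 account-level "Block Public Access" settings.

Constructed example; nothing here talks to AWS.  The real CLI call that turns
all four on for an account (placeholder account id) is:

    aws s3control put-public-access-block --account-id <ACCOUNT_ID_PLACEHOLDER> \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicAccessBlock:
    block_public_acls: bool        # reject ACL writes that grant public access
    ignore_public_acls: bool       # ignore public grants already present in ACLs
    block_public_policy: bool      # reject bucket policies that grant public access
    restrict_public_buckets: bool  # deny anonymous callers even if a public policy exists


ALL_ON = PublicAccessBlock(True, True, True, True)
ALL_OFF = PublicAccessBlock(False, False, False, False)

# Grantee URIs that make an ACL grant "public" in AWS's terms.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller enumerate keys (the listing rights the thread warns about).
LIST_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Allow statements granted to everyone; statements with a Condition are
    treated as non-public (simplification of the AWS definition)."""
    found = []
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _principal_is_everyone(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            found.append((stmt.get("Sid", "<no Sid>"), {a.lower() for a in actions}))
    return found


def policy_grants_public_listing(policy):
    return any(actions & LIST_ACTIONS for _, actions in public_statements(policy))


def effective_exposure(settings, acl_grants, policy):
    """What an anonymous caller can still do once the account-level settings apply.
    acl_grants: bucket-ACL grants as {"grantee": <uri>, "permission": <READ|...>};
    READ on a bucket ACL means 'list the bucket'."""
    public_acl = [g for g in acl_grants if g["grantee"] in PUBLIC_GRANTEES]
    acl_lists = any(g["permission"] in ("READ", "FULL_CONTROL") for g in public_acl)
    acl_live = bool(public_acl) and not settings.ignore_public_acls
    policy_live = bool(public_statements(policy)) and not settings.restrict_public_buckets
    return {
        "anonymous_via_acl": acl_live,
        "anonymous_via_policy": policy_live,
        "anonymous_listing": (acl_live and acl_lists)
                             or (policy_live and policy_grants_public_listing(policy)),
    }


def is_public(settings, acl_grants, policy):
    return any(effective_exposure(settings, acl_grants, policy).values())


def put_policy_allowed(settings, policy):
    """Would a PutBucketPolicy with this document be accepted under the settings?"""
    return not (settings.block_public_policy and public_statements(policy))


def put_acl_allowed(settings, acl_grants):
    """Would an ACL write carrying these grants be accepted under the settings?"""
    public = any(g["grantee"] in PUBLIC_GRANTEES for g in acl_grants)
    return not (settings.block_public_acls and public)


# --- constructed sample data (not real buckets) -------------------------------
READ_AND_LIST_POLICY = {   # the pattern the thread warns about: public key listing
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAndList", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
OBJECT_ONLY_POLICY = {     # public object reads, but no enumeration of keys
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadObjectsOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
PUBLIC_READ_ACL = [{"grantee": "http://acs.amazonaws.com/groups/global/AllUsers",
                    "permission": "READ"}]


def still_public_after(settings, buckets):
    """Names of buckets an anonymous caller could still reach under `settings`."""
    return [name for name, acl, pol in buckets if is_public(settings, acl, pol)]


if __name__ == "__main__":
    buckets = [("leaky-acl", PUBLIC_READ_ACL, None),
               ("leaky-policy", [], READ_AND_LIST_POLICY),
               ("private", [], None)]
    print("before:", still_public_after(ALL_OFF, buckets))  # ['leaky-acl', 'leaky-policy']
    print("after: ", still_public_after(ALL_ON, buckets))   # []
```

The model separates the two halves of the feature the summary describes: `IgnorePublicAcls` and `RestrictPublicBuckets` neutralise public grants that already exist (the retroactive case), while `BlockPublicAcls` and `BlockPublicPolicy` reject new ones at write time. It also shows why the comment above singles out listing: `OBJECT_ONLY_POLICY` exposes individual objects to anyone who knows a key, but `READ_AND_LIST_POLICY` and a public `READ` grant on the bucket ACL let an anonymous caller enumerate every key first.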
There is a giant PUBLIC label on each of your public buckets when you view your list of buckets on the web. How do people get confused about this?
Uh, what? Can you try that in English?
ZIP
Why wasn't this a thing and turned on by default by design?
Default deny is a normal expected security design.
So what happens when your app completely fails because the developers never built in authentication, and just relied on it being public?
These sorts of system misconfigs are rarely as simple as logging in and spending 5 minutes changing the config. It's possible the buckets were made public and don't need to be, and this would work without a problem. The more likely scenario is that somewhere, some piece (or all of it) isn't authenticating and is relying on the buckets being public. Finding that piece is often non-trivial and likely involves a full regression test.
what about adding all users (in your account / group) and make the other all users read ALL AWS users (PUBLIC)
What happens is, you are an asshole for letting your developers never build in authentication and make something sensitive public.
Assholes like you are why these leaks happen in the first place, asshole.
For this reason, God sends them a powerful delusion(operation of wandering)(planet) so that they will believe the lie.
Working of Error
I wonder how many of these are left over from testing. A developer is having trouble getting something to work, so they *temporarily* open up the SG to test it, removing one variable. After they get it working they forget to secure it again.
Anyway, our AWS security service (Alert Logic) checks for this and I know we catch public buckets fairly often.
Who the heck is she? We all know you never speak to women.
gweihir KNOWS you IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... forgetting to SUBMIT BY AC & f'd up using his registered 'lusrname' instead (just because he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).
YOU EVEN HELPED ME https://science.slashdot.org/c... (& you quit trying to make me look bad by trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... & regarding Intel speculative execution attacks? Guess what?? Hosts DO PREVENT THEM)
APK
P.S.=> LMAO - I totally KNOW that 3rd/2nd to last link above's KILLING YOU that YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK by stopping you being INFESTED by what uses them on you - YOU LOSE (& YOU STOPPED TRYING THAT in your impersonations of me, lol) .... apk
See subject (literally the prog's name) & MUCH like me vs. "your kind"? She ANNIHILATES you "not men", lol!
E.g. 'case in point' PROOF https://tech.slashdot.org/comm... especially vs. ZIP the BLOWHARD fool https://linux.slashdot.org/com... w/ nothing REAL or APPLICABLE out there he can demonstrate.
* That is what KILLS you LAZY do-NOTHING "ne'er-do-wells" vs. me IN THE EYES OF OTHERS per proof https://science.slashdot.org/c... & you KNOW it, PAPERTigers... lol!
Like I said to ZIP quoting Woody Harrelson? "I've hustled a HELL of a lot better players than you Sidney"
(& like the REAL tiger? It appears MY KIND producing tools of value + actual REAL WORLD RESULTS is a DYING BREED being replaced by ZEROS!)
APK
P.S.=> ... & THAT's YOUR FAULT that YOU're a "CRYberian" (lol) PUSSY (no WAY punks like you = tigers), not mine... apk
If the app completely halts, then the developers will be more than happy to talk to the corporate compliance officer when I mention that what they did would cause the entire company to fail an audit, if they haven't already. Stuff like losing a Visa merchant account is stuff that even the most pointy-headed realizes will hurt them.
I worked at a place where devs did something very similar. They whined when I forced them to use better passwords, and I took away the AWS root user from them, forcing them to use their own admin users. However, I always let them know that they can always talk to the compliance officer, as I'm sure everyone there preferred to keep their job with a little bit of work, as opposed to the company being shut down for PCI-DSS violations.
In your IMPERSONATIONS of me (like u do now) saying what you thought "makes me look bad" e.g. https://tech.slashdot.org/comm... (like now)? You did me a favor & got me to look @ these closely:
1st - Hosts stop portsmash (blocking downloads of it) "You basically have to already be able to run your own evil code on a machine in order to PortSmash it." from https://www.theregister.co.uk/...
2nd hosts MAY prevent the OTHER forms of Intel CPU weakness per ACADEMIC RESEARCH I read:
SPECTRE "As an attempted mitigation for our JavaScript-based attack" https://spectreattack.com/spec...
MELTDOWN "We presented Meltdown, a novel software-based attack" https://meltdownattack.com/mel...
So like portsmash?
Academics NEEDED LOCAL CODE (like portsmash hosts can prevent) so hosts ALSO work vs. Spectre/Meltdown!
APK
P.S.=> 3rd strike "yer out" - U FAIL PORTFILTERING TESTS https://yro.slashdot.org/comme... (IF hosts could DO it I'd implement it in my work & I STOP THAT ERROR) ... apk
No version of my ware does "hosts portfilters" & never has - u IMPERSONATING me says it (everyone knows you do https://apple.slashdot.org/com... & THERE's NO "VERSION 3" out there (not for Linux/BSD or Windows).
* Look - I know you're NOT too intelligent & all but, please - give up already, lol!
(You FOOLS that STALK/harass/IMPERSONATE me expended 100's of useless effete 'wannabe weapon' downmods for CENSORSHIP on me the past 3 weeks now & for what? TO LOSE - why?? Ok - you're LITERALLY fighting a 95++% accurate AUTOMATED SYSTEM of mine (yes, done in FreePascal using regions code to determine a LIMITED SET of captchas on /. & when it errs it records the ones it has & adds them to its tables) POWERED by an Intel 4790k CPU! I beat ALL of your downmods (95% for sure @ least).
CLUE: YOU CAN'T WIN! Especially "putting words in my mouth" I don't say.
APK
P.S.=> In fact, it's SO GOOD, I am SURE I can LITERALLY take on 1,000 of you doing it & overnight while I sleep she works RESUBMITTING what I tell it to on posts I do - IF they change by even 1 byte (score)? She resubmits & SHE WORKS GREAT (like all I do in code), lol - & YOU LOSE as always... apk