As we continue to hear in the news about Amazon S3 bucket breaches, Amazon continues to try to stem the reputational damage. I am not aware of any of those data spills being caused by bugs in Amazon software, but the reputational damage is still real.
Over the past year or so Amazon has made a number of changes:
- New S3 buckets are private by default. A bucket only becomes readable by the world when someone in the account grants that access, through a bucket ACL or a bucket policy, so data leaking from a bucket created after this change was exposed by a configuration change in the account, not by the default.
- Next, Amazon added console indicators and reports that show admins which S3 buckets and objects are publicly accessible (see this article for more details). After this change, any admin could, with a small amount of effort, see whether any of their S3 data was publicly exposed.
Even after these changes, there were breaches every month. To be really blunt, companies that were still leaking data just weren't paying attention. There is no good reason why we continue to have data leaks, but we do.
In fairness, part of the problem is that it is so easy to create resources on Amazon, and companies often do not have the right controls in place. People create storage buckets and forget about them, leave the company, or change jobs. Now we have orphaned data, sometimes publicly exposed.
Whether data is stored locally or in the cloud, proper IT governance is critical to protect company information.
Enter S3 Block Public Access. With this new feature, admins can block public access for a single bucket or for every bucket in the account from one place, the S3 console (the same settings are exposed through the API and CLI). The feature consists of four settings: block new public ACLs, ignore any public ACLs that already exist, block new bucket policies that grant public access, and restrict access to buckets that already have a public policy so that only principals in the account can use them.
Because the block is enforced by S3 itself, it stops public access even if a user accidentally tries to make data public: the request to set the public ACL or policy is rejected, and existing public grants are no longer honored. It should be totally effective if people use it correctly.
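To make the four settings concrete, here is a small Python model of how they interact with a bucket's ACL and policy. It is an added example written for this post, not AWS code: the "is this public?" tests are simplified (real S3 policy evaluation also treats some conditions, such as restrictions to a specific VPC, as non-public), and the bucket names, account ID and ACL/policy documents are constructed sample data.

```python
# Added example: simplified model of the S3 Block Public Access settings.
# Not AWS code; the public/non-public tests are deliberately simplified.

# Grantee groups that make a bucket or object readable by anyone.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl: dict) -> bool:
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def policy_is_public(policy: dict) -> bool:
    """Simplified 'public policy' test: an Allow statement with a wildcard
    Principal and no Condition that narrows who can use it."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = "*" in aws if isinstance(aws, list) else aws == "*"
        if wildcard and not stmt.get("Condition"):
            return True
    return False


class PublicAccessBlock:
    """The four Block Public Access settings. All False means the feature is off."""

    def __init__(self, block_public_acls=False, ignore_public_acls=False,
                 block_public_policy=False, restrict_public_buckets=False):
        self.block_public_acls = block_public_acls
        self.ignore_public_acls = ignore_public_acls
        self.block_public_policy = block_public_policy
        self.restrict_public_buckets = restrict_public_buckets


NO_BLOCK = PublicAccessBlock()
BLOCK_ALL = PublicAccessBlock(True, True, True, True)


class Bucket:
    """A bucket whose PUT ACL / PUT policy calls are checked against the block."""

    def __init__(self, name: str, pab: PublicAccessBlock):
        self.name, self.pab = name, pab
        self.acl = {"Grants": []}
        self.policy = None

    def put_acl(self, acl: dict) -> None:
        # BlockPublicAcls: reject the request that would create a public grant.
        if self.pab.block_public_acls and acl_is_public(acl):
            raise PermissionError("AccessDenied: BlockPublicAcls rejects public ACL")
        self.acl = acl

    def put_policy(self, policy: dict) -> None:
        # BlockPublicPolicy: reject a bucket policy that grants public access.
        if self.pab.block_public_policy and policy_is_public(policy):
            raise PermissionError("AccessDenied: BlockPublicPolicy rejects public policy")
        self.policy = policy

    def anonymous_read_allowed(self) -> bool:
        """Would an unauthenticated GET succeed under the current settings?"""
        # IgnorePublicAcls: existing public grants are simply not honored.
        via_acl = acl_is_public(self.acl) and not self.pab.ignore_public_acls
        # RestrictPublicBuckets: a public policy only works for the account itself.
        via_policy = (self.policy is not None and policy_is_public(self.policy)
                      and not self.pab.restrict_public_buckets)
        return via_acl or via_policy


# Constructed sample documents (owner ID and account ID are placeholders).
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::old-backups/*"},
]}
ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::old-backups/*"},
]}


def demo_accidental_public_acl() -> bool:
    """With the block on, an admin's mistaken public-read ACL is refused."""
    bucket = Bucket("corp-reports", BLOCK_ALL)
    try:
        bucket.put_acl(PUBLIC_READ_ACL)
    except PermissionError:
        return True
    return False


def demo_orphaned_bucket():
    """A bucket left public years ago, then the account-level block is turned on
    without anyone touching the bucket. Returns (readable before, readable after)."""
    bucket = Bucket("old-backups", NO_BLOCK)
    bucket.put_acl(PUBLIC_READ_ACL)      # allowed at the time
    bucket.put_policy(PUBLIC_POLICY)     # allowed at the time
    before = bucket.anonymous_read_allowed()
    bucket.pab = BLOCK_ALL               # account-wide block switched on later
    after = bucket.anonymous_read_allowed()
    return before, after


if __name__ == "__main__":
    print("public ACL rejected:", demo_accidental_public_acl())
    print("orphaned bucket readable (before, after):", demo_orphaned_bucket())
```

In a real account the same four settings are applied account-wide with `aws s3control put-public-access-block --account-id <id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, or per bucket with `aws s3api put-public-access-block --bucket <name> ...`. The `demo_orphaned_bucket` case is the one that matters for forgotten buckets: nobody has to find and fix the old ACL, because the account-level block stops honoring it.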
However, I predict that people will not use it, just like the tools that have already been deployed.
If this tool is used correctly, it will also protect those orphaned buckets: the account-level setting applies to every bucket that already exists in the account, so nobody has to track them down one by one.
What it will not protect against is shadow AWS accounts created outside the corporate account structure. The block only covers the account it is set on, so a bucket in an account the security team does not know about is as exposed as ever.
Amazon is trying very hard to protect people’s information, but it requires people to do their part.
Information for this post came from Help Net Security.