AWS S3: Is It Really That Secure?

It is very difficult today to find a security professional who hasn’t already had to deal with the challenges of creating a process or structure based on cloud technologies.

In Amazon S3, objects are stored in structures called buckets. The buckets are famous for their incredible versatility. However, inexperienced users can have trouble using and configuring them.

By default, the contents of S3 are classified as private. However, in many cases, certain content needs to be shared with other systems or people. Herein lies the problem. How well a professional can configure this sharing depends greatly on their knowledge of and experience with this type of solution. Because the configuration is complex, less experience can result in an incorrect configuration, which can put the data at risk.

Fragility of settings

During recent months, we have witnessed several cases in which fragile or incorrect configurations led to the exposure of a great deal of data, leading to numerous problems for users. 

A data breach at VPNMentor was reported in February 2020, which may have exposed the private information of more than a thousand consulting firms in the United Kingdom (UK).

In another case, an AWS S3 failure led to the leak of several actors’ and participants’ data at a video production company, also in the United Kingdom. The distinction matters here: the failure was not due to flaws in the service. It was due to improper and inadequate configuration.

Analysts have been following this leak closely and with great concern, since it may have gone on for quite some time without the owners of the S3 service being aware.

User error

Amazon S3 comes by default with access settings that make data private. So when third parties or external applications need access to data, someone has to change those settings to open it up.

You can configure the service in such a way as to deliver the information securely. However, many professionals performing the configuration have difficulty understanding how the service works or how to carry out the configuration correctly, which involves a few steps.

There is no doubt that these mistakes are not made intentionally. Rather, they result from a poor understanding of the service and its configurations.

There are a number of documents provided by Amazon that I strongly suggest you read and understand. These texts provide valuable information on the service and security measures.

Consequences

It’s easy to imagine how AWS S3 issues could have severe consequences for companies with access to this data. 

In an era of multiple privacy laws being implemented, data leaks are a serious issue that can have huge financial repercussions for companies.

The consequences are clearer still if we focus on the owner of the data instead of thinking only about companies, since attackers can use this data to commit a number of scams. Leaks can cause large amounts of data to be lost, and the damage is hard to measure because it depends on so many factors: for instance, the amount of data leaked, the type of data leaked, and the interests of the attacker.

A leak will certainly have an enormous impact on the owner of the data, and companies will also face significant consequences, as they are subject to the penalties and responsibilities that may fall to them under the current legislation.

Remedies

To start with, I must point out that some problems identified so far within Amazon’s S3 service aren’t related to the service’s fragility but rather to a lack of knowledge or wrong settings made by users. Nevertheless, to avoid future difficulties, you must follow some precautions.

As mentioned above, the material surrounding the security of Amazon’s S3 service is detailed and available for free, so anybody using it can protect themselves. In addition, three basic actions can be taken:

  • When setting up AWS S3, make sure the status is set to “private”, and that authentication protocols are added if necessary.
  • Keep all access and authentication settings in line with Amazon’s guidelines.
  • To ensure that your content is protected, always add more levels of security to AWS S3.

A list like this can only serve as a reminder of what can be implemented; it cannot be taken as a complete AWS S3 secure configuration procedure. Amazon’s documentation is always the best source of more details.
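The first two items in the list can be checked mechanically. The following is an added example, not code from the original article or from AWS: a hypothetical `audit_bucket` function that reviews a bucket's public access block, ACL grants and bucket policy, taken as plain dictionaries in the shape the S3 API returns them, and reports settings that expose data beyond the account. The bucket name, account ID and sample settings are constructed for illustration.

```python
import json

# The four S3 public access block settings; all should be on for a private bucket.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
# Predefined ACL groups that reach beyond your own account.
OPEN_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(pab, acl_grants, policy_json):
    """Return a list of findings for one bucket's access settings."""
    findings = [f"public access block: {flag} is off"
                for flag in PAB_FLAGS if not (pab or {}).get(flag)]
    for grant in acl_grants:
        who = OPEN_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # A wildcard Allow with no Condition applies to every caller.
        # Statements that do carry a Condition still need a manual review.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"policy allows {actions} to any principal")
    return findings

# Constructed sample: a bucket opened up for sharing by making it public.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_ACL = [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/partner"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_PAB, SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

The second policy statement in the sample, which names a single partner role, produces no finding: granting access to a specific principal shares the data without making it public.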

The existence of so many data leaks should not cause you to lose faith in AWS S3. There is no need to remove AWS S3 as a service, and there is no need to look for other options. These data leaks only illustrate the importance of correct usage and configuration.