CSO Journalist

After Australia’s 50k PII cloud leak, AWS launches leaky S3 buckets labels and warnings

Nov 08, 2017

Application Security, Backup and Recovery, Business Continuity

Public labels aim to help admins see which buckets are publicly accessible

Amazon Web Services (AWS) has rolled out an update to the AWS S3 Console that adds prominent labels showing which S3 buckets are publicly accessible.

The new feature comes on the heels of a massive leak from a misconfigured S3 bucket that exposed personally identifiable information (PII) and financial information on nearly 50,000 Australian government and private sector staff.

The leak was caused by an unnamed contractor incorrectly setting an S3 bucket to public. Such a breach is worse still when no access controls are placed on the individual files within a public bucket.

AWS announced the new “permissions checks” labels on Monday. The S3 Console now displays a yellow “Public” label next to each S3 bucket name if it is publicly accessible. A summary at the top of the page displays how many of the total number of buckets are “public”.

This should make it more difficult for admins to accidentally leave a bucket public.

The “Public” indicator is also displayed beneath the permissions tab when viewing a single bucket. The interface tells users whether the Access Control List (ACL), the bucket policy, or both are making the bucket publicly available. It also carries a general warning that AWS recommends admins never grant any kind of public access to an S3 bucket.

Ensuring that S3 buckets holding sensitive information are walled off from the public is a long-known challenge for AWS admins. In 2013 Rapid7 found that 1,951 of the 12,328 S3 buckets it identified were left open, providing public access to 126 billion files, including personal photos, sales records, staff information and more.

In July, AWS had notified several customers by email that their S3 bucket ACLs were configured to allow public access. That warning followed the discovery of accessible S3 buckets containing data on millions of Dow Jones customers and millions of Verizon customers.

Researcher Chris Vickery also recently discovered leaky S3 buckets containing data about Accenture’s Cloud Platform and customers using it.

AWS has recently updated its advice on S3 bucket public access, which explains the implications of different ACL policies and describes the difference between “READ” and “WRITE” access on public S3 buckets. READ access can reveal object names without necessarily revealing their contents, while WRITE access could allow anyone to modify or delete objects and use a customer’s AWS resources.

AWS also rolled out a new control that enables admins to mandate that all objects in a bucket are encrypted by default.
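The console label described above is derived from two documents an admin can already fetch for any bucket: its ACL and its bucket policy. The following is an added example, not AWS code or anything from the article: a small offline audit that reads the dict shapes the S3 API returns for a bucket ACL, a bucket policy and a bucket encryption configuration, and reports whether the bucket is public, whether the ACL, the bucket policy or both cause it, whether the public gets READ or WRITE access in the sense the AWS guidance draws, and whether default encryption is enforced. The sample documents are constructed; the group URIs and the document field names are the real ones S3 uses. The policy evaluation is deliberately conservative and simplified (it ignores `NotAction`, `NotPrincipal` and `Deny` statements, and treats any statement with a `Condition` as not public), so it is a triage aid, not a substitute for the service's own evaluation.

```python
"""Offline audit of S3 bucket configuration documents (hypothetical helper)."""
import json

# Real S3 predefined-group grantee URIs. AuthenticatedUsers means *any* AWS
# account, so AWS treats it as public as well.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions mapped onto the READ/WRITE distinction: READ lets anyone
# list object keys, WRITE lets anyone add, overwrite or delete objects.
ACL_READ = {"READ", "FULL_CONTROL"}
ACL_WRITE = {"WRITE", "FULL_CONTROL"}


def acl_public_access(acl):
    """Return the set of access kinds ({'READ', 'WRITE'}) the ACL grants to
    everyone. `acl` has the shape returned by GetBucketAcl."""
    kinds = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant.get("Permission")
            if perm in ACL_READ:
                kinds.add("READ")
            if perm in ACL_WRITE:
                kinds.add("WRITE")
    return kinds


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_access(policy):
    """Return the access kinds an anonymous principal gets from a bucket
    policy. Accepts a dict or the JSON string GetBucketPolicy returns.
    Simplification: Deny, NotAction, NotPrincipal are ignored and any
    statement carrying a Condition is treated as not public."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    kinds = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            a = action.lower()
            if a in ("*", "s3:*"):
                kinds.update({"READ", "WRITE"})
            elif a.startswith(("s3:get", "s3:list")):
                kinds.add("READ")
            elif a.startswith(("s3:put", "s3:delete")):
                kinds.add("WRITE")
    return kinds


def public_label(acl, policy=None):
    """Mirror the console's 'Public' label: (is_public, causes, kinds) where
    causes lists which of 'ACL' and 'Bucket Policy' make the bucket public."""
    causes, kinds = [], set()
    acl_kinds = acl_public_access(acl)
    if acl_kinds:
        causes.append("ACL")
        kinds |= acl_kinds
    if policy is not None:
        pol_kinds = policy_public_access(policy)
        if pol_kinds:
            causes.append("Bucket Policy")
            kinds |= pol_kinds
    return bool(causes), causes, kinds


def default_encryption_enforced(encryption_config):
    """True if a GetBucketEncryption document applies SSE to new objects."""
    rules = (encryption_config or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


# Constructed sample documents (not from any real account).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACL_PRIVATE = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_ACL_PUBLIC_READ = {"Grants": SAMPLE_ACL_PRIVATE["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY_PUBLIC_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    print(public_label(SAMPLE_ACL_PUBLIC_READ, SAMPLE_POLICY_PUBLIC_WRITE))
    print(default_encryption_enforced(SAMPLE_ENCRYPTION))
```

In practice the three inputs would come from `get_bucket_acl`, `get_bucket_policy` (whose `Policy` field is a JSON string, which the helper accepts) and `get_bucket_encryption` for each bucket, giving a scripted version of the summary the console now shows at the top of the bucket list; a bucket reported as public with WRITE in its kinds is the case the AWS guidance singles out as most damaging.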


Liam Tung is a seasoned tech reporter who has been covering cybersecurity, privacy, business, and legal issues that shape the tech industry in the US, Europe and Australia. Over the past decade, his work has frequently been distributed on influential tech news aggregator sites including Techmeme, Reddit, and Hacker News, the news-sharing site run by Silicon Valley accelerator Y Combinator. Liam has worked with IDG Australia since 2011 and today remains one of its key contributors, offering news and insights into the latest ransomware threats from cybercriminals and government surveillance, as well as new initiatives from government cybersecurity agencies and global tech giants, including Google, Microsoft, Amazon, Facebook, Oracle and the many companies and organizations that specialize in cybersecurity. He's always on the lookout for the latest information about vulnerabilities and cyberattacks that could compromise the integrity of your data.
