
Misconfigured AWS S3 Bucket Leads To Data Breach

Author: Eric Kedrosky | Date: July 22, 2020
Read Time: 2 minutes
Skill Level: Technical

On July 19, 2020, a large PaaS provider announced that attackers had accessed one of its misconfigured S3 buckets and altered a copy of development code (a browser-side library) that it shared with customers. The bucket had been left unprotected since 2015, and the attackers found and modified the portion of the code hosted there. The tampered code made the browser load an extra URL that had previously been linked to Magecart attacks. This was a clear case of an opportunistic attack on a misconfigured AWS resource for financial gain, and it appears to be related to a long-running malvertising campaign dating back to 2013.

Once aware of the attack, the company locked down the S3 bucket and pushed a clean version of the library to the same path. A full-scale audit was then carried out to make sure no other misconfigured AWS resources had been missed. No evidence was found that customer data had been accessed. The supply-chain angle is the important one: many attackers look specifically for misconfigured AWS, Azure, or Google Cloud resources belonging to service providers, because a single tampered file there infects every company that relies on the provider.

Enterprise data-management policies must extend to S3 buckets. Too often buckets are left with overly permissive access controls and without default encryption, and a bucket the world can write to is an open door for exactly the kind of tampering described above. Where multiple cloud providers are in use, it is business critical to review the access-control model of each provider on its own terms, since their primitives differ and a control that is safe in one does not imply safety in another.
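As an added example (not code from the original post or from the affected provider), the following Python audits the three things this paragraph calls out: public write grants in the bucket ACL, wildcard-principal write statements in the bucket policy, and missing default encryption. It works on the dict shapes boto3 returns from get_bucket_acl, get_bucket_policy (after json.loads) and get_bucket_encryption, and runs on constructed before/after data for a hypothetical bucket named example-sdk-bucket with a placeholder owner ID.

```python
"""Audit an S3 bucket's ACL, policy and default encryption for world-writable
misconfiguration. Added example; inputs mirror boto3 response shapes and all
sample data below is constructed (placeholder owner ID and bucket name)."""
import fnmatch
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
# ACL permissions that let the grantee change objects or the bucket's own ACL
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Concrete policy actions that would let an attacker replace hosted code
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy"]


def _as_list(value):
    """IAM allows a single string or a list for Action/Principal; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_findings(acl):
    """Flag grants that give the AllUsers/AuthenticatedUsers groups any write."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and permission in WRITE_PERMISSIONS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {permission} to {group}")
    return findings


def policy_findings(policy):
    """Flag Allow statements giving a wildcard principal a write action.
    Patterns like "s3:Put*" are glob-matched case-insensitively, as IAM does;
    statements carrying a Condition are marked for manual review instead."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        writes = [a for a in WRITE_ACTIONS
                  if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if not writes:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        verdict = ("gated by a Condition; review it" if stmt.get("Condition")
                   else "with no Condition")
        findings.append(f"policy {sid}: public {', '.join(writes)} {verdict}")
    return findings


def encryption_findings(encryption):
    """get_bucket_encryption raises when nothing is set; callers pass None then."""
    if not encryption or not encryption.get("Rules"):
        return ["no default server-side encryption configured"]
    return []


def audit_bucket(acl, policy, encryption):
    """Run all three checks and return the combined list of findings."""
    return acl_findings(acl) + policy_findings(policy) + encryption_findings(encryption)


# Constructed sample data. Before: world-readable AND world-writable, unencrypted.
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}  # placeholder canonical ID
WRITABLE_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
WRITABLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRW", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:Put*"],
     "Resource": "arn:aws:s3:::example-sdk-bucket/*"}]}

# After lockdown: public read stays (the bucket serves a browser library),
# but only the owner may write and objects are encrypted by default.
FIXED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"}]}
FIXED_ENCRYPTION = {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    print("before:", json.dumps(audit_bucket(WRITABLE_ACL, WRITABLE_POLICY, None), indent=2))
    print("after:", json.dumps(audit_bucket(FIXED_ACL, FIXED_POLICY, FIXED_ENCRYPTION)))
```

Two caveats a practitioner should keep in mind. First, this ignores the account- and bucket-level S3 Block Public Access settings, which when enabled override public grants in both the ACL and the policy; a real audit should read them first (boto3's get_public_access_block) and treat a bucket without them as exposed to exactly the failure described above. Second, anonymous write is the finding that matters most here: public read may be intentional for a bucket that serves browser code, but nobody outside the owning account should be able to replace what it serves.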

Cloud access-control systems are very powerful, which also makes them very complex, and they are a common source of data breaches, especially in fast-paced development shops that deploy and upgrade constantly. Separating duties between Dev and Security helps reduce this risk, particularly when Dev teams ship updates at high speed. New releases and updates are also a signal to attackers looking for freshly introduced weaknesses, so tooling that blocks code promotion while a known vulnerability or misconfiguration is present is important.

Human error is always a factor, which is why continual education and training of employees, together with the right cloud security platform, matters so much. Visibility into access and configuration changes is crucial during cloud deployments. A SIEM, fed by identity and data security tooling, can alert on high-risk activity such as a bucket ACL or policy change that opens write access to the world.
