reports that 46% of 40,000 AWS S3 buckets analyzed by cloud security firm Lightspin had potential misconfigurations and were thus vulnerable to attack, reflecting a trend among businesses of improperly configuring their cloud storage permissions and leaving sensitive data open to compromise. Such misconfigurations have been blamed for a number of cybersecurity incidents, including the 2017 breaches that targeted Verizon and Booz Allen Hamilton.
Lightspin said the issue could be partially attributed to potentially confusing definitions provided by vendors for some access options, such as the “Objects can be public” option in AWS, which could leave businesses unsure as to whether the objects are secure. In addition, AWS evaluates access permissions of every file at the bucket level instead of the object level, causing the object’s Access Control List to not be considered, according to Lightspin. The report showed that 40% of S3 buckets they assessed have been attached with the “Objects can be public” definition while 4% are defined as public.