Network Security, Security Strategy, Plan, Budget

Amazon takes steps to reduce S3 misconfiguration leaks


Amazon is taking action to combat the recent wave of its Amazon S3 server being left misconfigured subsequently exposing potentially sensitive data.

The company announced the addition of five new encryption and security features including default encryption, permission checks, cross-region replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Reports.

“All of these features are available now and you can start using them today!” Jeff Barr is Chief Evangelist for Amazon Web Services said in a Nov. 6 press release. “There is no charge for the features, but you will be charged the usual rates for calls to KMS, S3 storage, S3 requests, and inter-region data transfer.”

The new features mean that users can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted and the S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.

Despite the improvements, researchers warn that system administrators will still need to do their part to ensure the servers are secure. The new S3 security features will add to the wealth of documentation provided by AWS meaning cloud administrators will now need to navigate through more AWS documentation to understand and properly configure the new S3 safeguards, said TDI's Senior Security Engineer, Jesse Dean.

“This could be seen as a step in the right direction to some, or a public relations stunt to others,” Dean said. “On one hand, anything that can increase visibility and ease of configuration goes a long way, but it's far from a silver bullet.”

Dean also criticized the “Default Encryption” feature calling it misleading since it is not actually enabled by default and requires an administrator to enable the feature. In order to properly secure the servers,

Dean said companies need a knowledgeable workforce trained in securing the servers, an agile yet robust governance structure that is communicated from the top down and practiced across all levels of the organizations, and proper monitoring equipment.

Experts agree, Bob Noel, Director of Strategic Relationships and Marketing for Plixer said ultimately, the responsibility for securing data in an Amazon S3 environment falls on the organization to whom the data belongs.

“These efforts from Amazon will not eliminate all S3 data exposures, but they should go a long way in reducing them,” Noel said.  “Each organization that sends data to AWS will need to be paying attention to the dashboards and setting up data encryption rules.”

In addition, Noel said Amazon should consider expanding their passive display in a dashboard approach of notification, with a proactive effort to notify administrators in an out of band manner such as text or email.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.