Sergey Nivens - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Risk & Repeat: Why are Amazon S3 buckets spilling on the web?

Listen to this podcast

In this week's Risk & Repeat podcast, SearchSecurity editors discuss the series of enterprise data leaks through misconfigured Amazon S3 buckets and what should be done about them.

More corporate data has been accidentally exposed through Amazon's Simple Storage Service in recent weeks, raising questions about enterprise security practices.

The most recent exposure of Amazon S3 buckets occurred with Dow Jones & Company Inc. when cybersecurity firm UpGuard Inc. discovered a public S3 bucket containing information for millions of Dow Jones customers, including names, addresses, email addresses and partial credit card numbers.

UpGuard researchers reported the bucket had permission settings that allowed any AWS account holder to download the data from the resource's URL; Dow Jones attributed the exposure to an "internal error."

The Dow Jones incident follows other high-profile discoveries by UpGuard of S3 buckets that were apparently misconfigured by major enterprises, such as Verizon and Booz Allen Hamilton. The lack of access control and permissions settings caused these data repositories to be publicly accessible on the web.

How did these misconfigurations happen? Should Amazon do more to help customers avoid these mistakes? Why are enterprise security policies failing to prevent data exposures in the cloud?

In this episode of the Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss how these S3 buckets are spilling data, what the consequences are and what should be done about it. They also provide an update on the ongoing controversy surrounding Symantec's certificate authority business.

Next Steps

Risk & Repeat: Kaspersky Lab removed from GSA schedule

Risk & Repeat: Machine learning poised to revolutionize identity and access control

Risk & Repeat: How NotPetya ransomware changes the threat landscape

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Who should bear responsibility for the Amazon S3 cloud leaks: the customers or Amazon? Why?
I think the responsibility falls on the customer/enterprise. Amazon provides the security settings to ensure that sensitive data remain secure. It's up to the customer/enterprise to properly configure and manage their files. 
As indicated on the podcast, I generally agree. I don't subscribe to the notion that Amazon's documentation/guidelines for AWS in general, and permissions/AIM specifically, are "too easy" to read, and that's somehow caused customers to misconfigure. I think the onus is on enterprises to 1) have experience people with the proper knowledge set up and manage their cloud resources, and 2) have corporate policies for access control that will prevent any change in settings to resources with crucial/sensitive data without the review and express approval of the infosec team. 
It is clearly the customers responsibility to properly harden the virtual server. This speaks of the governance behind the configuration. And, where was the QA prior to deployment into production? You do not shift all risk to the provider when moving to the cloud. I hope others learned from the mistakes.