Exposed AWS S3 Buckets == Directory Listing | Avaya Case Study

Overview

During conversations with administrators about exposed AWS S3 buckets or traditional directory listing, the feedback often received is: "since the listed objects or files do not contain any sensitive information, the configuration of the bucket (or directory) is fine even if it is exposed." This can be argued against on multiple fronts. Consider the following points:

  1. Any information disclosed via directory listing or S3 bucket exposure (object names, sizes, timestamps, naming conventions, internal project or host names) can be used in other attacks, for example targeted phishing, guessing related paths, or locating backups and build artifacts.
  2. From a configuration standpoint, enterprises and organizations do not need an explicit listing of objects or resources. A direct link to each file that is intentionally shared through other channels should suffice. The idea is to make only specific files public, not the complete directory or bucket.
  3. Attackers still get access, via the listing, to files they were never supposed to reach: the owner may have intended only one file to be shared, but the listing reveals every object in the bucket.
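To make point 3 concrete, here is what an anonymous visitor actually receives from a listable bucket and how little effort it takes to turn that into a target list. This is an added example, not code from the original post or from Avaya; the ListBucketResult XML is constructed in the format S3 returns for a GET on the bucket root, and the bucket name `example-assets` and all keys in it are hypothetical.

```python
"""Parse an S3 bucket listing the way an attacker reads it.

The sample XML below is constructed (not captured from any real bucket) in the
ListBucketResult format S3 returns for an anonymous GET of
https://<bucket>.s3.amazonaws.com/ when listing is allowed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key names that should never sit in a listable bucket even if each file looks
# harmless on its own: backups, database dumps, env files, private keys, archives.
SENSITIVE = re.compile(
    r"\.(bak|sql|env|pem|key|p12|pfx|log|zip|tar\.gz)$"
    r"|(^|/)(\.git|backup|dump|secret|credential)",
    re.IGNORECASE,
)

# Constructed sample: bucket 'example-assets' and all keys are hypothetical.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-assets</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>images/logo.png</Key>
    <LastModified>2019-03-01T10:00:00.000Z</LastModified><Size>18432</Size></Contents>
  <Contents><Key>docs/datasheet.pdf</Key>
    <LastModified>2019-03-02T10:00:00.000Z</LastModified><Size>204800</Size></Contents>
  <Contents><Key>backup/site-2019-02.sql</Key>
    <LastModified>2019-03-03T10:00:00.000Z</LastModified><Size>73400320</Size></Contents>
  <Contents><Key>deploy/.env</Key>
    <LastModified>2019-03-04T10:00:00.000Z</LastModified><Size>512</Size></Contents>
</ListBucketResult>"""


def parse_listing(xml_bytes):
    """Return (entries, is_truncated); each entry has key, size and last_modified."""
    root = ET.fromstring(xml_bytes)
    entries = []
    for c in root.iter(S3_NS + "Contents"):
        entries.append({
            "key": c.findtext(S3_NS + "Key"),
            "size": int(c.findtext(S3_NS + "Size", "0")),
            "last_modified": c.findtext(S3_NS + "LastModified"),
        })
    # A truncated page means the bucket has more than MaxKeys objects; the
    # caller must re-request with ?marker=<last key> to see the rest.
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return entries, truncated


def flag_sensitive(entries):
    """Keys whose name alone marks them as worth a closer look."""
    return [e["key"] for e in entries if SENSITIVE.search(e["key"])]


def audit_listing(xml_bytes):
    """Offline summary of one listing page: object count, truncation, flagged keys."""
    entries, truncated = parse_listing(xml_bytes)
    return {
        "objects": len(entries),
        "truncated": truncated,
        "total_bytes": sum(e["size"] for e in entries),
        "flagged": flag_sensitive(entries),
    }


def fetch_listing(bucket, marker=None, timeout=10):
    """Anonymous GET of the bucket root (network; not used by audit_listing).

    HTTP 200 with a ListBucketResult body means listing is open to everyone;
    a 403 AccessDenied means it is not. Only run this against buckets you own
    or are authorised to test.
    """
    url = f"https://{bucket}.s3.amazonaws.com/"
    if marker:
        url += f"?marker={marker}"
    req = Request(url, headers={"User-Agent": "s3-listing-check"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
```

Nothing here needs credentials: the listing is what S3 hands to anyone who asks once the bucket permits `ListBucket`. The flagged keys are the point of the exercise; the administrator who shared `docs/datasheet.pdf` on purpose probably did not intend to advertise `backup/site-2019-02.sql`.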

Avaya : Case Study

One of Avaya's AWS S3 buckets (https://www.avaya.com/en/) was found to be exposed on the Internet, as shown below:

The issue was responsibly disclosed to Avaya so that the configuration could be changed. The team responded that the directory did not contain any confidential information and that they were still investigating. At the time of writing, the AWS S3 bucket was still exposed.

Generally, this should be taken care of as soon as possible, irrespective of whether the files contain confidential or sensitive information: the associated bucket should not be listable. In any case, the listing of objects or resources reveals unnecessary information.

We are disclosing this information for educational purposes only.

Editing AWS S3 Buckets Access
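Listing is granted in one of two places: a bucket ACL that gives the `AllUsers` group READ (the console's "Everyone: List objects"), or a bucket policy that allows `s3:ListBucket` to principal `*`. The block below, an added example that is not part of the original post and not Avaya's configuration, checks both offline and shows the weak policy next to the hardened one that keeps only per-object `GetObject` on a single prefix. The bucket name `example-assets` and the `public/` prefix are hypothetical; only `apply_hardening` touches AWS and it requires credentials and boto3.

```python
"""Find and fix the settings that make an S3 bucket listable.

Everything except apply_hardening runs offline on policy/ACL documents in the
same JSON shape the S3 API returns. Bucket 'example-assets' is hypothetical.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# AuthenticatedUsers is effectively public too: any AWS account anywhere counts.
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Weak: anyone can enumerate the bucket AND read every object.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicListAndRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"],
    }],
}

# Hardened: no ListBucket, no bucket-level ARN; only direct links under public/
# work, which is all the "share a file" use case needs.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadSpecificPrefixOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-assets/public/*",
    }],
}

# Weak ACL as returned by get_bucket_acl: bucket READ for AllUsers = listing.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_anonymous(principal):
    """True for '*' or {'AWS': '*'}: no AWS account needed to match."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_list(action):
    """Exact s3:ListBucket or any wildcard that covers it (s3:List*, s3:*, *)."""
    a = action.lower()
    if a == "s3:listbucket":
        return True
    return a.endswith("*") and "s3:listbucket".startswith(a[:-1])


def policy_allows_anonymous_listing(policy):
    """Flag any Allow statement giving an anonymous principal ListBucket.

    Conditions are deliberately ignored: a statement narrowed by aws:SourceIp
    still deserves review, so this errs on the side of reporting.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if any(_grants_list(a) for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def acl_allows_public_listing(acl):
    """Bucket-level READ (or FULL_CONTROL) for AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def apply_hardening(bucket, policy=HARDENED_POLICY):
    """Apply the fix through the real API (needs credentials; not run offline)."""
    import boto3  # assumed installed where this is actually executed
    s3 = boto3.client("s3")
    # Block public ACLs outright. BlockPublicPolicy/RestrictPublicBuckets stay
    # off only because the hardened policy still grants anonymous GetObject on
    # one prefix; if nothing needs anonymous access, set all four to True.
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False})
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
```

The check can be pointed at the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for every bucket in an account. Note that the hardened policy does not prevent someone who already knows a key under `public/` from downloading it; that is the intended behaviour. What it removes is the ability to discover keys.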

Additional Reading:

A number of serious data exposure incidents related to AWS S3 Bucket Exposures are highlighted below: