During conversations with administrators about exposed AWS S3 buckets or traditional directory listing, the feedback often received is: “since the listed objects or files do not contain any sensitive information, the configuration of the buckets (or directories) is fine even if they are exposed.” This can be argued against on multiple fronts. Consider the following points:
- Any information disclosed via directory listing or AWS S3 bucket exposure could be used as a building block in other attacks.
- From a configuration standpoint, enterprises and organizations do not need an explicit listing of objects or resources. A direct link to a file that is deliberately shared through other outlets should suffice. The idea is to make only specific files public, not the complete directory.
- Attackers still gain access, via the listing, to files they are not supposed to see.
Security should not be designed or implemented as a matter of choice; it is a necessity. Organizations need to be very strict about the policies governing the AWS S3 buckets they use for storage.
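To make the "share specific files, not the directory" point concrete, here is an added example (not from the original post or from Avaya): a constructed weak bucket policy beside a corrected one, plus a hypothetical checker that flags Allow statements granting listing to everyone. The bucket name, object keys and the `public_listing_statements` helper are assumptions, not anything from the page.

```python
# Constructed example: a weak S3 bucket policy beside a corrected one, and a
# hypothetical checker that flags Allow statements granting listing to everyone.
import json

# Weak (constructed): anyone may list the bucket and read every object.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadAndList", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Corrected (constructed): only the two files meant to be shared are readable;
# no statement grants s3:ListBucket, so the object index stays private.
CORRECTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadNamedObjectsOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::example-bucket/brochure.pdf",
                 "arn:aws:s3:::example-bucket/press/logo.png"]}]})

# Actions that expose the object index (IAM action names are case-insensitive).
LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def _is_anonymous(principal) -> bool:
    """True when a statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_listing_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that let anyone list the bucket.

    Caveat: Condition blocks and NotAction are not evaluated here, so treat a
    hit as something to review, not as proof of exposure on its own.
    """
    policy = json.loads(policy_json)
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and any(a.lower() in LISTING_ACTIONS for a in actions)):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

Running the checker over a bucket's actual policy (fetched with the AWS CLI or SDK) gives a quick review item; bucket ACLs and account-level Block Public Access settings are separate controls that this check does not cover.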
Avaya: Case Study
One of Avaya's AWS S3 buckets (https://www.avaya.com/en/) was found to be exposed on the Internet, as shown below:
The issue was responsibly disclosed to Avaya so that the configuration could be changed. The team responded that the directory did not contain any confidential information and that they were still investigating. At the time of writing, the AWS S3 bucket is still exposed.
Generally, this should be addressed as soon as possible, irrespective of whether the files contain confidential or sensitive information; the associated bucket should not be exposed. In any case, the listing of objects/resources reveals unnecessary information.
We are disclosing this information for educational purposes only.
Refer to http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html: “Amazon S3 is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.”
Refer to https://cwe.mitre.org/data/definitions/548.html: “A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.”
Editing AWS S3 Buckets Access
A number of serious data exposure incidents involving AWS S3 buckets are highlighted below:
- A misconfiguration resulted in close to 1.4 million private records containing customers’ medical data being exposed to the public via AWS S3 buckets
- Highly classified defense data related to the US military and the National Geospatial-Intelligence Agency (NGA) was exposed via AWS S3 buckets
- Data on 200 million US voters was exposed to the Internet via AWS S3 buckets; this data could have been used by attackers for nefarious purposes
- 2.2 million entries from a compliance and risk database were found leaked via AWS S3 buckets