Exposed: Private Amazon S3 bucket exposure

The thousands of cloud data storage service breaches publicized in the news have raised awareness of vulnerabilities caused through misconfigured “public” access, but cloud security breach tactics go far beyond this.

Did you know that even S3 buckets with “private” mode enabled are still vulnerable to attack? They are, and the identity and access management (IAM) roles and permissions you assign to AWS EC2 instances are the weak link.

Recent high-profile attacks targeting “private” Amazon S3 buckets are said to have exposed 140,000 Social Security numbers and 80,000 bank account numbers, exploiting over-privileged IAM roles and instance permissions through a flaw in the web application firewall (WAF). These attacks retrieve IAM credentials via an SSRF vulnerability to access data and files in “private” mode.

The risk of over-privileged IAM roles

Those IAM roles assigned to each AWS EC2 instance will have permissions to perform certain tasks and access certain services. Under normal circumstances, that role is only used on the specific EC2 instance.

However, in these breaches, an attacker steals the credentials using methods such as exploiting a flaw in the WAF to retrieve IAM credentials via an SSRF vulnerability.

The attacker then uses that compromised IAM role from a different EC2 instance to access resources, such as S3 buckets. This allows the attacker to list and sync the valuable contents to local disk and access all the data that was supposed to be “private.”

Prevention is better than a cure

Sophos Cloud Optix makes it simple for organizations to identify over-privileged and IAM roles and compromised EC2 credential attacks.

Users and services that are assigned too many permissions are easily pinpointed, allowing you to assess your IAM role security posture before an attacker does.

When stolen credentials are used, you need to act fast. In this case, Cloud Optix detects and alerts you to the use of temporary IAM role credentials that are assigned to a specific EC2 instance, which are used from a different resource.

Ensure “private” means “private” by following these simple steps from Cloud Optix and avoid the attacker techniques used here in recent high-profile attacks.

Latest Posts