AWS rolls out new security feature to prevent accidental S3 data leaks

Image: AWS

Amazon’s Web Services division has rolled out new security features to AWS account owners today that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets.


Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the “Public access settings for this account” section.

These four new options allow the account owner to set a default access setting for all of an account’s S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies.

Account owners will be able to apply these new settings to S3 buckets created from now on, to existing buckets retroactively, or both.

Jeff Barr, Chief Evangelist for Amazon Web Services, said the new settings are meant to work as a master switch that prevents account owners or their employees/developers from accidentally opening S3 buckets and their data to the public by coding or misconfiguration errors at the app/bucket level.
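As an added illustration (not AWS's own code), the following Python model shows how the account-level "master switch" interacts with bucket-level ACLs and policies, including why the retroactive options matter for buckets that were already public. The mapping of the four options onto the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets settings, and the split between "from now on" and "retroactive" behaviour, is assumed from the S3 API rather than stated in the article.

```python
"""Added model (not AWS code) of how account-level S3 public access settings
interact with bucket-level ACLs and policies. Assumption: the four options are
BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicAccessBlock:
    block_public_acls: bool = False        # reject new public ACLs (from now on)
    ignore_public_acls: bool = False       # ignore existing public ACL grants (retroactive)
    block_public_policy: bool = False      # reject new public bucket policies (from now on)
    restrict_public_buckets: bool = False  # neutralise existing public policies (retroactive)


@dataclass
class Bucket:
    name: str
    public_acl: bool = False     # ACL grants read to AllUsers / AuthenticatedUsers
    public_policy: bool = False  # bucket policy allows Principal "*"


def is_effectively_public(account: PublicAccessBlock, bucket: Bucket) -> bool:
    """Anonymous reads still succeed only if the matching retroactive switch is off."""
    via_acl = bucket.public_acl and not account.ignore_public_acls
    via_policy = bucket.public_policy and not account.restrict_public_buckets
    return via_acl or via_policy


def try_make_public(account: PublicAccessBlock, bucket: Bucket, via: str) -> bool:
    """Simulate a PUT of a public ACL ('acl') or policy ('policy'); False = rejected."""
    if via == "acl":
        if account.block_public_acls:
            return False
        bucket.public_acl = True
    else:
        if account.block_public_policy:
            return False
        bucket.public_policy = True
    return True


def audit(account: PublicAccessBlock, buckets: list) -> list:
    """Names of buckets that anonymous users could still read."""
    return [b.name for b in buckets if is_effectively_public(account, b)]


def missing_settings(account: PublicAccessBlock) -> list:
    """Which of the four 'master switch' options are still off."""
    return [name for name, on in vars(account).items() if not on]
```

Running `audit` with only the two "from now on" switches enabled shows that legacy buckets stay readable; only the two retroactive switches close them.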

These types of accidents (misconfigured S3 buckets) have been a major problem for AWS customers for the past few years, and a serious black eye for AWS itself. Many cyber-security experts have argued that Amazon did not do enough to warn AWS users about the dangers of exposing an S3 bucket, or to provide controls that prevent it from happening.

Amazon did act, in November last year, when it began displaying bright orange warnings in the AWS dashboard, next to each S3 bucket that allowed public access.

Image: AWS

Today’s update addresses most of the criticism the company has faced recently: it provides the much-needed settings to prevent misconfigurations from exposing buckets, rather than just telling account owners after an exposure has already happened.

Just to put things in perspective and show how problematic accidental S3 bucket exposures have been, below is a (very incomplete) list of data breaches and data leaks caused by a company or app running a misconfigured S3 bucket that allowed anyone, not just the bucket owner, to view its content.

Research published last year by Skyhigh Networks (now part of McAfee) found that around seven percent of all AWS S3 buckets were publicly exposed.

In addition to the new AWS S3 public access settings, Amazon also announced major news for DynamoDB, its high-load database engine, also part of the AWS suite. Starting today, Amazon said, all data stored in DynamoDB tables will be encrypted by default.

“You do not have to make any code or application modifications to encrypt your data,” Amazon said in a press release. “DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit millisecond latency that you have come to expect.”
