Amazon is finally offering a simple way for its cloud services customers to lock down data stored at its Simple Storage Service (S3) with one fell swoop. This change should help companies in the Fortune 500 and mom-and-pops down the street avoid embarrassing breaches of data.
Customers of Amazon Web Services (AWS) routinely leave private files available for public consumption. That’s led to routine, sometimes costly situations for companies that find hackers or security researchers have retrieved customer information, databases containing user passwords, or even proprietary company secrets.
That includes the global consulting and management firm Accenture, which in October 2017 left four of its S3 storage areas, known as “buckets,” open to public examination and download. Over 137 gigabytes of data could have been retrieved, including 40,000 unencrypted passwords. Accenture’s cloud platform, hosted on Amazon’s services, include 92 of the Fortune Global 100 and three-quarters of the Fortune Global 500. A security researcher discovered the public data and informed Accenture.
In August 2018, a researcher discovered that a company that sells surveillance software it markets for parents, Spyfone, left an Amazon S3 bucket publicly available, and intimate and personal data extracted from thousands of people its customers were monitoring were exposed, according to Motherboard. This included several terabytes of camera photos.
Last November, Amazon released a change that gave system administrators better notification about any storage buckets set to public access, using an orange label in its file-browsing dashboard.
The change released on Nov. 16, however, allows top-down control for an entire storage area, including disabling overrides for individual folders or files within it. This will prevent companies from leaving data open for global snooping—if they’re attentive enough to know about the new feature and enable it.
The number of security breaches due to customer settings at Amazon S3 has been so high that articles at tech sites devote themselves to listing them all.
Notable breaches include Uber, which exposed personal data of about 57 million customers in October 2016, and didn’t disclose the matter [until November 2017](Dara Khosrowshahi), after it had hired a new CEO; Deep Root Analytics, which exposed personal data on 198 million American voters; and the WWE wrestling entertainment firm, which exposed personal details of 3 million of its fans.
