Ever wonder how all of those Amazon S3 bucket leaks get discovered?
In January, Avi Lumelsky wondered the same. He set out to explore the space and wrote up his findings. It’s a great post that deserves a few minutes of your time.
I don’t recommend trying to recreate Avi’s findings. AWS has a clear policy on penetration testing that you must follow. His findings do, however, illustrate the point of this post.
Scanning
The process boils down to the following:
- Scan the IP addresses associated with various AWS services
- When an address responds, inspect the response
- Map that response to known systems
This is a tried and true cybersecurity research technique. There are any number of tools that can help with this mass scanning, but they all follow this general pattern.
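The third step is where the "whoops" findings fall out: the same response that tells you what is listening usually also tells you whether it answered without authentication. The following is an added example of that triage step, not Avi's code or any scanning tool. It classifies probe results that have already been captured; the results below are constructed sample data on TEST-NET addresses, so running it touches nothing on the network.

```python
"""Triage step of the scanning pipeline: given what an address returned,
decide which system answered and whether it answered without authentication.
Added example with constructed probe results; no network traffic is sent."""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    system: str    # best guess at what is listening
    exposure: str  # "open", "auth-required", "public-web" or "unknown"


def _header(resp, name):
    """Case-insensitive header lookup."""
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    return headers.get(name.lower())


def classify_http(host, port, resp):
    """resp is {"status": int, "headers": {...}, "body": str} from GET /."""
    status, body = resp["status"], resp.get("body", "")
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    # Elasticsearch only serves its banner JSON (with the tagline) when the
    # request was accepted, so a tagline means an unauthenticated cluster.
    if doc.get("tagline") == "You Know, for Search":
        return Finding(host, port, "elasticsearch", "open")
    # Kibana sets kbn-name on every response; a redirect or 401 means a login
    # page sits in front of it, a 200 on / means it is wide open.
    if _header(resp, "kbn-name"):
        return Finding(host, port, "kibana", "open" if status == 200 else "auth-required")
    # Jenkins sends X-Jenkins even on its login page, so key off the status.
    if _header(resp, "x-jenkins"):
        return Finding(host, port, "jenkins", "auth-required" if status in (401, 403) else "open")
    # A Kubernetes API server answers anonymous callers with a v1 Status object.
    if doc.get("kind") == "Status" and doc.get("apiVersion") == "v1":
        return Finding(host, port, "kubernetes-api", "auth-required" if status in (401, 403) else "open")
    if status in (401, 403):
        return Finding(host, port, "unknown", "auth-required")
    if status == 200 and "<html" in body.lower():
        return Finding(host, port, "web-server", "public-web")
    return Finding(host, port, "unknown", "unknown")


def classify_redis(host, port, reply):
    """reply is the raw RESP line a Redis server sent back to PING."""
    if reply.startswith("+PONG"):
        return Finding(host, port, "redis", "open")
    if reply.startswith("-NOAUTH"):
        return Finding(host, port, "redis", "auth-required")
    return Finding(host, port, "unknown", "unknown")


def classify(probe):
    if probe["proto"] == "redis":
        return classify_redis(probe["host"], probe["port"], probe["reply"])
    return classify_http(probe["host"], probe["port"], probe["resp"])


def whoops(probes):
    """The 'whoops' category: not a web page, and reachable with no authentication."""
    return [f for f in map(classify, probes)
            if f.exposure == "open" and f.system != "web-server"]


# Constructed sample probe results (not real scan output).
SAMPLE_PROBES = [
    {"host": "203.0.113.10", "port": 9200, "proto": "http",
     "resp": {"status": 200, "headers": {"content-type": "application/json"},
              "body": json.dumps({"name": "node-1", "cluster_name": "prod",
                                  "tagline": "You Know, for Search"})}},
    {"host": "203.0.113.11", "port": 5601, "proto": "http",
     "resp": {"status": 302, "headers": {"kbn-name": "kibana", "location": "/login"},
              "body": ""}},
    {"host": "203.0.113.12", "port": 8080, "proto": "http",
     "resp": {"status": 403, "headers": {"X-Jenkins": "2.0"},
              "body": "<html>Authentication required</html>"}},
    {"host": "203.0.113.13", "port": 6443, "proto": "http",
     "resp": {"status": 403, "headers": {},
              "body": json.dumps({"kind": "Status", "apiVersion": "v1",
                                  "status": "Failure", "code": 403})}},
    {"host": "203.0.113.14", "port": 80, "proto": "http",
     "resp": {"status": 200, "headers": {"server": "nginx"},
              "body": "<html><body>Welcome</body></html>"}},
    {"host": "203.0.113.15", "port": 6379, "proto": "redis", "reply": "+PONG\r\n"},
    {"host": "203.0.113.16", "port": 6379, "proto": "redis",
     "reply": "-NOAUTH Authentication required.\r\n"},
]

if __name__ == "__main__":
    for f in map(classify, SAMPLE_PROBES):
        print(f"{f.host}:{f.port:<6} {f.system:<15} {f.exposure}")
    print("whoops:", [(f.host, f.system) for f in whoops(SAMPLE_PROBES)])
```

Of the seven constructed responses, only the Elasticsearch node and the Redis instance that replied `+PONG` land in the "whoops" list; the Kibana, Jenkins and Kubernetes hosts are exposed but answered with a login redirect or a 403, which is the distinction the next section is about.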
Unintended Exposure
The results range from the expected public webpages and APIs to things firmly in the “whoops” category: administrative access, direct connections to sensitive databases, and so on.
I use the term “whoops” because it’s a safe bet that the teams who built and deployed these systems didn’t intend for their sensitive systems to be exposed directly to the internet without further authentication.
These teams have made a misconfiguration. A mistake.
The Power Of The Cloud
These issues are common in the cloud. They are a result of the top benefit of the cloud: easy access to lots of technology.
In an on-premises environment, you typically have a team running the network perimeter, a different team running your data stores, another in charge of compute, etc.
In the cloud, you can gain access to all of those systems with a single command. It’s up to you to understand the consequences of deploying those systems.
Safety Net
That doesn’t mean we should shy away from the cloud. We just need to be aware of the risks of misconfigurations, and there is significant risk. Depending on the source, anywhere from 65 to 75% of all data breaches in the cloud are a result of a misconfiguration.
To help prevent this, you need to start thinking about infrastructure testing. You already do unit and integration testing on your code; why aren’t you testing your infrastructure?
Verifying that you haven’t chosen the wrong setting, opened up network access, or misconfigured permissions before those systems are in production is critical to keeping your data safe.
Getting into an infrastructure testing mindset can help do just that.
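What an infrastructure test looks like in practice, as an added example that is not part of the original post: it takes the description of the resources you are about to deploy and fails the build on the three mistakes named above, a wrong setting (a bucket's public access block left partially off), network access opened to the world, and over-broad permissions. The `plan` dictionary is a deliberately simplified, hypothetical model of a deployment, not a real Terraform or CloudFormation schema, and both sample plans are constructed.

```python
"""Pre-deployment infrastructure tests over a simplified, hypothetical plan
model (not a real Terraform/CloudFormation schema). Added example; the two
sample plans are constructed."""

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "ignore_public_acls",
                       "block_public_policy", "restrict_public_buckets")


def _is_wildcard(value):
    """True for "*" or a list/principal map containing "*"."""
    if isinstance(value, dict):          # {"AWS": "*"} style principal
        return any(_is_wildcard(v) for v in value.values())
    if isinstance(value, list):
        return "*" in value
    return value == "*"


def check_security_groups(plan):
    issues = []
    for sg in plan.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if not WORLD & set(rule.get("cidrs", [])):
                continue  # not reachable from the internet
            lo, hi = rule["from_port"], rule["to_port"]
            if lo == hi and lo in (80, 443):
                continue  # a public web port is the one acceptable world-open rule
            named = [n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            detail = f" ({', '.join(named)})" if named else ""
            issues.append(f"security group {sg['name']}: ports {lo}-{hi} open to the world{detail}")
    return issues


def check_buckets(plan):
    issues = []
    for b in plan.get("buckets", []):
        block = b.get("public_access_block", {})
        off = [f for f in PUBLIC_ACCESS_FLAGS if not block.get(f)]
        if off:
            issues.append(f"bucket {b['name']}: public access block not fully enabled ({', '.join(off)})")
        for stmt in b.get("policy", {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                issues.append(f"bucket {b['name']}: policy allows anonymous principal")
    return issues


def check_iam(plan):
    issues = []
    for pol in plan.get("iam_policies", []):
        for stmt in pol.get("Statement", []):
            if (stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Action"))
                    and _is_wildcard(stmt.get("Resource"))):
                issues.append(f"iam policy {pol['name']}: Allow */* grants full account access")
    return issues


def check_plan(plan):
    return check_security_groups(plan) + check_buckets(plan) + check_iam(plan)


# Constructed: the kind of plan that produces a "whoops" once deployed.
WEAK_PLAN = {
    "security_groups": [
        {"name": "web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"name": "db", "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["0.0.0.0/0"]}]},
    ],
    "buckets": [{
        "name": "customer-exports",
        "public_access_block": {"block_public_acls": True, "ignore_public_acls": True,
                                "block_public_policy": False, "restrict_public_buckets": False},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::customer-exports/*"}]},
    }],
    "iam_policies": [{"name": "exporter",
                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
}

# Constructed: the same deployment with each finding corrected.
FIXED_PLAN = {
    "security_groups": [
        {"name": "web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"name": "db", "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]}]},
    ],
    "buckets": [{
        "name": "customer-exports",
        "public_access_block": {f: True for f in PUBLIC_ACCESS_FLAGS},
        "policy": {"Statement": [{"Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::customer-exports/*"}]},
    }],
    "iam_policies": [{"name": "exporter",
                      "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::customer-exports/*"}]}],
}

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("fixed", FIXED_PLAN)):
        print(name, "FAIL" if check_plan(plan) else "PASS", *check_plan(plan), sep="\n  ")
```

Run in CI before `apply`, the weak plan fails with four findings (the database port open to the world, the half-enabled public access block, the anonymous bucket principal and the `*`/`*` IAM statement) and the corrected plan passes. The checks are intentionally conservative: any world-open rule that is not exactly port 80 or 443 is flagged, because the cost of a false positive is a review, while the cost of a miss is the next leak.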