
Amazon’s latest attempt to secure S3 buckets

Amazon tries to ruin infosec world’s fastest-growing cottage industry (finding data-spaffing S3 storage buckets)

AWS comes up with blanket policies to smother public-facing cloud silos

By Shaun Nichols in San Francisco 16 Nov 2018 at 22:12

Amazon Web Services is taking steps to halt the epidemic of data leaks caused by customers accidentally leaving the S3 cloud buckets it hosts wide open to the internet.

Thus, if you are among the growing bunch of infosec researchers on the hunt for misconfigured public-facing S3 silos packed with slurpable private info and other goodies, it may be about to become a little more difficult or tedious to hit pay dirt.

This assumes people take notice and use the new security features, of course. We’re not holding our breath.

AWS evangelist (translation: marketing guy) Jeff Barr introduced today a new set of controls to set blanket policies across accounts that will block public access to cloud storage from being enabled. These can be applied to S3 buckets and access control lists (ACL).

With the protections in place, objects placed in the buckets are blocked from enabling public access or cross-account access. The idea, said Barr, is to make it clear to both admins and end users of S3 buckets that public access is intended to be very limited in scope, and should only be enabled for things like web hosting – and not general storage of internal documents.

The problem is that S3 can be used for storing files you want to make public on your website, and can also be used for holding private data in the cloud, which ends up being made public. It would be cool if AWS found a way to, by default and automatically, enforce a harder separation between the private storage of files, and public-facing web page materials. In the meantime, we have these aforementioned blanket policies.
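To see how an account-wide setting and a per-bucket setting combine, here is an added audit sketch in Python; it is not code from AWS or from this article. It assumes the four S3 Block Public Access flag names (which the article does not list), treats a flag as in force when either level enables it, and runs over constructed bucket records with hypothetical names.

```python
# Added example, not AWS or Register code. The four flag names are the S3
# Block Public Access settings; bucket names and inputs below are constructed.
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def effective_block(account_cfg, bucket_cfg):
    """A flag is in force if the account OR the bucket turns it on."""
    account_cfg, bucket_cfg = account_cfg or {}, bucket_cfg or {}
    return {f: bool(account_cfg.get(f) or bucket_cfg.get(f)) for f in FLAGS}

def audit_bucket(bucket, account_cfg):
    """Return findings for one bucket; an empty list means nothing to fix."""
    eff = effective_block(account_cfg, bucket.get("block_cfg"))
    name, findings = bucket["name"], []
    public_acl = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
                     for g in bucket.get("acl_grants", []))
    if public_acl and not eff["IgnorePublicAcls"]:
        findings.append(f"{name}: public ACL grant is honoured")
    if bucket.get("policy_is_public") and not eff["RestrictPublicBuckets"]:
        findings.append(f"{name}: public bucket policy is honoured")
    missing = [f for f in FLAGS if not eff[f]]
    if missing:
        findings.append(f"{name}: not enforced: {', '.join(missing)}")
    return findings

ALL_ON = dict.fromkeys(FLAGS, True)
WORLD_READ = {"Grantee": {"Type": "Group", "URI":
              "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}
SAMPLE_BUCKETS = [  # constructed inventory
    {"name": "example-internal-docs", "block_cfg": None,
     "acl_grants": [WORLD_READ], "policy_is_public": False},
    {"name": "example-backups", "block_cfg": ALL_ON,
     "acl_grants": [WORLD_READ], "policy_is_public": True},
    {"name": "example-website", "block_cfg": {"BlockPublicAcls": True,
     "IgnorePublicAcls": True}, "acl_grants": [], "policy_is_public": True},
]

def audit_all(buckets, account_cfg=None):
    return [f for b in buckets for f in audit_bucket(b, account_cfg)]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_BUCKETS):            # no account-level block
        print(line)
    print(audit_all(SAMPLE_BUCKETS, ALL_ON) or "account-level block: clean")
```

With every flag on at the account level, the intentionally public example-website bucket is cut off along with the rest, which is the blanket behaviour described above.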

 

https://www.theregister.co.uk/2018/11/16/aws_s3_bucket_security/





