Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Privacy Security

AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com) 32

Posted by msmash from the interesting-moves dept.
Amazon's Web Services division rolled out new security features to AWS account owners last week that are meant to prevent accidental data exposures caused by the misconfiguration of S3 data storage buckets. From a report: Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section. These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies. Account owners will have the ability to apply these new settings for S3 buckets that will be created from now onwards, to apply the new setting retroactively, or both.
This discussion has been archived. No new comments can be posted.

AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks More

AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks

Comments Filter:

  • S3? (Score:4, Funny)

    by jfdavis668 ( 1414919 ) on Monday November 19, 2018 @10:35AM (#57667768)
    I didn't know my video card could leak. I'll have to open it up and check.

  • This is a much needed thing... even I can do it. (Score:4, Funny)

    by ctilsie242 ( 4841247 ) on Monday November 19, 2018 @10:40AM (#57667818)

    This is an absolute no brainer, and IMHO, a must have. Log onto AWS, go to S3, check four checkboxes, type in "confirm", hit OK, and not worry about public buckets again, unless someone explicitly logs in as a root/admin user and unchecks them.

    Hopefully more AWS customers do this.

    • Re: (Score:1)

      by Anonymous Coward

      So what happens when your app completely fails because the developers never built in authentication, and just relied on it being public?

      These sort of system miss-configs are rarely as simple as logging in, and spending 5 minutes changing the config. It's possible the buckets were made public and don't need to be and this would work without a problem. The more likely scenario is that somewhere, some piece (or all of it) isn't authenticating, and is relying on the buckets to be public. Finding that piece i

    • I wonder how many of these are left over from testing. I developer is having trouble getting something to work, so they *temporarily* open up the SG to test it, removing one variable. After they get it working they forget to secure it again.

      Anyway, our AWS security service (Alert Logic) checks for this and I know we catch public buckets fairly often.

      • In the past it was a lot easier to accidentally get the settings wrong. I expect it will be less and less of a problem as things move forward and the default settings become more secure.

  • And, very apparently, it is needed. That somebody that already fails to get access permissions for an S3 bucket set right (which is not hard to do) will obviously screw up a lot of other things as well is pretty much a given.

    • In my experience, and I had a time where I bounced among a number of companies, the person with AWS access often times has no clue what they are doing, is likely using the root account itself, rather than a sub account with admin privs, and just needs things to work so the dev team can get their code going. Their goal is to get stuff up and running, even if it means ignoring security issues, since the SCRUM master and their boss is going to call them out on missed deliverables on a daily basis, but securit

  • For the love of god, just make sure read rights don't include file listing rights, and the public can never be given file listing rights. This solves 99.9999% of S3 data leaks. No sane web server gives public file listing rights these days for a reason.

    • Re: (Score:2)

      by mysidia ( 191772 )

      Because S3 is not a website; It is a storage service --- and some organizations have some repositories or datasets which they wish to use S3 to make public - possibly using a Requestor Pays [amazon.com] bucket, OR selling access to a S3-based product through DevPay [amazon.com]. Either way, you need to be able to provide other people from the public access to the storage bucket.

      • Re:Jesus christ (Score:4, Informative)

        by Njovich ( 553857 ) on Monday November 19, 2018 @12:47PM (#57668798)

        I didn't say disable access, I said disable public file listings. I think people that want to sell access can manage to make a listing of the files they want to make accessible. Or make it a very hard to enable option or something like that.

  • what about adding all users (in your account / group) and make the other all users read ALL AWS users (PUBLIC)

Slashdot Top Deals

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Close