Lightspin, a pioneer in contextual cloud security that simplifies and prioritizes cloud security for cloud and Kubernetes environments, announced today the discovery of a new method of cross-account attack, leveraging AWS S3 buckets. If leveraged, this attack can cause a real and measurable impact to a business’ bottom line, by opening up certain AWS buckets to unauthorized writes from any AWS account.
Lightspin found this potential misconfiguration as part of its ongoing research into AWS S3 buckets, while researching examples of S3 buckets using the standard AWS bucket permissions. Misconfigured S3 buckets have caused many high-profile attacks, including Booz Allen Hamilton that exposed 60,000 files related to the Dept of Defense and Verizon’s recent exposure of more than 6 million customer accounts.
After inspecting 40,000 Amazon S3 buckets, Lightspin found that, on average, the “objects can be public” permission applies to 42% of an organization’s objects on AWS overall.
During the research, Lightspin discovered that it’s possible for hackers using AWS Cloudtrail and Config to write to buckets held by other accounts even if those buckets aren’t public. This is due to the fact that even private buckets can have policies that allow access from any AWS account. Cross-Account attacks on AWS services are difficult to detect and thus can remain undetected for a long time.
“AWS doesn’t provide the ability to drill down from a bucket to see the status of all the objects it contains.” said Vladi Sandler, CEO of Lightspin. “In order to be sure that objects are “safe”, its necessary to go through each object’s ACL to check if it is open to the public. We recognize that organizations need better context, so we have developed an open-source scanner that provides exactly this – the visibility and the context to know exactly what objects are publicly accessible, at a glance.”
While Lightspin only checked Cloudtrail and Config, other AWS Services that use S3 buckets to store their data by default may also be at risk from this misconfiguration attack path, and in those cases, may even provide read permissions.