Amazon S3 Users Exposing Sensitive Data

March 27, 2013 – 5:28 PM

A review of publicly visible content on Amazon’s S3 storage service found that some sensitive data may be publicly accessible, including data that could be used in a future network attack, according to Rapid7, which conducted the study. Misconfiguration issues are common when users set up the S3 service, exposing data that would otherwise likely be deemed private, the firm said.

Boston-based vulnerability management vendor Rapid7 conducted an analysis of nearly 13,000 Amazon S3 buckets and found 2,000 were publicly available. The researchers gathered a list of more than 126 billion files, and a random sampling found 40,000 publicly visible files, many of which contained sensitive data, the firm said.

“This is ultimately a misconfiguration issue,” said Tod Beardsley, engineering manager for Metasploit, the penetration testing tool maintained by Rapid7. “The surprise here was that it wasn’t just regular people doing this; it was enterprise-level IT pros and third-party contractors who manage your S3 presence for you.”

