Skip to main content

Who's watching your data?




Open to the internet


Let's face it, cybersecurity can be a scary business, so what better time of year to highlight the fears of cyber crime than Halloween?


We've all heard the scary stories, read the chilling books, and watched the horror movies where someone is being watched - picture the scene with the creepy guy standing outside the house, looking back in through the window. Most of us close our curtains and lock our windows and doors at night before going to bed, hoping not to encounter the creepy guy. But If we go to great lengths to stop someone peeping into our private lives, or getting into our home, then why don't we do the same with our data; especially our data that's in the cloud. It's scary to think that a lot of data, especially on public clouds is left open to the internet. According to our security market research, nearly 80% of databases in amazon cloud are left unencrypted, of which 30% are open to the internet. The smart hackers who know about this scour these unprotected havens looking for data they can exfiltrate.

We previously covered a story about Booz Allen Hamilton, who recently had a data leak in AWS. Lack of good security controls left their S3 bucket data open to the internet, which resulted in the exfiltration of over 60,000 sensitive files.

Using the Booz Allen Hamilton incident as an example, let's discuss how you would go about implementing the right security controls and detection mechanisms to avoid such a mistake.

Convenience can sometimes lead to insecurity

At the heart of Booz Allen Hamilton's incident investigation is speculation that they traded convenience for security best practices.  Initially creating a S3 bucket is easy. As you can see in screen-shot below, public access is not the default mode and AWS does not recommend making the bucket public.





So why would this happen?  We believe there are 2 main cases for this:


  1. Setting up the bucket before you have all necessary information about who will be accessing it and how they will be expected to access it.  This includes what credentials they will have and what IP address(es) they may be using.  In this case, it may be easier to just make the bucket public and come back to it later.  But, especially for overloaded security folks in large organizations, later will never come.
  2. The business purpose of the bucket changes without the security team’s knowledge.  If you create the bucket believing that nothing sensitive will be stored here, then it needs to stay that way.  If the business use of the bucket changes, the permissions around the bucket should be revisited.

Since AWS does not recommend the use of Access Control Lists (ACLs), users should be creating S3 bucket policies to establish granular permissions around the bucket and its contents.  However, policies can be a little cryptic if you are not familiar with them.  In order to help with this, AWS provides the policy generator tool.  As shown below, this tool makes it easier to select the actions you would like to allow (or deny), specify the resource (a bucket in this case), and the principal.  The “Principal” is the actor to which you are applying the permission.




If you use “*” in the Principal field, this will apply the permission to any unauthenticated user.  So, if you selected the actions of “GetObject” and “ListBucket”, this would essentially allow anybody on the Internet to enumerate and download the contents of the specified S3 bucket.  This may be the most convenient option if you don’t have all relevant data to create a more granular policy.  However, this may not be acceptable exposure for the contents of that S3 bucket, so we recommend gathering the necessary pieces before opening the bucket like this.

Final thoughts

It's very easy to take shortcuts while setting up a S3 bucket in AWS. We saw how impactful this can be, as with the case of Booz Allen Hamilton.  To help prevent this type of incident happening in your environment, we recommend the following:


  • Enable file-level data collection in CloudTrail for your buckets, since it’s not enabled by default.
  • Use granular policies whenever possible.
  • Don't use * for Principal, unless it’s only going to house public data.

In addition, Sift Security's CloudHunter product can help make the job of protecting your S3 bucket data easier.  Some of the functionality we provide out of the box includes:


  • Alert you to ACL and policy changes.
  • Automatically detect when a bucket or object is being exposed to the Internet.
  • Allow you to lock permissions, so the permissions are automatically corrected before unauthorized access happens.










Popular posts from this blog

Sift Joins Netskope, the Cloud Security Leader

Four years ago, we started Sift with the mission of simplifying security operations and incident response for the public cloud. In that time, we have assembled a fantastic team, created an innovative cloud detection and response solution, and have worked with many market-leading customers. I’m delighted to share that we’ve taken yet another step forward — as announced today, Sift is now officially part of Netskope. You can read more about this on Netskope CEO Sanjay Beri’s blog or in the official announcement on the Netskope website.
For our customers, investors, partners, and team, this is an exciting new chapter. Let me tell you why we’re so excited.  Since the beginning, Netskope has had an unmatched vision for the cloud security market. Having started in 2012, they initially focused on SaaS security and quickly followed that with IaaS security capabilities. Six years later, they are now more than 500 employees strong and used by a quarter of the Fortune 100. They are a leader in …

Sift Security Tools Release for AWS Monitoring - CloudHunter

We are excited to release CloudHunter, a web service similar to AWS CloudTrail that allows customers to visually explore and investigate their AWS cloud infrastructure.  At Sift, we felt this integration would be important for 2 main reasons:
Investigating events happening in AWS directly from Amazon is painful, unless you know exactly what event you're looking for.There are not many solutions that allow customers to follow chains of events spanning across the on-premises network and AWS on a single screen. At Netflix, we spent a lot of time creating custom tools to address security concerns in our AWS infrastructure because we needed to supplement the AWS logs, and created visualizations based on that data.  The amazing suite of open source tools from Netflix are the solutions they used to resolve their own pain points.  Hosting microservices in the cloud with continuous integration and continuous deployment can be extremely efficient and robust.  However, tracking events, espec…

Using the Security Event Graph to Drive Alert Prioritization

One of the biggest differentiators at Sift Security is our security event graph: We map security events into a graph database. We then analyze the graph structure to prioritize alerts. Specifically, we look for clusters of interrelated alerts, score the clusters, and surface the clusters to the analyst. The analyst can then investigate each cluster in order, quickly assessing the threat and resolving the alerts in bulk.  
Our algorithms do the important work of sifting through isolated alerts and separating the false alarms and low priority alerts from high priority security incidents. We identify the high priority incidents by analyzing how alerts are related to each other. Key to this approach is our security event graph. This graph is stored in a graph database, a relationship-centric database that enables rapid execution of complex queries that would be very expensive to make in a traditional RDBMS.  The graph structure enables us to rapidly traverse relationships and find interr…