Skip to main content

Who's watching your data?


Open to the internet

Let's face it, cybersecurity can be a scary business, so what better time of year to highlight the fears of cyber crime than Halloween?

We've all heard the scary stories, read the chilling books, and watched the horror movies where someone is being watched - picture the scene with the creepy guy standing outside the house, looking back in through the window. Most of us close our curtains and lock our windows and doors at night before going to bed, hoping not to encounter the creepy guy. But If we go to great lengths to stop someone peeping into our private lives, or getting into our home, then why don't we do the same with our data; especially our data that's in the cloud. It's scary to think that a lot of data, especially on public clouds is left open to the internet. According to our security market research, nearly 80% of databases in amazon cloud are left unencrypted, of which 30% are open to the internet. The smart hackers who know about this scour these unprotected havens looking for data they can exfiltrate.

We previously covered a story about Booz Allen Hamilton, who recently had a data leak in AWS. Lack of good security controls left their S3 bucket data open to the internet, which resulted in the exfiltration of over 60,000 sensitive files.

Using the Booz Allen Hamilton incident as an example, let's discuss how you would go about implementing the right security controls and detection mechanisms to avoid such a mistake.

Convenience can sometimes lead to insecurity

At the heart of Booz Allen Hamilton's incident investigation is speculation that they traded convenience for security best practices.  Initially creating a S3 bucket is easy. As you can see in screen-shot below, public access is not the default mode and AWS does not recommend making the bucket public.




So why would this happen?  We believe there are 2 main cases for this:

  1. Setting up the bucket before you have all necessary information about who will be accessing it and how they will be expected to access it.  This includes what credentials they will have and what IP address(es) they may be using.  In this case, it may be easier to just make the bucket public and come back to it later.  But, especially for overloaded security folks in large organizations, later will never come.
  2. The business purpose of the bucket changes without the security team’s knowledge.  If you create the bucket believing that nothing sensitive will be stored here, then it needs to stay that way.  If the business use of the bucket changes, the permissions around the bucket should be revisited.

Since AWS does not recommend the use of Access Control Lists (ACLs), users should be creating S3 bucket policies to establish granular permissions around the bucket and its contents.  However, policies can be a little cryptic if you are not familiar with them.  In order to help with this, AWS provides the policy generator tool.  As shown below, this tool makes it easier to select the actions you would like to allow (or deny), specify the resource (a bucket in this case), and the principal.  The “Principal” is the actor to which you are applying the permission.




If you use “*” in the Principal field, this will apply the permission to any unauthenticated user.  So, if you selected the actions of “GetObject” and “ListBucket”, this would essentially allow anybody on the Internet to enumerate and download the contents of the specified S3 bucket.  This may be the most convenient option if you don’t have all relevant data to create a more granular policy.  However, this may not be acceptable exposure for the contents of that S3 bucket, so we recommend gathering the necessary pieces before opening the bucket like this.

Final thoughts

It's very easy to take shortcuts while setting up a S3 bucket in AWS. We saw how impactful this can be, as with the case of Booz Allen Hamilton.  To help prevent this type of incident happening in your environment, we recommend the following:

  • Enable file-level data collection in CloudTrail for your buckets, since it’s not enabled by default.
  • Use granular policies whenever possible.
  • Don't use * for Principal, unless it’s only going to house public data.

In addition, Sift Security's CloudHunter product can help make the job of protecting your S3 bucket data easier.  Some of the functionality we provide out of the box includes:


  • Alert you to ACL and policy changes.
  • Automatically detect when a bucket or object is being exposed to the Internet.
  • Allow you to lock permissions, so the permissions are automatically corrected before unauthorized access happens.










Popular posts from this blog

Sift Security Tools Release for AWS Monitoring - CloudHunter

We are excited to release CloudHunter, a web service similar to AWS CloudTrail that allows customers to visually explore and investigate their AWS cloud infrastructure.  At Sift, we felt this integration would be important for 2 main reasons:
Investigating events happening in AWS directly from Amazon is painful, unless you know exactly what event you're looking for.There are not many solutions that allow customers to follow chains of events spanning across the on-premises network and AWS on a single screen. At Netflix, we spent a lot of time creating custom tools to address security concerns in our AWS infrastructure because we needed to supplement the AWS logs, and created visualizations based on that data.  The amazing suite of open source tools from Netflix are the solutions they used to resolve their own pain points.  Hosting microservices in the cloud with continuous integration and continuous deployment can be extremely efficient and robust.  However, tracking events, espec…

Sift Security and WannaCry

😢 The WannaCry ransomware attack has left security teams around the world scrambling to make sure they are protected and to assess whether they have been victimized. To protect themselves, organizations need to have visibility into which systems are vulnerable and be able to rapidly roll out patches.  To understand whether they have been targeted, they need visibility into the channels over which the ransomware is distributed.  To understand whether they have been infected, they need visibility into the endpoints.
Over the past weekend, I was bombarded with questions from current customers, potential customers, former colleagues, friends, and family.  Am I vulnerable? How do I protect myself? How do I know if I’ve been hit? What do I do if I’ve been hit? What can you do to help me?
This post focuses primarily on the last question. What can we at Sift Security do to help an organization respond to a massive ransomware attack? I break this down into four categories, visibility, analyt…

Next-Generation SIEMs

Intelligence, Speed, Simplicity, AutomationOverviewMajor network and security trends, including exponentially increasing network traffic, cloud architectures, complex attack surfaces, and advanced adversaries, have created new challenges for security operations in adapting to this changing threat landscape.
Increased Traffic, Hybrid Cloud Architectures, and Sophisticated Adversaries Are Overwhelming SOCs
The Security Operations Center is faced with alert overload, often paralyzed with too much information to filter, prioritize, and act upon. The end result is an inability to find the true risk amongst thousands of alerts every day with the largest of organizations easily facing millions of alerts per day.Incident responders are challenged at finding relevant information or seeing the relationships amongst disparate indicators of compromise that are buried within logs, causing delays in assessing, understanding, and mitigating incidents.T…