Yes, Finding Public S3 Buckets Is Automated and Easy

Attackers are automating the discovery of public AWS S3 buckets. Are you automating your security defense? We found a list of over 60,000 public S3 buckets.

Verdict (a UK-based tech journal) is reporting on yet another public S3 bucket attack that exposed hundreds of thousands of customer call recordings which included lots of personal data. Awesome. The calls were from 2016, but if you’re anything like me, your address, real email, and phone number are still the same — and now available for purchase.

Two things keep occurring to me as these S3 bucket issues crop up, seemingly about weekly. First, the means to discover and exfiltrate data are clearly automated and indiscriminate. Second, it’s time we get automated on the protection side, or we will lose this battle (check out our guardrails here).

In Verdict’s article you will see a link to buckets.grayhatwarfare.com (see the developer’s site description), a tool that automatically searches public S3 buckets. So you have to assume that automation for identifying and exploiting anything in the cloud probably exists, and will be made public sooner rather than later. This (shockingly) again puts a premium on making sure you don’t make cloud configuration mistakes to be discovered by such automated tools.

Configuration mistakes keep happening because cloud security management at scale is very complex. People need to remember 3 things:

  1. S3 buckets are not centrally “secured”. Every bucket maintains its own security, making securing them a challenge of scale.
  2. New buckets can be created in seconds, requiring constant vigilance — which means automated assessment and remediation.
  3. The complexity of bucket security can lead to mistakes.
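As an added illustration of what automated per-bucket assessment involves (example code written for this page, not DisruptOps' own tooling), the sketch below checks each bucket's ACL, bucket policy, and Block Public Access settings independently. The input shapes mirror the S3 API responses for those three settings; the bucket names and sample data are constructed, and treating any conditional Allow as non-public is a simplifying assumption.

```python
import json

# Predefined S3 groups whose ACL grants reach beyond the owning account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def assess_bucket(grants, policy_json, pab):
    """List the reasons one bucket is public (empty list means not public)."""
    pab = pab or {}
    reasons = []
    if not pab.get("IgnorePublicAcls"):  # this setting neutralizes public ACL grants
        for g in grants:
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                reasons.append("acl:" + g["Permission"])
    if policy_json and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for s in statements:
            # Simplification (assumption): an Allow with a Condition is not flagged.
            if (s.get("Effect") == "Allow" and "Condition" not in s
                    and wildcard_principal(s.get("Principal"))):
                reasons.append("policy:" + str(s.get("Action")))
    return reasons

def audit(inventory):
    """Assess every bucket on its own; return only the publicly exposed ones."""
    findings = {name: assess_bucket(*cfg) for name, cfg in inventory.items()}
    return {name: why for name, why in findings.items() if why}

# Constructed sample data (hypothetical bucket names), not real buckets.
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-recordings/*"}})
INVENTORY = {
    "example-recordings": (OPEN_ACL, OPEN_POLICY, None),
    "example-blocked": (OPEN_ACL, OPEN_POLICY,
                        {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}),
    "example-private": ([], None, None),
}
if __name__ == "__main__":
    print(audit(INVENTORY))
```

The same ACL and policy produce a finding on one bucket and none on another because the Block Public Access settings differ, which is why every bucket has to be evaluated individually.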

It also reminded me of the one great truth in cybersecurity: Hackers are lazy. I seriously doubt anyone decided to go hunt for travel agency phone recordings to get rich. This was indiscriminate data theft. They used a tool to find things, and then figured out how they could profit from what they found.

What does that mean for us on the protection side? At DisruptOps, it’s clear that automation is being used against us, so the only way to keep pace and stay on an equal footing with attackers is to automate your defenses. Automation is the linchpin of a central cloud security governance program. If your governance lacks the ability to automatically respond to a wide variety of configuration mistakes and attacks, come check out our platform.