Top 5 AWS Misconfigurations That Led to Data Leaks in 2021 | Spiceworks (2023)

2021 witnessed a series of headline-grabbing data leaks that occurred as a result of AWS misconfigurations. Let’s take a look at some of the top data leaks in 2021 along with tips from experts on how organizations can prevent misconfigurations in their AWS environments.

As organizations continue to invest in digital transformation, AWS is becoming an ever more crucial facet. Companies roll out new workloads constantly, using installations in several regions and relying on multiple AWS services. Recent data reveals a significant increase in dependence on AWS services and accompanying security failings among many organizations.

Growing complexity and risk have inevitably resulted from the expansion of AWS services. In fact, research from Vectra indicated that every company surveyed had experienced at least one security issue in its public cloud environment in the previous 12 months. Customer-side misconfiguration is the fundamental cause of over 99% of cloud breaches. The Vectra research revealed the following blind spots:

    • Before moving to production, 30% of the surveyed organizations had no official sign-off.
    • 40% of respondents claim they don’t have a DevSecOps workflow in place.
    • According to 71% of organizations, ten or more employees may change the whole architecture in their AWS settings, opening up a slew of attack avenues for hackers.

Top AWS Misconfigurations in 2021 That Led to Data Leaks

From the U.S. Department of Defense to Silicon Valley tech giants and beyond, anyone can fall prey to misconfigured S3 buckets. Failing to properly secure AWS environments may result in the compromise of enterprise and customer data. Misconfigurations are becoming more common in the cloud, and enterprises must first understand the fundamental causes of S3 breaches and vulnerabilities. Otherwise, they may face the same fate as some organizations did in 2021.

The Cosmolog Kozmetik data leak

In June this year, a famous Turkish beauty brand, Cosmolog Kozmetik, suffered a leak from its Amazon S3 bucket. Thousands of Excel spreadsheets from a 20GB trove disclosed the personal details of 567,000 unique individuals who made purchases from the supplier across numerous e-commerce platforms. While no payment details were compromised, the research team found clients’ full names, physical addresses, and purchase details. Contact information and email addresses were also disclosed in some cases.

Misconfigured S3 buckets led to data breaches in more than 80 US municipalities

In July, WizCase discovered unsecured Amazon S3 buckets containing data from more than 80 US localities, predominantly in New England. The misconfigured S3 buckets held more than 1,000GB of data and more than 1.6 million files. Residents’ home addresses, telephone numbers, IDs, and tax papers were all exposed. According to the researchers, it was impossible to quantify the number of residents affected because of the enormous volume and variety of unique documents.

Misconfigured S3 bucket exposed 50k patient records

In February, security researchers at Comparitech discovered over 50,000 data records on two publicly available AWS S3 buckets that lacked any form of password protection or authentication.

Sergio Louriro, the cloud security director at Outpost24, opined, “At first glance, it seems an almost classical mistake of a misconfigured system that should not have been accessible over the internet. Unfortunately, data leak is something we see all too frequently. A cloud service that is brought up for probably all the right reasons, but security is completely forgotten in the process.”

He further said, “As public clouds become so easy and cost effective to spin up, mistakes are easily made with shadow IT and by those without cloud security knowledge. Before connecting any system to the internet, ask yourself the questions: what are we putting in the cloud and are the data sensitive? Then make sure your security team knows about it and make use of cloud security posture management (CSPM) tools as a baseline to harden your cloud services.”

Three million senior citizens’ info exposed by SeniorAdvisor

A security breach at SeniorAdvisor, a review website, compromised over three million elderly adults’ personal information in August. WizCase researchers observed that a misconfigured Amazon S3 bucket exposed details including individuals’ names, numbers, and email addresses. The information pertained to those who were designated as prospects or potential clients. Around 2,000 ‘scrubbed’ reviews were also discovered in which the user’s private information had been deleted or altered.

Defunct company left S3 bucket exposed to public access

A New York-based digital marketing company, Reindeer, which was out of business, left its Amazon S3 bucket open to the public, leading to the catastrophic leak of 50,000 files totaling 32 GB. The leak impacted 306,000 people who were customers of numerous Reindeer clients such as the alcoholic beverage company ‘Patrón Tequila’ and the UK apparel brand ‘Jack Wills.’ Full names, physical locations, email addresses, phone numbers, and hashed passwords formed part of the leaked data.

A Zero Tolerance Approach to Cloud Misconfigurations Is the Need of the Hour

As more data is being migrated to the cloud, the risk of cyber attacks on AWS’ S3 buckets has increased as well. A recent survey conducted by Ermetic found that organizations used cloud identities that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk. The research indicates that millions of organizations currently using S3 for data storage are vulnerable to ransomware attacks. The high possibility of exposure to even simple ransomware operations is a clear call for cloud security stakeholders to take mitigating steps.

“It does not take much effort for outsiders to find unsecured databases and access sensitive information. There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools (and the continued carelessness of companies in cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries,” said Anurag Kahol, CTO of Bitglass.

“Such vulnerabilities can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.”

Jon Helmus, a manager of the pentest community at Cobalt, points out the two most common causes of AWS S3 bucket misconfigurations and how businesses and IT teams should combat them:

1. Keep S3 data private (not public)

Working in a very complex AWS environment without understanding its security guidelines poses many risks. It is possible, and not uncommon, for a user to create an insecure S3 bucket entirely unknowingly. To combat this, organizations should consider training their security engineers in cloud assessments or instituting internal pentest teams that regularly assess the cloud environment.
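Cause 1 above is, in practice, a check that can be automated. The following is an added example, not code from the Spiceworks article or from Cobalt, that evaluates the three settings which together decide whether an S3 bucket is reachable anonymously: the bucket policy, the ACL grants, and the Block Public Access flags. It runs over constructed in-memory copies of those settings so it works offline; the bucket names, the `vpce-EXAMPLE` placeholder and the helper names (`assess_bucket`, `assess_all`) are assumptions, and in a real audit the same dictionaries would come from the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls.

```python
"""Flag S3 buckets whose settings allow anonymous (public) access.

Added example, not code from the Spiceworks article or any vendor quoted in
it. Works on constructed in-memory copies of three per-bucket settings an
auditor would pull from AWS; bucket names and helper names are hypothetical.
"""

# Principal forms that mean "anyone" in a bucket policy.
ANONYMOUS_PRINCIPALS = ("*", {"AWS": "*"}, {"AWS": ["*"]})

# Canned ACL grantees that mean "everyone" or "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access flags; all must be on to neutralise a public
# policy or ACL.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

PUBLIC_POLICY = "bucket policy allows an anonymous principal"
CONDITIONAL_POLICY = "bucket policy allows '*' under a Condition; review the keys"
PUBLIC_ACL = "ACL grants AllUsers/AuthenticatedUsers"
BPA_OFF = "Block Public Access is not fully enabled"


def policy_findings(policy):
    """Classify Allow statements aimed at an anonymous principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):            # single-statement shorthand
        statements = [statements]
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Principal") not in ANONYMOUS_PRINCIPALS:
            continue
        # A Condition may scope '*' to a VPC endpoint or source IP, or it may
        # not restrict the caller at all, so it is reported for review rather
        # than silently accepted.
        found.add(CONDITIONAL_POLICY if st.get("Condition") else PUBLIC_POLICY)
    return found


def acl_is_public(grants):
    """True if any grant targets a global (public) group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def bpa_enforced(bpa):
    """True only when all four Block Public Access flags are explicitly on."""
    return all(bpa.get(flag) is True for flag in BPA_FLAGS)


def assess_bucket(bucket):
    """Return sorted findings for one bucket; an empty list means no exposure."""
    if bpa_enforced(bucket.get("public_access_block", {})):
        return []                               # BPA overrides policy and ACL
    findings = policy_findings(bucket.get("policy", {}))
    if acl_is_public(bucket.get("acl_grants", [])):
        findings.add(PUBLIC_ACL)
    findings.add(BPA_OFF)                       # not enforced, so always worth noting
    return sorted(findings)


def assess_all(buckets):
    """Map bucket name -> findings, omitting clean buckets."""
    return {name: f for name, cfg in buckets.items() if (f := assess_bucket(cfg))}


# Constructed sample inventory, shaped like the JSON the S3 API returns.
SAMPLE_BUCKETS = {
    "marketing-exports": {                      # public via policy, BPA off
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::marketing-exports/*"}]},
        "acl_grants": [],
        "public_access_block": {flag: False for flag in BPA_FLAGS},
    },
    "legacy-uploads": {                         # public ACL, but BPA enforced
        "policy": {},
        "acl_grants": [{"Grantee": {"Type": "Group",
                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}],
        "public_access_block": {flag: True for flag in BPA_FLAGS},
    },
    "vpc-only-data": {                          # '*' scoped by a condition (placeholder id)
        "policy": {"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::vpc-only-data/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}},
        "acl_grants": [],
        "public_access_block": {},
    },
}

if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(findings))
```

The ordering in `assess_bucket` matters: when all four Block Public Access flags are on, a permissive policy or ACL is neutralised, which is why `legacy-uploads` yields no findings despite its AllUsers grant. A statement whose `*` principal sits under a Condition is flagged for review rather than accepted, because only some condition keys actually restrict who can call.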

2. Opting for usability over security

Security should trump usability, especially when it comes to AWS S3 buckets. Executive leadership and key project decision-makers must keep in mind and prioritize the critical nature of budgeting time for cybersecurity planning from the very beginning.

Conclusion: Fixing Misconfigurations Takes Time; Organizations Must Act Now

In its recent Cloud Cyber Resilience Report, cloud native security solutions provider Accurics said that of all security risks identified in cloud native environments, as many as 23% corresponded to poorly configured managed service offerings – largely the result of default security profiles or configurations that offered excessive permissions.

“Cloud native apps and services are more vital than ever before, and any risk in the infrastructure has critical implications,” said Accurics co-founder, CTO & CISO Om Moolchandani. “Our research indicates that teams are rapidly adopting managed services, which certainly increase productivity and maintain development velocity.

“However, these teams unfortunately aren’t keeping up with the associated risks – we see a reliance on using default security profiles and configurations, along with excessive permissions. Messaging services and FaaS are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we’ll start seeing more breaches through insecure configurations around these services.”

According to Accurics, 48% of security risks identified in cloud native environments arose from the widespread use of insecure defaults. In the majority of instances, organizations made improper use of the default namespace (where system components run), thereby giving attackers access to system components or secrets. “Protecting cloud infrastructure requires a fundamentally new approach that embeds security earlier in the development lifecycle and maintains a secure posture throughout,” the firm said.

“The cloud infrastructure must be continuously monitored in runtime for configuration changes and assessed for risk. In situations where configuration change introduces a risk, the cloud infrastructure must be redeployed based on the secure baseline; this will ensure that any risky changes made accidentally or maliciously are automatically overwritten. With new attacks emerging and ongoing risks continuing to plague organizations, cloud cyber resilience is now more important than ever, and configuration hygiene is critical.”

As far as fixing cloud misconfigurations is concerned, Accurics said many organizations have failed to spot or remediate simple misconfigurations for years. For instance, an organization configured an S3 bucket incorrectly at the time it was added to the environment in 2015. A configuration change made five months later to fix a problem was also not properly reset once the work was complete. This drift went undetected and unaddressed until it was exploited nearly five years later.
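The Accurics anecdote is the drift problem in miniature: a control that was never set correctly, plus a temporary change that was never reverted, both surviving because nothing compared the live configuration with a declared baseline. The block below is an added illustration, not code from the article or from Accurics, of the monitor-and-redeploy loop the report recommends. It assumes a flat key/value snapshot per bucket, a constructed baseline (`BASELINE`) and a constructed change history (`HISTORY`) whose dates mirror the anecdote, and it reports which settings deviate, what to re-apply, and how long each deviation stayed open.

```python
"""Detect configuration drift against a secure baseline and measure how long
it persists.

Added example, not code from the Spiceworks article or from Accurics. The
baseline keys, snapshot values and dates are constructed for illustration.
"""
from datetime import date

# Declared secure baseline for an S3 bucket (constructed example values).
BASELINE = {
    "public_read": False,
    "versioning": "Enabled",
    "logging": True,
    "mfa_delete": "Enabled",
}

# Date at which the constructed history is reviewed (hypothetical).
REVIEW_DATE = date(2020, 1, 15)


def drift(snapshot, baseline=BASELINE):
    """Return {key: (expected, actual)} for every baseline key that deviates.

    A key missing from the snapshot counts as drift (the control is absent);
    keys the baseline does not govern are ignored.
    """
    return {
        key: (expected, snapshot.get(key))
        for key, expected in baseline.items()
        if snapshot.get(key) != expected
    }


def remediation(snapshot, baseline=BASELINE):
    """Settings to re-apply so the resource matches the baseline again."""
    return {key: expected for key, (expected, _) in drift(snapshot, baseline).items()}


def drift_windows(history, baseline=BASELINE, today=REVIEW_DATE):
    """Track each drifted key across dated snapshots.

    history: list of (date, snapshot) in chronological order.
    Returns {key: (first_seen, resolved_on_or_None, days_open)}; an unresolved
    window is measured up to `today`. Only the most recent window per key is
    kept if a key drifts, is fixed, and drifts again.
    """
    open_since, windows = {}, {}
    for when, snapshot in history:
        drifted = drift(snapshot, baseline)
        for key in drifted:
            open_since.setdefault(key, when)        # first snapshot showing it
        for key in list(open_since):
            if key not in drifted:                  # reset in this snapshot
                start = open_since.pop(key)
                windows[key] = (start, when, (when - start).days)
    for key, start in open_since.items():           # still open at review time
        windows[key] = (start, None, (today - start).days)
    return windows


# Constructed change history mirroring the report's anecdote: a bucket
# created without one baseline control, a temporary change made for a fix
# and never reverted, and a short-lived change that was properly reset.
HISTORY = [
    (date(2015, 3, 1), {"public_read": True, "versioning": "Enabled",
                        "logging": True, "mfa_delete": "Enabled"}),
    (date(2015, 8, 1), {"public_read": True, "versioning": "Suspended",  # "quick fix"
                        "logging": True, "mfa_delete": "Enabled"}),
    (date(2016, 1, 10), {"public_read": True, "versioning": "Suspended",
                         "logging": False, "mfa_delete": "Enabled"}),
    (date(2016, 2, 1), {"public_read": True, "versioning": "Suspended",
                        "logging": True, "mfa_delete": "Enabled"}),      # logging restored
]

if __name__ == "__main__":
    for key, (start, end, days) in drift_windows(HISTORY).items():
        status = f"resolved {end}" if end else "STILL OPEN"
        print(f"{key}: drifted since {start}, {status}, {days} days")
    print("re-apply:", remediation(HISTORY[-1][1]))
```

Run against the constructed history, the `logging` change is closed after 22 days because a later snapshot matches the baseline again, whereas `public_read` and `versioning` remain open for years; `remediation` on the latest snapshot is exactly the set of settings a redeploy from baseline would overwrite.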

While fixing infrastructure misconfigurations takes around 25 days on average, the most critical portions of the infrastructure often take the longest. Misconfigurations in load-balancing services, for instance, take an average of 149 days to fix. Considering these realities, organizations must take immediate steps to discover misconfigurations in their cloud native environments, prioritize remediation efforts, and educate their workforce on cloud security practices.
