AWS warns users about open S3 buckets

By

Following Dow Jones bungle.

Amazon Web Services is contacting customers with S3 buckets that are configured to be freely accessed by anyone on the internet to review access controls following the leak of two million Dow Jones user details.

AWS warns users about open S3 buckets

This week cyber security firm UpGuard revealed the personal details of at least 2.2 million Dow Jones customers had been exposed online as a result of an unsecured S3 repository.

It said the number could be as high as 4 million. The data exposed included people's names, addresses, account information, email addresses, and the last four digits of their credit card numbers.

The data was stored in an AWS S3 bucket configured to allow access to 'authenticated users', which in AWS language means anyone with an AWS account, which is free to obtain.

Last week a similar data breach at US telco Verizon exposed 6 million customer records through an unprotected S3 server.

And in June, a trove of top secret data managed by government security contractor Booz Allen Hamilton was left accessible to the web through the same misconfiguration.

Emails circulated to AWS customers, sighted by iTnews, warns those with open access to S3 buckets to reconsider this configuration.

"We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet," the cloud giant said.

"While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.

"We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend."

S3 access control lists can be changed through the management console or command line interface.

By default S3 buckets are set to allow read access only to the account owner.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
awsclouds3securityserverstorage

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?