
Amazon S3 Buckets Filled with Exposed Sensitive Data

By Andre Luiz R. Silva on November 14, 2019

Back in 2006, when Amazon S3 (Simple Storage Service) launched, the IT market changed for good: for the first time there was a blessedly simple way to host corporate objects and serve them over the Internet. Thirteen years later, the service is used massively, by small businesses and by giants such as Apple and Dropbox alike.

That is why the phrase "unmatched security, compliance, and audit capabilities" stands out on the service's website. Data must live in repositories whose access is properly restricted, and sensitive data must additionally be encrypted and monitored. The controls to do all of this exist in the platform; what no technology prevents is human error and faulty configuration.

In June of this year, researchers discovered exposed S3 storage holding more than a terabyte of sensitive files affecting Netflix, Ford and TD Bank (composed primarily of email backups). The storage belonged to Attunity, a data management company that processed those customers' data. In an era of the General Data Protection Regulation (GDPR) and similar legislation, is the partner solely responsible for this type of problem? And what must be done in times like these?


Amazon S3 and storage buckets: the questions


Despite being the most popular, Amazon S3 is not the only bucket-style object storage service out there: Microsoft Azure Blob Storage and Google Cloud Storage offer the same model. They are widely used for one simple reason: no company wants to go back to the days of maintaining rooms full of machines just to store data. These services are also low-cost, scale almost without limit, and offer very high availability.

To understand how simple the service is, consider what happens when a bucket permits anonymous listing: an unauthenticated GET request to the bucket's root URL returns an XML document (a ListBucketResult) that enumerates every object key, and each key maps directly to a download link. The listing is effectively a "tree" of the bucket's file links:

[Image: XML listing (ListBucketResult) of a public S3 bucket]


This is a public bucket found by Axur. It contains images of handwritten signatures, scanned documents, marketing folders and other internal company material, and even references to other companies and brands.
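The following is an added example of how the XML listing above is consumed in practice; it is not code from the Axur article. It parses a constructed ListBucketResult document (the bucket name `example-corp-assets` and every key in it are invented for illustration) into object records, turns keys into download URLs, flags keys whose path or extension suggests sensitive content, and handles the one edge case that trips up quick scripts: a truncated listing, where S3 returns at most `MaxKeys` entries per page and the last key returned becomes the `marker` for the next request.

```python
"""Parse an S3 bucket listing (ListBucketResult XML) and triage the keys.

Added example, not code from the original article. SAMPLE_LISTING is a
constructed document in the format S3 returns for
GET https://<bucket>.s3.amazonaws.com/ when anonymous listing is allowed;
the bucket name, keys, ETags and sizes are all invented.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import quote

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace S3 uses in listings

SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-corp-assets</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents>
    <Key>marketing/brochure-2019.pdf</Key>
    <LastModified>2019-09-12T09:02:41.000Z</LastModified>
    <ETag>&quot;1b2f5c9e0d7a4f6e8c3b2a1d0e9f8c7b&quot;</ETag>
    <Size>2048577</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>signatures/cfo-signature.png</Key>
    <LastModified>2019-10-02T14:21:07.000Z</LastModified>
    <ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag>
    <Size>48213</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>backups/mail-export-2019-08.pst</Key>
    <LastModified>2019-08-30T01:15:00.000Z</LastModified>
    <ETag>&quot;9e107d9d372bb6826bd81d3542a419d6&quot;</ETag>
    <Size>734003200</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>
"""


@dataclass
class S3Object:
    key: str
    size: int
    last_modified: str


@dataclass
class Listing:
    bucket: str
    objects: list
    is_truncated: bool


def parse_listing(xml_text: str) -> Listing:
    """Turn a ListBucketResult document into a Listing of S3Object records."""
    root = ET.fromstring(xml_text)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError(f"not a ListBucketResult document: {root.tag}")
    bucket = root.findtext(S3_NS + "Name", default="")
    truncated = root.findtext(S3_NS + "IsTruncated", default="false").lower() == "true"
    objects = [
        S3Object(
            key=node.findtext(S3_NS + "Key", default=""),
            size=int(node.findtext(S3_NS + "Size", default="0")),
            last_modified=node.findtext(S3_NS + "LastModified", default=""),
        )
        for node in root.iterfind(S3_NS + "Contents")
    ]
    return Listing(bucket, objects, truncated)


def next_marker(listing: Listing):
    """Marker for the next page of a truncated listing (the last key seen), or None.

    Without a Delimiter, S3 does not send NextMarker; the caller must pass the
    last returned key as ?marker= to fetch the rest of the bucket.
    """
    if not listing.is_truncated or not listing.objects:
        return None
    return listing.objects[-1].key


def object_url(bucket: str, key: str) -> str:
    """Virtual-hosted-style URL at which a public object is downloadable."""
    return f"https://{bucket}.s3.amazonaws.com/{quote(key, safe='/')}"


# Heuristics for keys worth a closer look; extend to taste.
SENSITIVE_PATTERNS = [
    r"\.(pst|ost|eml|mbox)$",                                   # mail stores / exports
    r"\.(sql|bak|dump|tar\.gz|zip)$",                           # database and archive dumps
    r"\.(pem|key|p12|pfx)$",                                    # private key material
    r"(^|/)(backups?|signatures?|passwords?|credentials?)(/|$)",  # telling path segments
]


def flag_sensitive(listing: Listing, patterns=SENSITIVE_PATTERNS) -> list:
    """Return the keys that match any sensitive-content heuristic."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [o.key for o in listing.objects if any(r.search(o.key) for r in compiled)]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for key in flag_sensitive(listing):
        print("review:", object_url(listing.bucket, key))
    if listing.is_truncated:
        print("listing truncated; continue with ?marker=", next_marker(listing))
```

Against a live bucket the same parser is fed the response body of the anonymous GET; if that request returns HTTP 403 (AccessDenied) the bucket exists but does not allow anonymous listing, which is the default posture, and a 404 (NoSuchBucket) means the name is unused.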

This, of course, is only a tiny sample of what is actually stored there. Buckets also hold data that looks less relevant and would not, on its own, count as an "information leak" (build artifacts, configuration, internal naming conventions), yet it reveals a great deal about a company's internal environment once paired with other data.

In the wrong hands, those files can cause enormous damage. By default a new S3 bucket is private: only the account that created it can list or read its objects, and it only becomes public if someone attaches a permissive bucket policy or ACL (or, since late 2018, also turns off the account's Block Public Access setting). Buckets end up public for two main reasons: (1) carelessness and inattention; or (2) the belief that the URL will never be found. The second is security through obscurity, and a weak form of it: bucket names are globally unique and are routinely enumerated from wordlists built out of company and product names.
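An added example (not part of the original article) of what "carelessness" looks like in configuration terms, and of a check a practitioner can run over their own buckets. The two policies below are constructed: `OPEN_POLICY` grants read and list access to everyone (the wildcard principal), while `LOCKED_POLICY` grants the same read access only to a specific IAM role in a specific account (the account ID and role name are invented). The audit function flags `Allow` statements with an anonymous principal, and separately reports whether a `Condition` block narrows them, because a conditional statement (for example one restricted to a source IP range) needs a human to judge. In a real account the policy document comes from `aws s3api get-bucket-policy --bucket NAME`, and the account-level guard rails from `aws s3api get-public-access-block --bucket NAME`; the `restrict_public_buckets` parameter models that guard rail, which makes a public policy ineffective for anonymous callers when enabled.

```python
"""Audit an S3 bucket policy for statements that make the bucket public.

Added example, not code from the original article. Both policy documents
below are constructed; the bucket name, account ID and role name are invented.
"""
import json

OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForEveryone",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the Internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-corp-assets",
            "arn:aws:s3:::example-corp-assets/*",
        ],
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublisherRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/asset-publisher"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-assets/*",
    }],
})

# Same open grant, but narrowed to a corporate IP range: not truly public,
# yet still worth a review.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-assets/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})


def _as_list(value) -> list:
    """Policy grammar allows a string or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True for the forms that mean 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy_json: str, restrict_public_buckets: bool = False) -> list:
    """Return findings for Allow statements with an anonymous principal.

    Each finding is a dict with the statement Sid, the granted actions and
    whether a Condition narrows the grant. With RestrictPublicBuckets enabled
    at the account or bucket level, AWS ignores public grants for anonymous
    callers, so nothing is reported.
    """
    if restrict_public_buckets:
        return []
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, doc in [("open", OPEN_POLICY), ("locked", LOCKED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        print(name, audit_policy(doc))
```

Note that a bucket policy is only one of the two ways an S3 bucket becomes public; a `public-read` ACL on the bucket or on individual objects is the other, and a complete check must inspect both. Treating "no findings" as "not public" after looking only at the policy is exactly the kind of inattention the article describes.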


Leaks caused by third-party suppliers


If you run a company and are reading this article, you should already see the need to verify that your data, and the buckets that hold it, are properly protected.

Cases such as Attunity's and the example above show that even when our own environment is locked down, third-party companies routinely handle our data or have access to our information. That is why the detection surface has to be widened beyond the services we control, to catch exposure of our data wherever it ends up.

Seventy percent of small and medium businesses do not fully understand the third-party applications they are using or how and where they store their information. And at least 55% attribute the cause of their data leakage to the inattentiveness of suppliers and third parties.

With the GDPR already in force and an avalanche of national and international data regulations on the way, even a company whose only negligence was trusting the wrong partner can face million-dollar fines from regulators.


How to deal with open buckets

It is possible to report to AWS a bucket that is exposing your company's information and request that it be taken down. But be careful before you act. An open third-party bucket may also hold files that a product or service depends on, and that service may break if the bucket is taken offline. There is, after all, a reason you use that supplier.

Therefore, try to contact the party responsible for the bucket first, so they can close it without causing further damage. Compliance and risk management are serious business, and continuous assessment and monitoring must be a top corporate priority.

In an increasingly digital world, it is important to maintain awareness of, and control over, what happens to your data. Many open buckets are not indexed by search engines and are reachable only by URL, with no link pointing at them, but that is not the same as being hidden: bucket names are globally unique and can be guessed from company, product and project names. Robust monitoring that actively looks for such buckets is therefore essential.

Axur's products can help you monitor what happens outside your company's perimeter, including buckets, both your own and those of third parties. Find out about Axur's Threat Intelligence monitoring and see how it can help you with buckets.


Guest expert

Luísa Rosa

A graduate of the University of Utah in Information Systems and Operations Management, Luísa is an analyst on Axur's Threat Intelligence team, detecting, analyzing and combating digital threats on the deep and dark web.