Services like Amazon’s S3 have made it easier and cheaper than ever to store large quantities of data in the cloud. Used properly, S3 buckets are a useful tool that can save time and money.
Used properly, I said. The problem is that plenty of companies fail to implement basic security. This, as I’m sure you’ve guessed, has resulted in an astonishing spate of (frankly) catastrophic data breaches. In October, researchers discovered an open S3 bucket containing the personal information of 1,113 NFL players and their agents. And in July, the details of three million WWE fans were chokeslammed onto the internet, after a third party contracted by the popular wrestling franchise set their buckets to ‘public,’ allowing anyone with an Internet connection to access and download content from it.
Sometimes, the leaked data is of a profoundly intimate nature. One leak, which emerged just last week, contained the blood test records of over 150,000 people.
Kromtech Security, a Cologne-based infosec firm, today released an open source script that should hopefully solve this problem for good. The tool, called S3 Inspector, is essentially a short Python program that uses your credentials to enumerate your S3 buckets. It will then identify which ones are secured properly, and which ones urgently require your attention.
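The check the article describes, written out as an added example (this is not the S3 Inspector code itself): the public-exposure test is a pure function over the ACL structure boto3 returns from `get_bucket_acl`, so it can be exercised on constructed ACLs without AWS access, and `audit_buckets` applies it to every bucket the configured credentials can list. Group URIs are the real S3 predefined groups; the sample ACLs and the `FakeClient`-style call shape are assumptions for offline use.

```python
# Added example, not Kromtech's code: flag S3 buckets whose ACL grants access
# to the world (AllUsers) or to any AWS account (AuthenticatedUsers).
# The live run at the bottom assumes AWS credentials in the environment.
from typing import Dict, List

# The two predefined S3 groups that make a grant "public" beyond the owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any AWS account",
}


def public_grants(acl: Dict) -> List[str]:
    """Describe each grant in a get_bucket_acl() response that exposes the
    bucket to one of the public groups. An empty list means not public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name a specific account, not the world
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if who:
            findings.append(f"{who}: {grant.get('Permission', '?')}")
    return findings


def audit_buckets(client) -> Dict[str, List[str]]:
    """Map every bucket name visible to `client` to its public grants.
    `client` is a boto3 S3 client or any object with the same two methods."""
    report = {}
    for bucket in client.list_buckets()["Buckets"]:
        report[bucket["Name"]] = public_grants(client.get_bucket_acl(Bucket=bucket["Name"]))
    return report


# Constructed sample ACLs in the shape boto3 returns, for offline checks.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_PUBLIC_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    import boto3  # imported here so the ACL logic above runs without boto3 installed
    for name, grants in audit_buckets(boto3.client("s3")).items():
        print(f"{'PUBLIC ' if grants else 'private'} {name} {'; '.join(grants)}")
```

An ACL check alone does not catch buckets opened through a bucket policy, so a full audit should also inspect `get_bucket_policy` output for wildcard principals.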
Speaking over email, Bob Diachenko, Head of Communications for Kromtech, explained the motivation behind S3 Inspector.
Amazon S3 is a popular storage service that is used by many enterprises, governments, and individuals across the globe. The service is fast, scalable and easy to use, but far too often we have seen cases where administrators fail to configure it properly or simply forget about configuration changes. This usually results in confidential user data or internal data being leaked online to anyone with an internet connection.
We began to see an increase in the number of instances of S3 misconfigurations. Recently we published a detailed guide, which explains how to protect your S3 buckets in detail. However, despite numerous warnings and a never-ending cycle of data leaks, it seemed like those who store sensitive data online were not getting the message or were unaware of the dangers.
When talking to the affected companies about the reasons for them to leave their repositories unprotected, we learned that oftentimes businesses have so many AWS S3 instances within their environment that it becomes hard for them to continuously check for their public availability.
We decided to make a simple tool that can help Amazon S3 users quickly check their S3 buckets for public access. We hope that by raising public awareness and giving people the tools to quickly check if they are protected from leaks. As responsible members of the cybersecurity community we hope that our hard work and dedication will reduce the occurrences of data leaks and financial, reputational damage, and cyber crimes.
S3 Inspector is available from today. You can download it from GitHub here.