Amazon S3 security update tries to protect admins from their own mistakes

Amazon yesterday announced the implementation of five new security features to its S3 web servers. Considering at least 185,000 sites run on Amazon Web Services (AWS) S3, this is a much-needed update.

The primary problem addressed by the new features is lazy administrators. Over 53 percent of cloud service administrators have unintentionally exposed their company’s data to the internet.

It’s scary to think the odds of your data on sites like Healthcare.gov being potentially unprotected are better than your chances of accurately guessing the results of a coin-flip.

In a company blog post, AWS evangelist Jeff Barr laid out the five new features:

The highlights here are default encryption and the detailed inventory report. While all five are welcome additions (and free, it’s worth mentioning), the biggest problem with AWS has nothing to do with Amazon: it’s human error.

When UpGuard’s internet super sleuth Chris Vickery discovered a huge breach at global management and consulting company Accenture, he didn’t have to rely on any hacking skills or elite technology; all he had to do was type a web address into his browser.

Vickery told TNW:

It’s not Amazon’s fault, it’s really an issue of misconfiguration … I’m not checking to see if the doors are locked or not; I’m just walking down the public sidewalk seeing it’s wide open.

With the new tools, administrators won’t have to specifically set up a “non-encrypted” bucket for files that don’t fit the encryption profile. Instead, they can set up servers to automatically apply encryption to files that are dropped into them. This should help prevent important data from lying around unencrypted because an administrator didn’t immediately notice the exceptions.

Admins will also receive encrypted inventory reports that detail the status of all objects – presumably with the option to highlight unencrypted objects in any buckets.
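As an added illustration (not code from this article or from AWS), here is one way an administrator could pull the unencrypted objects out of a CSV inventory report once it has been downloaded. The manifest excerpt, bucket name and rows are constructed sample data; the sketch assumes the inventory was configured to include the EncryptionStatus field and that keys are URL-encoded in the CSV.

```python
import csv
import io
import json
from urllib.parse import unquote

# Constructed sample: excerpt of an inventory manifest.json. The CSV data
# files carry no header row, so column order comes from "fileSchema".
MANIFEST = json.dumps({
    "sourceBucket": "example-source-bucket",
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, LastModifiedDate, EncryptionStatus",
})

# Constructed sample: rows from one inventory data file.
DATA_CSV = (
    '"example-source-bucket","reports/q3.pdf","48213","2017-11-07T10:15:00.000Z","SSE-S3"\n'
    '"example-source-bucket","hr/payroll%202017.xlsx","9120","2017-11-06T08:02:11.000Z","NOT-SSE"\n'
    '"example-source-bucket","keys/backup.tar","77310","2017-11-05T21:40:09.000Z","SSE-KMS"\n'
    '"example-source-bucket","tmp/export.csv","1204","2017-11-07T12:00:00.000Z","NOT-SSE"\n'
)


def unencrypted_objects(manifest_text, csv_text):
    """Return the keys of objects the inventory marks as NOT-SSE."""
    manifest = json.loads(manifest_text)
    columns = [name.strip() for name in manifest["fileSchema"].split(",")]
    if "EncryptionStatus" not in columns:
        # Without this optional field the report cannot answer the question,
        # and silently returning "nothing unencrypted" would be misleading.
        raise ValueError("inventory does not include EncryptionStatus")

    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(columns):
            continue  # skip blank or malformed lines
        record = dict(zip(columns, row))
        if record["EncryptionStatus"] == "NOT-SSE":
            findings.append(unquote(record["Key"]))
    return findings


if __name__ == "__main__":
    for key in unencrypted_objects(MANIFEST, DATA_CSV):
        print("unencrypted:", key)
```

Objects that were uploaded before default encryption was enabled on a bucket keep their original state, which is why a report like this is still worth running after the setting is turned on.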

It almost always seems as though the huge data breaches – like the Equifax breach – are caused by lackadaisical security practices. The S3 encryption and security updates are a welcome ally in the fight against our own mistakes.