Friday, May 3, 2024


AMAZON


Amazon S3

Amazon S3 buckets can be very efficient, but also a big risk if misconfigured

Amazon S3 buckets, part of the Amazon Web Services infrastructure, are great for storing and managing large amounts of data at scale, but they can also become a financial and security risk if used with inappropriate default settings.

Using a private AWS S3 bucket with a simple, easy-to-guess name can quickly turn into a financial disaster for even the simplest cloud project. A developer named Maciej Pocwierz discovered this harsh truth while working on a document indexing system for a client and chose to share the experience to make all AWS platform users aware of the issue.

In a recent post on Medium, Pocwierz said that he created a single S3 bucket in the eu-west-1 region to upload and test some files. Just two days later he checked the AWS billing page and found that he had already been charged $1,300. Pocwierz had expected the test to stay comfortably within the free tier, but the bucket had received nearly 100 million PUT requests, each one an attempt to create a new object.

As AWS support later confirmed, S3 bills for incoming requests whether they succeed or are rejected, so unauthorized requests that are turned away with a 403 still count toward the bill. While investigating, Pocwierz found that a popular open source tool ships with a default configuration that stores its backups in S3, and the default bucket name in that configuration was exactly the name he had chosen for his test bucket.

Every deployment of that tool left with its default settings was trying to write its backup files to the bucket Pocwierz had just created; each attempt was denied, and each attempt was billed to him. Pocwierz did not disclose the name of the tool, since doing so would put an unknown number of companies running it at risk.
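An added example, not code from Pocwierz's post or from AWS, of how a bucket owner can spot this pattern before the bill arrives: S3 server access logging (off by default; it must be enabled per bucket and writes to a second bucket) records one line per request, including the operation, the HTTP status and the error code. The script below parses that format and counts PUT requests rejected with 403 by source IP and user agent. The log lines, owner ID, bucket name and IP addresses are constructed placeholders.

```python
import re
from collections import Counter

# Leading fields of the S3 server access log format, one request per line:
# owner bucket [time] ip requester request_id operation key "uri" status error
# bytes_sent object_size total_time turnaround "referrer" "user_agent" ...
# Fields after the user agent are not needed here and are left unmatched.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround>\S+) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

OWNER = "0123456789abcdef" * 4   # constructed 64-hex canonical user ID
BUCKET = "example-backups"       # hypothetical bucket name


def _line(ip, requester, op, key, status, error, agent,
          ts="03/May/2024:10:00:01 +0000"):
    """Assemble one access log line in the real field order (constructed sample data)."""
    verb = "PUT" if op.startswith("REST.PUT") else "GET"
    return (f'{OWNER} {BUCKET} [{ts}] {ip} {requester} 1A2B3C4D5E6F7890 {op} {key} '
            f'"{verb} /{key} HTTP/1.1" {status} {error} 243 - 4 - "-" "{agent}" '
            f'- hostid= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
            f'{BUCKET}.s3.eu-west-1.amazonaws.com TLSv1.2 - -')


# Three denied backup uploads from strangers, then the owner's own PUT and GET.
SAMPLE_LOG = [
    _line("203.0.113.10", "-", "REST.PUT.OBJECT", "backups/db-20240503.tar.gz",
          403, "AccessDenied", "aws-sdk-go/1.44.0"),
    _line("203.0.113.10", "-", "REST.PUT.OBJECT", "backups/db-20240503.tar.gz",
          403, "AccessDenied", "aws-sdk-go/1.44.0"),
    _line("198.51.100.7", "-", "REST.PUT.OBJECT", "backups/app-20240503.tar.gz",
          403, "AccessDenied", "aws-sdk-java/1.12.0"),
    _line("192.0.2.25", OWNER, "REST.PUT.OBJECT", "test/doc-001.pdf",
          200, "-", "aws-cli/2.15.0"),
    _line("192.0.2.25", OWNER, "REST.GET.OBJECT", "test/doc-001.pdf",
          200, "-", "aws-cli/2.15.0"),
]


def parse_line(line):
    """Return the captured fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_denied_puts(lines):
    """Count object PUTs rejected with 403, grouped by source IP and user agent.

    Every one of these is a billable request the bucket owner never asked for.
    """
    total = denied_puts = unparsed = 0
    by_ip, by_agent = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        if rec["operation"] == "REST.PUT.OBJECT" and rec["status"] == "403":
            denied_puts += 1
            by_ip[rec["ip"]] += 1
            by_agent[rec["user_agent"]] += 1
    return {
        "total": total,
        "denied_puts": denied_puts,
        "by_ip": dict(by_ip),
        "by_agent": dict(by_agent),
        "unparsed": unparsed,
    }


def top_sources(summary, n=5):
    """Source IPs with the most denied PUTs, busiest first."""
    return sorted(summary["by_ip"].items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize_denied_puts(SAMPLE_LOG)
    print(f"{s['denied_puts']} of {s['total']} requests were denied PUTs")
    print("top sources:", top_sources(s))
    print("user agents:", s["by_agent"])
```

The user agent column is usually the quickest pointer to which tool is sending the traffic, and a sudden jump in denied PUTs from many unrelated IPs is the signature of exactly the collision described above. If CloudTrail data events are enabled for the bucket instead, the same grouping can be done on the `eventName`/`errorCode`/`sourceIPAddress` fields.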

To gauge the security and privacy side of the problem, the developer briefly opened the bucket to public writes. Within 30 seconds, the now world-writable bucket had received more than 10 gigabytes of data from systems all over the Internet. He contacted some of the companies whose data had arrived, but they apparently chose to “completely ignore” it.

Pocwierz was fortunate to have the unwanted invoice canceled with the help of AWS support, although the company confirmed that the system was working as expected. AWS chief evangelist Jeff Barr said on

The developer also contacted the team behind the unnamed tool, who agreed to change the software's default configuration to fix the issue. He also noted that S3 users can reduce this risk considerably by adding a random suffix to their bucket names, which makes them hard to guess and keeps them from colliding with someone else's defaults.
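An added example, not code from Pocwierz's post, the unnamed tool or AWS, of both halves of that advice in Python. On the bucket owner's side, `make_bucket_name` appends a suffix drawn from the OS CSPRNG and checks the result against the main published S3 naming rules (length, character set, no adjacent dots, not an IP address, no reserved prefixes or suffixes; the validator may lag rules added later). On the writing tool's side, `put_object_args` builds the arguments for boto3's `s3.put_object` with `ExpectedBucketOwner`, the `x-amz-expected-bucket-owner` header, so S3 refuses the write if the bucket is owned by someone other than the account you expect, which is what a backup tool with a hard-coded default name would have needed. The prefix, account ID and function names are assumptions of mine; boto3 itself is not imported so the block runs offline.

```python
import ipaddress
import re
import secrets

# General-purpose bucket names: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
FORBIDDEN_PREFIXES = ("xn--", "sthree-")
FORBIDDEN_SUFFIXES = ("-s3alias", "--ol-s3")


def is_valid_bucket_name(name):
    """Check the main S3 bucket naming rules; returns True for an acceptable name."""
    if not BUCKET_RE.match(name) or ".." in name:
        return False
    if name.startswith(FORBIDDEN_PREFIXES) or name.endswith(FORBIDDEN_SUFFIXES):
        return False
    try:
        ipaddress.IPv4Address(name)   # e.g. "192.168.5.4" passes the regex but is disallowed
        return False
    except ValueError:
        return True


def make_bucket_name(prefix, suffix_bytes=8):
    """Return prefix + '-' + 2*suffix_bytes random lowercase hex chars.

    The default 8 bytes give 64 bits of entropy, so the name cannot be guessed
    or accidentally matched by another project's default configuration.
    """
    suffix = secrets.token_hex(suffix_bytes)
    name = f"{prefix}-{suffix}"
    if not is_valid_bucket_name(name):
        raise ValueError(f"{name!r} violates S3 bucket naming rules "
                         f"(prefix too long, uppercase, or bad characters?)")
    return name


def put_object_args(bucket, key, body, owner_account_id):
    """Keyword arguments for boto3 s3.put_object that pin the expected bucket owner.

    With ExpectedBucketOwner set, S3 returns 403 instead of writing into a bucket
    that happens to have the right name but belongs to another AWS account.
    """
    if not re.fullmatch(r"\d{12}", owner_account_id):
        raise ValueError("owner_account_id must be the 12-digit AWS account ID")
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ExpectedBucketOwner": owner_account_id,
    }


if __name__ == "__main__":
    # Hypothetical prefix and account ID; with boto3 you would then call
    # boto3.client("s3").put_object(**args).
    name = make_bucket_name("docindex-test")
    args = put_object_args(name, "backups/2024-05-03.tar.gz", b"...", "123456789012")
    print(name, args["ExpectedBucketOwner"])
```

The same `ExpectedBucketOwner` parameter exists on the other bucket-scoped boto3 calls and on the AWS CLI as `--expected-bucket-owner`; setting it in a tool's defaults, or refusing to run with an unset bucket name at all, is the change on the tool side that stops strangers' backups from being sent to whoever registers the default name first.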

mundophone
