Cloud storage solutions like AWS S3 have become indispensable for businesses, offering scalable and reliable data management. However, like many innovative technologies, it introduces significant risk, particularly concerning data exfiltration. Data exfiltration, the unauthorized transfer of data from a system, poses a critical threat to organizations relying on S3 for their data storage needs. Misconfigured permissions, unsecured public buckets, and shared credentials (purposeful or via phishing attacks) can expose sensitive information to malicious actors. In this blog, we will explore the top data exfiltration risks associated with AWS S3 along with some of the capabilities that AuthMind can help enterprises protect their sensitive data.

S3 Data Exfiltration Risks Explained: It’s All About Identities That Can Access Your Data

AWS’s S3 tagline is “Object storage built to retrieve any amount of data from anywhere”. This very flexibility and scale also carries risks that are easily exploited by threat actors and malicious insiders to exfiltrate data.  Amazon has published a top 10 best practices for securing S3 storage to help guide users to protect their data, and while thorough, it leaves a lot of opportunity for mistakes and blindspots as evident by the frequency of data breaches due to exposed or misconfigured storage.  A few examples include: 

• Disclosed Airport files including airport worker ID photos, PII, and other sensitive data
• US No Fly List disclosed by 3rd party vendor
• DC Health Exchanges discloses PII of Congressional representatives and city residents
• UK Govt facility management and security contractors leaks employee PII 
• University admission platform leaks student PII

To better comprehend the types of exposures, risks, and resulting breaches, it is useful to categorize the exposures into two main groups:

Misconfigured Public Buckets. Threat actors actively scan AWS for exposed buckets using commonly available toolkits.  Following AWS’s recommended best practices to prevent these accidental misconfigurations, and actively monitoring for unexpected or new exposed public buckets, are a must for any enterprise.  

Unauthorized Access to Private Buckets. These buckets are being accessed due to stolen user credentials, access key+secrets or purposely being shared by an authorized user looking to bypass data loss controls.  Unlike accessing public buckets, these can be much harder to detect as differentiating between an authorized, trusted access and an unauthorized access can be very subtle.   When sharing out buckets, the most common methods of enabling trusted access are either via granting access to an AWS user or granting programmatic access via an Access Key & Secret. 

Image: Selecting AWS Access Type

Based on these authentication methods, a few examples of how an exfiltration incident can occur: 

• S3 access key ID/secret are shared with authorized 3rd party and 3rd party doesn’t adequately protect them
  • Compromised AWS user credentials allow a threat actor to access AWS S3 storage directly and/or grant additional access via a new user or access key
• Phishing or Social engineering tactics target authorized users with access to steal their credentials
• Malicious insider purposefully shares an access key ID + secret with a 3rd party
• Malicious insider purposefully shares an short term access token with a 3rd party

The last method is unique and one of the most challenging to detect. To grasp this better, it's crucial to understand the difference between an AWS Access Key ID and an Access Token. Initially, access may be authorized using an Access Key ID and Secret. Upon successful authorization, the access is granted with an access token (also known as temporary credentials or API keys) to access multiple services or APIs. These access tokens are typically issued with a short duration expiration (usually not more than a few hours) to be used in lieu of credentials or an assertion to enable rapid access to services like S3 buckets until they expire. Because access tokens are intended to be used at high speed and high frequency, they are usually not secured by strong cryptography (like certificates or signing) which introduces a new risk: these access tokens can be shared with other internal or external identities to allow access to sensitive resources in unintended ways. The fact that no changes are made to the S3 configuration makes it difficult to detect by conventional techniques.  Simply copying and sharing the access tokens via a text message or a phone camera capture to a 3rd party can be enough to provide access to a S3 resource for a few minutes or hours – and more than enough to exfiltrate data.

Leveraging AuthMind’s AWS Visibility to Detect Leaky S3 Buckets and Identity Access Issues 

AuthMind’s extensive integration with AWS enables it to analyze  AWS VPC Flows, S3 audit logs (via AWS CloudTrail) and AWS Managed AD.  With these inputs, enterprises gain expanded visibility across their AWS environment, enabling them to monitor who is accessing resources, when, and from where to both their AWS assets and resources like S3 storage buckets. 

Detecting unauthorized access to S3 storage buckets or objects is enabled through comprehensive monitoring capabilities that cover the variety of attack methods. AuthMind’s unique and comprehensive approach to identity observability combined with advanced analytics can identify and alert on various exposures and suspicious activities involving S3 storage buckets or objects including: 

• Detecting exposed accesses to S3 storage.  It is easy (and not uncommon) for users to unintentionally expose S3 storage buckets and their contents, potentially creating exfiltration pathways. AuthMind monitors external access to S3 storage and will alert on new exposed storage that is being accessed from afar.
• Detecting Suspicious Access from Unexpected Sources.  AuthMind identifies access patterns based on geographic location, ISP, and specific network ranges. Additionally, it can detect and alert on unusual user access that doesn’t match observed patterns, such as "impossible travel" situations where access locations change faster than feasible.  By monitoring these combinations, AuthMind can alert on anomalies that may indicate shared or stolen credentials or tokens
• Detecting Shared Access Tokens.  As described earlier, detecting access token sharing through conventional methods can be very challenging. AuthMind identify suspicious access patterns that indicate access token sharing, potentially preventing data exfiltration. By analyzing access to AWS S3 buckets and objects, AuthMind can detect instances where an identity shares its access token with another internal or external identity, allowing both parties to access the resources within the token's timeout window.
• Detecting Suspicious Deviations of Accesses.  AuthMind also monitors the volume and rate of accesses to individual S3 buckets and objects and can alert on major deviations to observed access patterns from public sources  which can be another indicator of a data exfiltration incident. 

The combination of these methods enables an enterprise to detect a wide variety of threats and risks that could target their most sensitive data stored in AWS S3 storage.

Time to Value: Visibility in Less than 10 Minutes

The integration of AuthMind with AWS resources like VPC flows, S3 storage accesses, and AWS Microsoft AD is agentless, eliminating the need for additional hardware or complex configurations. The setup is straightforward and easy to complete in less than 10 minutes. 

To take advantage of this new capability, please contact your AuthMind solution architect to set up the integration. Our team is ready to assist you in deploying this powerful tool to enhance your security posture within the AWS ecosystem.

To learn more about AuthMind and its ability to detect AWS S3 Exposures or other Identity Risks,  request a call today.